Storing User Passwords in a Database: Best Practices and Implementation

In today’s digital age, the security of user data is paramount. One of the most sensitive pieces of information a system can handle is user passwords. Mismanagement of passwords can lead to severe consequences, including data breaches and loss of user trust. This blog post will explain why even administrators should not know user passwords, how passwords should be securely stored, and how to implement a hash+salt system in TypeScript using bcrypt.

Why Even Admins Should Not Know User Passwords

1. Privacy: Users have a right to privacy. Passwords often serve as keys to multiple accounts, and knowing a password could expose unrelated accounts.
2. Security: If an admin’s account is compromised, knowledge of user passwords could allow attackers to escalate their access.
3. Trust: Users trust platforms to keep their data safe. Knowing their passwords would undermine this trust.
4. Liability: Organizations can be held legally responsible for negligent handling of sensitive information, including plaintext passwords.

How to Store Passwords Securely

Storing passwords securely means ensuring that even if the database is compromised, the actual passwords are not directly accessible. This is achieved through:

1. Hashing:
   • A one-way function that converts a password into a fixed-length string (hash).
   • Examples: bcrypt, Argon2, PBKDF2.
2. Salting:
   • A unique random value added to the password before hashing.
   • Prevents attackers from using precomputed hash tables (rainbow tables) to crack passwords.
3. Iterative Hashing:
   • Repeatedly applying the hash function to increase computation time, making brute-force attacks less feasible.
4. Never Storing Plaintext Passwords:
   • Plaintext storage is a critical security flaw that should always be avoided.

What Are Salt and Hashing Algorithms?

• Hashing:
  • Irreversible transformation of data.
  • Example: The password "mypassword" hashed with bcrypt might result in $2b$10$eP....
• Salting:
  • Random data added to passwords before hashing.
  • Example: Password "mypassword" + salt "abc123" becomes "mypasswordabc123".
• Hashing Algorithms:
  • bcrypt: Widely used, includes a salt by design, and allows for adjustable computational cost.
  • Argon2: Winner of the Password Hashing Competition (PHC), designed for modern systems.

Implementing a Hash+Salt System in TypeScript with bcrypt

Below is a simple implementation using the bcrypt library in TypeScript:

1. Setup:

Install bcrypt using npm:

bash📋
npm install bcrypt

2. Code Implementation:

typescript📋
import bcrypt from 'bcrypt';

const SALT_ROUNDS = 10; // Adjust based on your system's capacity
const SECRET_KEY = process.env.SECRET_KEY! // Use an environment variable

// Hashing a password
async function hashPassword(plainPassword: string): Promise<string> {
   const salt = await bcrypt.genSalt(SALT_ROUNDS);
   const hashedPassword = await bcrypt.hash(plainPassword, salt);
   return hashedPassword;
}

// Verifying a password
async function verifyPassword(plainPassword: string, hashedPassword: string): Promise<boolean> {
   return await bcrypt.compare(plainPassword, hashedPassword);
}

// Example usage (must run on a secure server environment)
async function main() {
   const password = 'mySecurePassword123';
   const hashed = await hashPassword(password);
   console.log('Hashed Password:', hashed);

   const isMatch = await verifyPassword(password, hashed);
   console.log('Password Match:', isMatch);
}

main().catch(console.error);

3. Explanation:

• SALT_ROUNDS: Determines the computational complexity of generating the salt.
• bcrypt.genSalt(): Generates a random salt.
• bcrypt.hash(): Combines the password and salt, then hashes the result.
• bcrypt.compare(): Verifies if a plaintext password matches the hashed one.
• SECRET_KEY: Uses an environment variable to manage sensitive information securely.

Final Thoughts

Properly storing passwords is non-negotiable in any application handling user data. By hashing passwords with a unique salt and using secure algorithms like bcrypt, you significantly reduce the risk of password-related breaches. Remember, security is an ongoing process—stay informed and adapt to emerging threats and technologies.

By following these best practices, you’ll not only protect your users but also strengthen the trust and integrity of your platform.