How to Securely Store Passwords in a Database

4 min readOct 21, 2024

Protecting user data has never been more critical in today's digital landscape. One of the most sensitive pieces of information we handle is user passwords. Improper password storage can lead to severe security breaches and damage a company’s reputation and users’ privacy. If you’re developing a web application, it’s important to ensure that passwords are stored securely.

Why Plain Text Passwords are Dangerous

Storing passwords in plain text is one of the serious security mistakes a developer can make. If a data breach occurs, attackers can immediately access all user accounts. Even though it seems obvious, incidents where plain-text passwords are leaked still occur, highlighting the importance of handling passwords carefully.

The Right Approach: Hashing Passwords

When storing passwords, the golden rule is never to save them directly. Instead, apply a one-way function, known as hashing. Hashing transforms a password into a fixed-size string of characters, which is virtually impossible to reverse. Popular hashing algorithms used for this purpose include:

PBKDF2 (Password-Based Key Derivation Function 2): This is widely used due to its adaptive nature, allowing developers to increase the iteration count to make brute-force attacks slower.
bcrypt: Designed specifically for password hashing, bcrypt uses a salt and is computationally expensive, making it difficult for attackers to crack passwords using brute-force methods.

Hashing vs. Encryption

Before we proceed further, it’s essential to distinguish between hashing and encryption.

Hashing is a one-way function. Once you hash a password, you can’t reverse it to obtain the original password. This is perfect for passwords, as you never need to recover the original value, only verify it during login.
Encryption is a two-way process. It involves encoding a password in a way that can be reversed using a decryption key. Encryption isn’t suitable for password storage because it means passwords can be recovered if the decryption key is compromised.

Salting: Adding Extra Security

To make hashed passwords even more secure, you should add salt to the hashing process. A salt is a unique, randomly generated string added to the password before hashing. This ensures that even if two users have the same password, they will have different hashes in the database.

Salts mitigate the risk of rainbow table attacks, where attackers use precomputed tables of hash values to reverse-engineer passwords. By adding a unique salt to each password, the attack becomes much more difficult since the rainbow table would have to be created for each unique salt.

Java Code for Hashing Passwords with a Custom Salt

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordSecurityUtilWithSalt {

    // Generate a salt using a secure random number generator
    public static String generateSalt() {
        SecureRandom sr = new SecureRandom();
        byte[] salt = new byte[16]; // 128-bit salt
        sr.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    // Hash a password with salt using SHA-256
    public static String hashPasswordWithSalt(String password, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt.getBytes()); // Apply salt to the hashing process
        byte[] hashedPassword = md.digest(password.getBytes());
        return Base64.getEncoder().encodeToString(hashedPassword);
    }

    // Verify if a password matches the stored hash (this is just for educational purposes)
    public static boolean verifyPassword(String password, String salt, String hashedPassword) throws NoSuchAlgorithmException {
        String hashToVerify = hashPasswordWithSalt(password, salt);
        return hashToVerify.equals(hashedPassword);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "mySecurePassword123";

        // Generate salt
        String salt = generateSalt();
        System.out.println("Generated Salt: " + salt);

        // Hash the password with the salt
        String hashedPassword = hashPasswordWithSalt(password, salt);
        System.out.println("Hashed Password with Salt: " + hashedPassword);

        // Verify the password against the stored hash
        boolean isPasswordMatch = verifyPassword(password, salt, hashedPassword);
        System.out.println("Password matches: " + isPasswordMatch);
    }
}

Explanation:

generateSalt(): This method generates a random salt using SecureRandom, which is cryptographically secure.
hashPasswordWithSalt(): It hashes the password with the given salt using the SHA-256 algorithm.
verifyPassword(): Compares the hashed password (generated with the salt) to the stored hash to ensure it matches.

Note:

Unlike bcrypt, which handles salting internally, here we explicitly add a salt to the password before hashing it.
While this example uses SHA-256 for educational purposes, it is generally not recommended to use simple hashing algorithms (like SHA-256) for password storage due to their speed, which makes them vulnerable to brute-force attacks. Always prefer dedicated password-hashing algorithms like bcrypt, PBKDF2, or Argon2.

Conclusion

Storing passwords securely should be a top priority for any developer handling user data. By using hashing algorithms like bcrypt, adding salts, and enforcing strong password policies, you can significantly reduce the risk of unauthorized access. Incorporate these strategies into your development practices, and you’ll be well on your way to building a secure and trustworthy application.

If you found this story helpful, don’t forget to give it a 👏! Follow me for more insights on Java development.

Happy coding! 🎉