How are user passwords managed and validated in databases?

Did you know that back in 2005, Reddit developers confirmed that a hacker had stolen backup copies of their database, and that it contained Reddit users' password information in plain text!

Yes you read that right!

The password information was stored as plain, unprotected text. In other words, once the hacker had the database, he had everyone’s passwords as well.

If you are storing your users' passwords in plain text in a database, you are making a big mistake. All it does is weaken the security of your web site, needlessly putting your users, your employer, and yourself at risk.

Is converting passwords into hashes and storing them in the database enough?

Hashing is a one-way function: once you hash a value, you get a fixed-length string of characters derived from the original text, but there is no feasible way to compute the original text back from the hash.

But still, storing plain password hashes is not sufficient, because they are prone to precomputation attacks such as rainbow tables: an attacker who has hashed a large list of common passwords ahead of time can look up any matching hash instantly.

Hence, before computing the hash, it's always a good idea to combine the password with a "salt". A salt is a unique, randomly generated string that is added to each password as part of the hashing process, so two users with the same password end up with different hashes and a precomputed table is useless.

In practice, the salt is stored in plain text alongside the hash and the username in the database. When the user logs in, the salt is looked up, combined with the provided password and hashed, and the result is compared with the stored hash; the login succeeds only if the two match.

Had the folks at Reddit salted and hashed the passwords and then stored the salts and resulting hashes in the database instead, the hacker would have been in a very different situation.
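As an added illustration of the salt-and-hash scheme described above (example code, not from the original article), the following uses Python's standard library: a random per-user salt, PBKDF2-HMAC-SHA256 as the hash (a deliberately slow hash is my choice here; the article only says "hash"), a dictionary standing in for the users table, and a constant-time comparison at login. The iteration count and sample passwords are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is kept low so the
# example runs quickly; production deployments should use a much higher
# value following current guidance.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Salt and hash a password; return the record to store (never the password)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique, random salt for this user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}

def verify_password(record: Dict[str, object], password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))

# In-memory stand-in for the users table: username -> {salt, hash, iterations}
USERS: Dict[str, Dict[str, object]] = {}

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # unknown user; no stored salt to look up
    return verify_password(record, password)

def same_password_same_hash(password: str) -> bool:
    """Hash the same password twice with fresh salts; the stored hashes differ."""
    return hash_password(password)["hash"] == hash_password(password)["hash"]

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    print(same_password_same_hash("hunter2"))              # False
```

The stored record contains only the salt, the hash and the parameters, which is exactly what an attacker holding a database dump would see.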

It will be awesome to learn the concepts of system design from you
