Where might someone keep them besides a database? By storing passwords elsewhere I mean a non-traditional database.
Allow me to explain. A couple of my friends run high security websites. They needed someone to pentest their website and see if someone could steal passwords. So naturally they asked me if I would do it. I was able to gain access to the server and database, but no passwords or even email addresses. All of the user information was non-existent. I asked them how they did it, but they wouldn't tell me. They didn't use authentication tokens or one-time passwords.

What other methods are there to store passwords so that even if a hacker compromises the server it would be extremely difficult for him to get any user information, not even a hashed password?

EDIT: I'm not asking how to hash a password, I'm asking what alternatives exist for storing passwords in a non-traditional database.

EDIT #2: Article was removed because of criticism

Snewman8771
  • Someone find the list of questions this is a duplicate of, and mark this question as a duplicate of them. It's a "How do I handle passwords?" question like [this one](http://security.stackexchange.com/questions/31742/how-to-provide-security-for-passwords-stored-in-database?rq=1) or [this one](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). – Parthian Shot Jul 24 '15 at 01:07
  • As the article you linked to makes abundantly clear, it is exactly that. These people aren't saying "store the passwords somewhere else", they're saying "apply a one-way function to the passwords, and store the result in your database, **while throwing the password away entirely**". Which, incidentally, is answering the question "How do I handle passwords?". You may genuinely believe that isn't what your question boils down to, but I am willing to bet an impressive sum of money you'd be incorrect in that belief. Your friends are storing **authentication tokens** derived from passwords. – Parthian Shot Jul 24 '15 at 06:38
  • Easy, secure websites don't store passwords, anywhere. – Wayne In Yak Jul 24 '15 at 17:45
  • If that is truly your question, then this isn't an InfoSec question. "Where to store" properly hashed and salted passwords is merely a programmatic issue and not a security one. Because you asked it here, and because your link quickly talks about hashing (and you don't), it is understandable that the simplest answer is "hash". – schroeder Jul 24 '15 at 17:46
  • Snewman - couple of things: 1 - we have a rule: Be NICE! Any more offensive comments from you and you'll earn a suspension. 2 - *listen* to all the comments you are getting from experienced professionals. 3 - You don't appear to be asking the right question - you are playing with the definition of *database* without reading the comments. Of course banks use databases - they have to. That's sort of the definition of where they store data. Schroeder has it right there. Please revisit our [about] and [ask] pages for guidance. – Rory Alsop Jul 24 '15 at 20:30
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/26289/discussion-on-question-by-snewman8771-dont-store-passwords-in-database). – Rory Alsop Jul 27 '15 at 09:04

2 Answers

As the linked article states, you should hash the password, and then store that in the database. bcrypt is the current standard recommendation in terms of password hashing, and has easily-used implementations in many languages.

The intent behind "never store passwords in the database" is not "store it outside of the database"; the intent is "never store plaintext passwords, at all".

Soron
  • But many websites claim to not keep the passwords in the database. I don't want to give any references on this as they are my acquaintances' websites and I've seen their databases and they don't keep passwords in the databases – Snewman8771 Jul 24 '15 at 00:42
  • As @Ethan says, the key point is "Store the **salt and hash – not the (plaintext) password** – in your database.". The article you are referring to explicitly states this. If the systems you are referring to do not even store the hashed password in the database, they might use some other credential store like a wallet or LDAP (which are, strictly speaking, also "databases" on their own, just not RDBMSs) – Andreas Fester Jul 24 '15 at 06:19
  • @Andreas ahh thank you. That's the answer I was looking for – Snewman8771 Jul 24 '15 at 12:47
Indeed the title of the article you linked to is misleading/confusing. Storing passwords in plain text is a very bad thing to do, yes; but storing them hashed in a DB is not a problem because, by principle, hashing functions are a one-way process.

It is better to deal with forgotten passwords as StackExchange websites do because:

  • Hashed passwords are useless even when the DB table that stores them is compromised
  • It forces the users to change their password, which is a good security practice.
  • I would argue that hashed passwords aren't useless. Most people pick a simple password. – Snewman8771 Jul 24 '15 at 13:03
  • @Snewman8771 yes, that is what I said :) –  Jul 24 '15 at 13:24
  • @Snewman8771 "hashed and salted" solves the simple password problem. – schroeder Jul 24 '15 at 17:49
  • @schroeder it doesn't. If the person has access to the website's database, then it wouldn't be that difficult to obtain the salt algorithm from the server, and as far as hashing goes there are many hash tables that exist with many of the most common passwords. MOST people use a simple password. I've seen it happen many many times. Thus the reason why passwords and email addresses are leaked all the time after a website gets hacked – Snewman8771 Jul 24 '15 at 18:15
  • @schroeder salting and hashing would do fine for a website that didn't store that much valuable data. Here is an article on cracking salted passwords. https://www.exploit-db.com/docs/Cracking_Salted_Hashes.pdf thus your argument is void and I hope you read it. Many secure websites use sha512 and DON'T store passwords in a traditional database, such as MySQL or Postgre – Snewman8771 Jul 24 '15 at 18:39
  • I read it just now and there are numerous errors in the first 2 pages alone. I'm afraid that you are getting bad advice. – schroeder Jul 24 '15 at 22:55
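Both answers above describe the same pattern: the database row holds a per-user random salt and a one-way hash of the password, the plaintext is thrown away, and login recomputes the hash and compares. The following is an added example (not code from either answerer or from the linked article) that implements that pattern with Python's standard-library PBKDF2-HMAC-SHA256 in place of bcrypt, which the first answer recommends but which needs a third-party package; the in-memory `USER_TABLE` dict stands in for the users table, and the iteration count is an assumption chosen for illustration. It also shows the point argued in the second answer's comments: two users with the same password get different stored hashes because the salt differs, so a precomputed table of common-password hashes does not match the stored values directly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the "users" table. It only ever holds the
# salt, the hash and the work factor, never the plaintext password.
USER_TABLE: Dict[str, dict] = {}

# Assumption: iteration count picked for illustration; a real deployment
# tunes this to the hardware and re-hashes users on login when it is raised.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way derivation of a 32-byte digest from password + per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> dict:
    """Create the stored record for a user. The plaintext is not kept anywhere."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    record = {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
        "iterations": PBKDF2_ITERATIONS,
    }
    USER_TABLE[username] = record
    return record


def verify(username: str, password: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    record: Optional[dict] = USER_TABLE.get(username)
    if record is None:
        # Unknown user: still do a full derivation so the response time does not
        # reveal whether the username exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def record_contains_plaintext(record: dict, password: str) -> bool:
    """True if the stored row leaks the password verbatim (it should never)."""
    return password in repr(record)


def same_password_distinct_hashes(password: str) -> bool:
    """Register two users with one password; per-user salts make the digests differ."""
    a = register("alice", password)
    b = register("bob", password)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    row = register("carol", "correct horse battery staple")
    print("stored row:", row)
    print("login ok:", verify("carol", "correct horse battery staple"))
    print("wrong pw:", verify("carol", "Tr0ub4dor&3"))
    print("salted digests differ:", same_password_distinct_hashes("hunter2"))
```

Reading the stored row shows why "not in the database" is the wrong mental model: the table is full of data, but none of it is reversible to the password, and a dump of it does not by itself log anyone in.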