I’ve just come back from OWASP NZ Day 2020, held at Auckland University this February. As well as seeing some excellent presentations I was also able to present a talk on how developers can store their users’ passwords safely.
Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing?
Wash your hands, don your apron, and join me as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!
You can flick through the slides here: https://www.slideshare.net/NickMalcolm/a-recipe-for-password-storage-add-salt-to-taste
I’ll update this post once the MP3 recording, and links to other great talks from the conference, become available.