In my applications, I manage many passwords: database, users, API…
All are critical, but I store them in different systems depending on their usage.
In this article, I describe 3 ways to store passwords securely, one for each kind of use.
Don’t Store
The first rule of storing passwords is not to store passwords.
Any application can be compromised, and passwords are critical information. Avoid storing raw passwords at all: what you never store cannot be stolen.
But if I need to store passwords somewhere, depending on their purpose, I have several options.
For Users
To store my personal passwords, I use a password manager like KeePass.
There I store passwords like Gmail, Netflix, Amazon and other websites that I use daily.
With a tool like KeePass, I generate a long, random and different password for each website, so one leaked site password cannot be reused against another. And I only have a single master password to remember to unlock my database.
I used to have a separate database for professional passwords.
For API
Let’s now talk about passwords in an application. What if I need to store users’ passwords in my application so that I can authenticate them later?
I never store the password itself, only a one-way hash of it. This means that from the original password, I compute a hash value; from the hash value, recovering the original password is computationally infeasible. For this I use a dedicated password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) with a random per-password salt, not a fast general-purpose hash like MD5 or SHA-256, because a fast hash lets an attacker test billions of guesses per second against a stolen database.
This way, even if my database is compromised, the hacker will have access to the hashed passwords but not the original ones.
And how do I verify if the user’s password is correct? I hash the received password with the same salt and parameters and compare the result with the stored hash value, using a constant-time comparison.
For Systems
Finally, what if my application needs a password to connect to another system, like a database or an external API? These credentials must stay reversible, since the application has to present the real value, so hashing is not an option.
I use HashiCorp Vault or a cloud secret manager. It’s like KeePass, but for applications: the secret lives only in the secret manager, the application authenticates to it at startup and fetches the credential it needs, and nothing sensitive is committed to source control or baked into a config file or image. The secret manager also gives me an audit trail of who read what, and a single place to rotate a credential.
Conclusion
Passwords are critical, as they allow us to access confidential data and modify it. I store them in the most protected part of my application, and most of the time in a separate and much more protected system: a password manager for my own accounts, one-way hashes for my users’ passwords, and a secret manager for the credentials my application uses itself.