Storing passwords

After a strong and secure password was created, it also has to be stored securely. The NIST gives recommendations on how applications should handle passwords and how to store them securely.

How should a password be stored?

• first of all: use encryption and a protected channel for requesting passwords The verifier shall use approved encryption and an authenticated protected channel to resist eavesdropping and MitM (Man-in-the-middle) attacks when requesting memorized secrets.

• resistant to offline attacks Passwords should be stored in a form that is resistant to offline attacks.

• use salts Passwords should be salted before storing them. The salt shall have at least 32 bits in length and should be chosen arbitrarily to minimize salt value collisions among stored hashes.

• use hashing Before storing a password, it should be hashed with a one-way key derivation function. The function inputs the password, salt, and cost factor and then generates a password hash. Examples of suitable key derivation functions:

  • Password-based Key Derivation Function 2 (PBKDF2) (as large as possible ⇒ at least 10.000 iterations)

  • BALLOON

  • The key derivation function shall use an approved one-way function such as:

    • Keyed Hash Message Authentication Code (HMAC)

    • any approved hash function in SP 800-107

    • Secure Hash Algorithm 3 (SHA-3)

    • CMAC

    • Keccak Message Authentication Code (KMAC)

    • Customizable SHAKE (cSHAKE)

    • ParallelHash

• memory hard key derivation function Use memory-hard key derivation functions to increase the needed cost further to perform attacks.

• high cost factor The key derivation function’s cost factor (iteration count) should be as large as verification server performance will allow. (at least 10.000 iterations)