Password Storage Tier List: encryption, hashing, salting, bcrypt, and beyond

Studying With Alex

2 years ago

251,483 views

Comments:

Layarion - 03.10.2023 02:29

S tier is trash, if google decides they don't like who you voted for, they remove your account. no good having a password on there then.

Ashley Newson - 02.10.2023 23:41

Really makes you appreciate public-key cryptography. Alas, the average human is not very good with this concept, and struggles to even use passwords correctly. :(

Karl Kastor - 02.10.2023 21:19

Another way to not need a password is a private key (either a file on your disk or a YubiKey). Especially for ssh the recommendation is to not use a password, but just a private key.

Blazing Blast - 02.10.2023 19:36

Another way to stop dictionary attacks is to not allow users to pick their shitty passwords, but just give them a randomly generated string that they should remember/store

Adam Múdry - 02.10.2023 18:41

I would say two-factor authentication (2FA) is S tier?

Lucas Wolford - 02.10.2023 16:31

What music is this? I really like it!

Octia - 02.10.2023 14:41

The "S tier" is terrible. I would never use a website where I HAVE to use google/fb to log in.

Stuart Johnson - 02.10.2023 13:23

What about using a private key / public key algorithm where the public key is computed from the private key, and the private key is the result of a slow salted hash. This would have the benefit that even at login, the password and private key wouldn't even have to leave the user's device.

The Rhythmn Of Thought - 02.10.2023 12:22

Is there a reason you didn't mention peppering?

That's quite an important technique, as it renders dictionary attacks completely useless, even with really bad passwords.

DieHardMan 300 - 02.10.2023 12:17

S tier can be the most vulnerable when the user uses their nickname+birthday as an 8-digit password for their Google Account and has no 2-factor auth. Also you have to pay for using their API.

Danielo515 - 02.10.2023 10:22

Very good, short and informative video

MrRedstonefreedom - 02.10.2023 09:00

heh, correct horse battery staple. Nice reference

Can't Stand'ya - 01.10.2023 22:59

Trusting Google & Facebook is the end solution... oh, ok... Oo

Ragland Asir - 01.10.2023 21:32

For S tier, there's also WebAuthn

D. Bagg - 01.10.2023 05:45

Problem with S tier is possibly losing access to the third party account. Big Tech Company might do something stupid like Nymwars again. Compartmentalization is nice; I'd rather have to respond to the occasional website breach than risk everything. Though, that depends on using a password manager right...

Zaro2008 - 30.09.2023 23:44

I was on board until you recommended login with Google or Facebook

12 - 30.09.2023 23:04

Absolutely unclear: what's the difference between a dictionary attack and a rainbow table?

Yoav Mor - 30.09.2023 21:53

What stops hackers from just grabbing the entire raw table, and decrypting it on their end in their leisure?

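The two questions above (dictionary attack vs. rainbow table, and why a stolen table can't simply be cracked at leisure) both come down to where the hashing work is paid. The following Python is an added example, not code from the video or from any commenter: it builds a tiny constructed wordlist and a constructed "leaked" table using SHA-256 (a fast hash picked for illustration only), then cracks the table three ways. The lookup table here stands in for a rainbow table; a real rainbow table compresses the same precomputation with hash/reduce chains so it fits on disk, but the property that matters is identical: the hashing is done once, before any leak exists.

```python
"""Dictionary attack vs. precomputed (rainbow/lookup) table vs. salting.

Added example. WORDLIST, USERS and the SHA-256 'storage' are constructed
for illustration; real storage must use a slow, salted KDF, never this.
"""
import hashlib
import os

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon",
            "correcthorsebatterystaple", "hunter2", "sunshine"]

# Constructed users; "Tr0ub4dor&3" is deliberately absent from WORDLIST.
USERS = {"alice": "password", "bob": "dragon",
         "carol": "correcthorsebatterystaple", "dave": "Tr0ub4dor&3"}


def fast_hash(password, salt=b""):
    """A fast, unkeyed hash (SHA-256). With salt=b'' this is exactly what an
    unsalted password table looks like."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leak_database(users, salted):
    """Constructed 'stolen' table: rows of (username, salt, hash)."""
    rows = []
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        rows.append((user, salt, fast_hash(pw, salt)))
    return rows


def build_lookup_table():
    """Precompute hash -> password ONCE for the whole wordlist. A rainbow
    table is this idea with hash/reduce chains for space; the point is the
    same: the hashing work happens before any particular leak."""
    return {fast_hash(word): word for word in WORDLIST}


def crack_with_table(rows, table):
    """One lookup per leaked row, zero hashing at attack time."""
    return {user: table[h] for user, _, h in rows if h in table}


def crack_with_dictionary(rows):
    """Hash every candidate against every row. Returns (found, hashes computed).
    The salt goes into each guess, so work cannot be shared between rows."""
    found, work = {}, 0
    for user, salt, target in rows:
        for word in WORDLIST:
            work += 1
            if fast_hash(word, salt) == target:
                found[user] = word
                break
    return found, work


def demo():
    """Crack the same four accounts with and without salt, both ways."""
    table = build_lookup_table()
    unsalted = leak_database(USERS, salted=False)
    salted = leak_database(USERS, salted=True)
    dict_unsalted, work_unsalted = crack_with_dictionary(unsalted)
    dict_salted, work_salted = crack_with_dictionary(salted)
    return {
        "table_unsalted": len(crack_with_table(unsalted, table)),
        "table_salted": len(crack_with_table(salted, table)),
        "dict_unsalted": (len(dict_unsalted), work_unsalted),
        "dict_salted": (len(dict_salted), work_salted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Read the numbers together: the salt drops the precomputed table's yield from three accounts to zero, but the dictionary attack still recovers the same three with the same 21 hashes of work, because it simply recomputes per row. So yes, whoever stole the table can crack it at leisure; what limits that is the cost of each hash (a deliberately slow function), not the salt. Salt kills precomputation, slowness limits guessing, and you need both.
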
Jonathan Crowder - 30.09.2023 20:26

SRP aka secure remote password is an option if you want oauth level security without oauth providers.

KazeReload - 30.09.2023 14:04

Really amazing video! It's so clear that everyone could understand it, but still gives the intended information. Congratulations! New subscriber gained ;)

web_dev - 29.09.2023 00:52

Legit question nobody asks. What do you do when an authenticator gets decommissioned and the user set no fallback password, no nothing :D or what if it goes under some attack or is otherwise temporarily inaccessible? Is it supposed to be of no concern to small operations? Maybe, but unfortunately I have my standards... Though I love the passwordless world, there is nothing like exchange of the public key.

Dobes Vandermeer - 27.09.2023 17:58

What about secure remote password (SRP)? I think that's the real S tier.

Vincent Jenks - 27.09.2023 14:27

Lololol! Amazing. This is my life right now. It's not even an exaggeration.

TheDutchisGaming - 26.09.2023 17:17

Another S tier would be cryptographic signing using key pairs.

Creativity Refresher - 26.09.2023 15:04

One more architectural way to store credentials (not necessarily passwords) is to store them in a separate database which is only accessible by other systems, so there are no credentials for the database to speak of. This requires a third "party" in communication between systems, which manages accounts and credentials and rotates them (generates new credentials) periodically, called Identity Authentication Service (IAS). This is widely used in cloud systems (AWS, Google Cloud Platform, Azure, etc).

Tau - 24.09.2023 15:07

I hate S tier honestly.

On Security: That means that your users will have one point of failure: Google, Facebook, etc. Not great. If their Google Account is hacked the hacker has their complete online identity with this method.

On Usability: You force your users to have one of these services and also tell these services that they use your service. Not great for user privacy.

My favorite solution to this problem: Don't try to reinvent the wheel. Use off-the-shelf password solutions for the environment you work in. There are many great and widely tested libraries that you can use.

Evan Hatch - 24.09.2023 08:05

So good. Great job

G R. - 23.09.2023 02:11

this is probably the first time I've understood what salting actually does, bravo

Ozzyfromspace - 21.09.2023 11:49

Congrats, this is an S tier video!

Lance Marchetti - 20.09.2023 18:15

I'm working on an idea.
Your comments/input would be appreciated.

Basically, even if a password is breached it will still result in garbled or zero-byte files when used, unless the manipulated byte order is restored. For this, a BOMKey (Byte Order Manipulation Key) needs to be provided for the password to trigger the release of the files in their correct binary order; otherwise they simply remain in their corrupted state.

Because the BOM is not set to any algorithmic pattern, it remains random and therefore nearly impossible to guess.

I have tested this by attacking a simple 2-character password-protected zip archive with Hashcat and John the Ripper.
The password is easily discovered, but extracts garbled files due to the missing Byte Order Key.

Or Orsatti - 20.09.2023 10:27

How bout srp?

Christopher - 17.09.2023 00:34

Another point: Don't store the authentication data in the same database as the application data. That way if you have an SQL injection vulnerability in the application code, the attacker still can't read the authentication data (because the SQL doesn't run on that database).

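A concrete version of the separation described above, added here as an example and not the commenter's own code: two SQLite databases (in memory, with constructed rows and placeholder strings standing in for real hashes) and one deliberately vulnerable search query. With the users table co-located, a UNION injection through the product search reads credentials; with the users table in a separate database, the same injected query has nothing to read. The parameterised query is shown beside it because separation is defence in depth, not a substitute for fixing the injection.

```python
"""One SQL injection, two deployments: credentials in the app DB vs. elsewhere.

Added example. Tables, rows and the placeholder hash strings are constructed.
"""
import sqlite3

PRODUCTS = [("widget",), ("gadget",)]
# Placeholder strings, not real digests.
USERS = [("alice", "$2b$12$placeholder-hash-for-alice"),
         ("bob", "$2b$12$placeholder-hash-for-bob")]

# Attacker-controlled search term. The products query selects two columns,
# so the UNION must select two as well; '--' comments out the trailing quote.
PAYLOAD = "%' UNION SELECT username, password_hash FROM users --"


def make_db(with_users):
    """In-memory application DB; the users table exists only when auth data is co-located."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products(name) VALUES (?)", PRODUCTS)
    if with_users:
        conn.execute("CREATE TABLE users(username TEXT, password_hash TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable: the term is interpolated straight into the SQL."""
    sql = f"SELECT id, name FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: a bound parameter, so the payload is just a pattern that matches nothing."""
    return conn.execute(
        "SELECT id, name FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


def leaked_credentials(conn):
    """Rows the injection pulls back that are not products (string first column)."""
    rows = search_vulnerable(conn, PAYLOAD)
    return [(u, h) for u, h in rows if isinstance(u, str)]


def injection_against_separate_db():
    """Auth data in another database: the injected UNION fails, nothing leaks.
    Returns the database error text, or None if (unexpectedly) the query ran."""
    try:
        leaked_credentials(make_db(with_users=False))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("co-located:", leaked_credentials(make_db(with_users=True)))
    print("separate:  ", injection_against_separate_db())
    print("safe query:", search_safe(make_db(with_users=True), PAYLOAD))
```

The separate database only removes the credentials from the reach of injection in the application's own query path; it does nothing if the authentication service in front of that database is itself injectable, and it requires the application to talk to that service with a credential of its own, which is why secrets for that link should be rotated rather than hard-coded.
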
Christopher - 17.09.2023 00:08

Using third-party login however has privacy issues. As user, I avoid that option wherever possible.

Abdurahman Mohamed - 16.09.2023 21:54

I think you were right about "Don't store passwords", but you went about it the wrong way. The right way would be something like using the SRP (Secure Remote Password) algorithm, which doesn't store the password or its hash, rather than making your application a hostage to these companies.

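SRP, raised in several comments above, and the keypair-from-a-slow-salted-hash idea earlier in the thread aim at the same thing: the server stores a verifier rather than a password or its hash, and the password never leaves the client even at login. The following is an added Python implementation of the SRP-6a exchange as laid out in RFC 5054, not code from the video or from any commenter. It uses SHA-256 and the 1024-bit group from the RFC's appendix; that hex is reproduced from memory and must be checked against the RFC before any real use (the larger RFC groups drop in unchanged, and the key agreement works regardless). The key-confirmation messages M1 and M2 are included, since they are how a wrong password is actually detected.

```python
"""SRP-6a (RFC 5054 message flow) with only the standard library.

Added example. The group parameters are as published in RFC 5054 appendix A
to the best of my recollection; verify them against the RFC before use.
"""
import hashlib
import secrets

N = int("".join("""
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C 9C256576
D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4 8E495C1D 6089DAD1
5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29 7BCF1885 C529F566 660E57EC
68EDBC3C 05726CC0 2FD4CBF4 976EAA9A FD5138FE 8376435B 9FC61D2F C0EB06E3
""".split()), 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def H(*parts):
    return int.from_bytes(sha(*parts), "big")


def pad(x):
    """Fixed-width big-endian encoding, as RFC 5054 requires for A, B, N, g."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def _x(username, password, salt):
    """x = H(s | H(I ":" P)). Only the client ever computes this."""
    return H(salt, sha(f"{username}:{password}".encode()))


def register(username, password):
    """Client side. The server stores (username, salt, v) and never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _x(username, password, salt), N)


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)          # a stays private, A goes to the server


def server_start(v, A):
    if A % N == 0:
        raise ValueError("illegal A")   # RFC 5054: abort
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    return b, B                     # b stays private, B goes to the client


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("illegal B")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u must not be zero")
    x = _x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = sha(pad(S))
    M1 = sha(pad(A), pad(B), K)     # proof that the client knows the password
    return K, M1


def server_finish(v, A, b, B, M1):
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = sha(pad(S))
    if not secrets.compare_digest(M1, sha(pad(A), pad(B), K)):
        return None, None           # wrong password: no session key, no proof
    return K, sha(pad(A), M1, K)    # M2 proves the server derived the same K


def login(username, password, salt, v):
    """One full exchange. Returns (client_key, server_key); equal only if the password matches v."""
    a, A = client_start()
    b, B = server_start(v, A)
    k_client, m1 = client_finish(username, password, salt, a, A, B)
    k_server, _m2 = server_finish(v, A, b, B, m1)
    return k_client, k_server


if __name__ == "__main__":
    s, v = register("alice", "correct horse battery staple")
    print("correct:", login("alice", "correct horse battery staple", s, v)[1] is not None)
    print("wrong:  ", login("alice", "correct horse battery stapel", s, v)[1] is not None)
```

Two caveats that the "real S tier" comments leave out. The verifier v = g^x is still a function of the password, so someone who steals the verifier table can run an offline dictionary attack against it; the x derivation should therefore be slow (deployments replace the inner SHA-256 with a memory-hard KDF), and the slow-hash lessons from the video still apply. And SRP is only as strong as its group and hash: the 1024-bit group is the smallest in the RFC, and a production system should use 2048 bits or more.
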
q - 11.09.2023 23:54

insanely good content, keep it up! very very very underrated

Rohit Garg - 05.09.2023 14:48

best video for understanding how hashing works !!

cheng joseph - 18.08.2023 04:22

very Informative and simple to understand.

mohamed hassan - 20.07.2023 15:51

Excellent video with a simple explanation, the simple example you talked about Hashing is AMAZING - the brown color - it's just a smooth, attention-grabbing and not boring at all video, keep up with your good stuff

\n - 20.07.2023 15:36

This video was very helpful! I wanted to try making a hashing algorithm for something, but I didn't know how to make it until now. Thanks!

Edit: I was successfully able to make a slow hashing algorithm that takes like 3 seconds to complete on my slow laptop.

Rajesh Sharma - 19.07.2023 19:08

But during login, how do we know the salt, because it is already saved on the server?

Glasia van Duivels 🌳 - 12.07.2023 12:45

Maybe S tier is 2FA: PW + finger print / TAN generator / SMS / ...

sasi dhar Naidu - 09.07.2023 21:30

What about sha512? Is it not sufficient to secure the passwords?

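Three questions in this thread have one answer: what peppering adds (asked further up), how login knows the salt, and whether SHA-512 is enough. The following is an added Python example, not the video's or any commenter's code, of a password record built with PBKDF2-HMAC-SHA512. The salt and the iteration count are stored inside the record, which is exactly how verification recovers them at login. The pepper is applied as an HMAC key before the KDF and is assumed to live outside the database; the constant below is a constructed stand-in for a value fetched from a secret store. SHA-512 is fine as the primitive; what makes the record expensive to attack is the iteration count, and the last function measures that against raw SHA-512 on whatever machine runs it.

```python
"""Salted, peppered, deliberately slow password records with PBKDF2-HMAC-SHA512.

Added example. PEPPER is a constructed placeholder; in production it comes
from a KMS/secret store on the application host, never from the users table.
"""
import base64
import hashlib
import hmac
import os
import time

PEPPER = bytes.fromhex("7f3a9c1e5b2d4f60819a3c5e7d9b1f2a")  # placeholder
ITERATIONS = 210_000    # OWASP's current floor for PBKDF2-HMAC-SHA512
SALT_BYTES = 16
ALG = "pbkdf2_sha512"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _prehash(password, pepper):
    """Bind the pepper as a MAC key rather than by concatenation: without it,
    an attacker holding only the database cannot even start guessing."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha512).digest()


def hash_password(password, pepper=PEPPER, iterations=ITERATIONS):
    """Return a self-describing record: alg$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", _prehash(password, pepper), salt, iterations)
    return f"{ALG}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record, pepper=PEPPER):
    """Read salt and cost back out of the record, recompute, compare in constant time."""
    alg, iters, salt_b64, digest_b64 = record.split("$")
    if alg != ALG:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha512", _prehash(password, pepper), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored cost is below policy: rehash on the next successful login."""
    return int(record.split("$")[1]) < iterations


def guesses_per_second(seconds=0.5):
    """Rough attacker guess rate on this CPU: raw salted SHA-512 vs the record above."""
    salt = os.urandom(SALT_BYTES)

    def raw(pw):
        return hashlib.sha512(salt + pw).digest()

    def slow(pw):
        return hashlib.pbkdf2_hmac("sha512", pw, salt, ITERATIONS)

    rates = {}
    for name, fn in (("raw sha512", raw), ("pbkdf2 sha512", slow)):
        n, start = 0, time.perf_counter()
        while time.perf_counter() - start < seconds:
            fn(b"guess%d" % n)
            n += 1
        rates[name] = n / seconds
    return rates


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("rates:", guesses_per_second())
```

Two things to take from it. The pepper helps only because a database dump does not contain it; stored next to the hashes it adds nothing beyond the salt, so "renders dictionary attacks useless" holds exactly as far as that secret stays separate. And the guess-rate function is the honest answer to "is sha512 enough": on one core, raw SHA-512 in a Python loop manages on the order of a million guesses per second, while the record above manages a handful, which is the whole difference between a fast hash and a password hash built on it.
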
matheus - 29.06.2023 18:05

Great video!

NoiseHERO - 22.05.2023 06:46

S Tier, make other people store passwords so you don't have to B)

Ketki Patil - 16.05.2023 09:55

Crystal clear and to-the-point explanation in minimal time. Great work!

Robbie Torkelsonn - 28.04.2023 12:53

len(password) < len(hash), otherwise ...

Pigeonhole principle: if there are more pigeons than holes, then at least one hole must have more than one pigeon in it.

Does that mean that longer passwords are less secure?

Andrei Siuniakou - 21.03.2023 01:12

Awesome work, thanks for those clarifications! It's insanely easy to understand using this video. I will suggest it to everyone who needs to understand how it works.

Marc De Gagné - 17.03.2023 14:54

Thanks! Well explained differences.