How Do Password Managers Securely Handle Passwords?

Asked By CuriousCoder99 On

I'm developing an application where I need to securely manage user passwords. In my setup, when a user creates a password, it's encrypted and stored in the database. Upon login, the user's input password is encrypted again to verify the match with the stored version—pretty standard one-way encryption, right? But I'm curious about how password managers like Google, LastPass, and Apple work. They need to retrieve the actual password to autofill it in apps. This raises a couple of concerns: either they're storing unencrypted passwords or they must be using a weak encryption method. I assume they might rely on a master password as a sort of salt or unique key. So, what am I missing here? This whole process seems pretty insecure to me.

4 Answers

Answered By DataDefender23 On

You’ve hit the nail on the head about needing to use hashing for your app! Password managers do encrypt the passwords they store, but they also use a powerful technique called a password-based key derivation function to strengthen security and ensure that even if someone gets hold of the data, it can't be easily decrypted. Always choose a reputable password manager that keeps your master password client-side, too!

PrivacyPatriot1 -

Right! They essentially manage the keys securely to protect your data, keeping vulnerabilities at bay. Password managers have robust measures in place.

Answered By SecuritySavvy94 On

A lot of the confusion stems from mixing up hashing and encryption. In reality, respected password managers do things very differently from regular apps since they cater to vastly different security needs. Always be cautious with your choice of providers! Security is context-driven, and different applications require different approaches to maintain integrity.

CodeCrafter77 -

Couldn’t agree more! You must also monitor how and where these providers store your data to stay safe.

Answered By TechWhiz42 On

First off, the term you’re searching for is 'hashing,' not one-way encryption. Hashing is what you should be doing with passwords! As for password managers, they actually use strong encryption, but not in the way you're implying. They securely encrypt passwords, which still makes sense for user convenience, allowing them to autofill passwords safely. They don't store unencrypted passwords or weakly encrypted ones that could be easily compromised.

SecureSage77 -

Exactly! Plus, a good password manager encrypts passwords in a way that they can only be decrypted with a strong master password, keeping everything secure.

Answered By EncryptEnthusiast On

You mentioned master passwords as salts; actually, they play a crucial role in deriving keys for encryption. Strong password managers don't store your master passwords permanently, which means they can't decrypt your stored passwords like you might think. Everything remains very secure because they are designed to forget your master password immediately after it's used. It's all about the dynamics of encryption and secure practices!

CautiousCoder88 -

Absolutely, the idea is to make sure that even if a breach happens, attackers won’t have access to easily decrypt user passwords without that master key.
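Added example, not part of the original thread and not any password manager's actual code: the two approaches the answers contrast, side by side. A login server stores only a salted, slow hash it can verify against, while a vault stores reversible ciphertext whose key is derived from the master password and never stored. Function names and the iteration count are assumptions, and the HMAC-based stream cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM from a crypto library.

```python
import hashlib, hmac, secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)

def kdf(secret: str, salt: bytes) -> bytes:
    """Slow password-based key derivation; the salt makes each record unique."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

# --- Login server: keeps salt + hash only, so there is nothing to decrypt ---
def hash_password(password: str):
    salt = secrets.token_bytes(16)
    return salt, kdf(password, salt)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(kdf(password, salt), stored)

# --- Vault: reversible, but only with the key derived from the master password ---
def _subkeys(master: str, salt: bytes):
    root = kdf(master, salt)  # exists in memory only; never written to the record
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode as the keystream generator.
    stream = b""
    for i in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master: str, plaintext: bytes) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(master, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master: str, rec: dict) -> bytes:
    enc_key, mac_key = _subkeys(master, rec["salt"])
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong master password or tampered record")
    return _xor_stream(enc_key, rec["nonce"], rec["ct"])
```

The stored vault record holds the salt, nonce, ciphertext and tag but no key material, so a database leak alone yields nothing decryptable without guessing the master password through the slow KDF.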
