Storing your passwords in a secure way is as important as creating a password that is not easy to hack. If a software developer is working on an application that uses a QA database or a PROD database, the end customer will most probably want to access them from a laptop or a mobile device.
You should probably have a script that updates your database but you face the challenge of storing the password and processing it when required. Many people make the mistake of storing their passwords in plain text, which is the worst possible scenario in case of a targeted attack, for instance. We will look at some best practices to store, manage, and communicate passwords and credentials in a secure and safe way.
Educate Your Users to Manage Passwords
First of all, if your users are not managing their passwords in the right way, your passwords will never be safe, regardless of how and where you store them. One of the former bosses at IBM once said that we could not make a safe computer and have secure communication until people stop writing their passwords on sticky notes and putting them next to their computer.
Then, ask your users and customers to use a secure connection and to look for 256-bit encryption when connecting to sites that require a password. Of course, it would be best if a secure connection were always in place by default, but that is still impossible.
Select a Secure Cloud Provider
Many companies and services store their databases online. Many people think the cloud is not as secure as local storage, but the fact is that the cloud has become a much more secure place in recent years.
[Figure: Average Cost of Data Breaches in 2018]
On the other hand, if your cloud storage is not secure, how can the database that stores your credentials be secure? Sure, you still should not store credentials in plain text, but you also need a secure place to store them, be it in-house or in the cloud. So, selecting a secure cloud service for storing sensitive data is essential.
Using OAuth with Ruby on Rails
Let’s assume you are developing an application using Ruby on Rails and you need to store the respective credentials in a safe way. How do you do that?
Many people will tell you that you need to encrypt them. That is a working method, but there are modern alternatives such as OAuth. Current password flows use one-way hashing: the password is hashed and only the hash is stored and compared with the value in the database. OAuth lets you give your users secure access to data without entering any sensitive information to log in.
Using Encryption with Ruby on Rails
You should design your database so that stored credentials cannot be recovered in clear text afterwards. If you store them in plain text, you risk anyone with the right skills getting hold of your database tables and then accessing whatever you have stored in them.
When you store hashed passwords (often loosely called encrypted passwords), a security breach gives the hackers only hashed data, which takes a very long time to reverse. One thing you should bear in mind is that weak passwords are still vulnerable when you use this method.
A hacker, for example, can hash a simple string such as "Wordpass" or "12345" and then compare the result to every password hash you have stored in the database. That is why we started with the suggestion to educate your users.
Using Tools Such as Encryptor
Encryptor is a very simple wrapper for the standard Ruby OpenSSL library that you can use to encrypt and decrypt strings. It can be used to validate your users: the clear-text input is processed the same way and the result is compared with the stored hashed value.
The hashed password itself is never decrypted back to clear text. This tool encrypts using several different keys, but you still need to add an additional layer of security. How? Keep your passwords in the database but store the keys in a separate secure storage.
Using Tools Such as Bcrypt with Node.js
Bcrypt is a method and library to hash and store passwords. It uses one-way hashes instead of encryption, and hashing is irreversible. Encryption and decryption is a two-way method, but with hashing you use a secure hash algorithm and cannot get the original string back.
You can use both synchronous and asynchronous methods with this tool. Bear in mind that hashing is CPU intensive and resource consuming, so a good practice is to use the asynchronous approach. The synchronous version prevents your application from processing other requests until the hashing is complete. Both versions work, but if you need better performance you need to use the asynchronous version.
Never store your encryption keys and your credentials in one place. Never store a single password in plain text, because this is how you allow easy hacking. Store these credentials in a safe place, as it adds a further layer of security. In addition, use methods that prevent your users from communicating their credentials in plain text.