So how do websites keep passwords long term? I mean really important websites, say a government or a big ecommerce or social networking website.

Sure, they store a hash (or salted hash) of the password in the webserver-connected datastore that is used for authentication, but is that it?

NOTE: I am not asking about hashing or salting, I'm asking about where they store the metadata (e.g., hash or salted hash) such that it's always available?

In fact, how do websites like Facebook store passwords? I'm guessing they would have multiple copies of the hash spread out over the world? And backed up to tape once in a while?

user87219
  • Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt` and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Mar 26 '17 at 01:10
  • I don't know for sure, but usually they use the two mechanisms you described: replication (copying the data over multiple instances) and backups. Both depend on the database you are using, so there is no single answer for this, but most database engines implement those. If you want to use those yourself, look up how to set up replication and backups for your specific database engine. – Lunar Mar 26 '17 at 15:53

2 Answers

You only need the hash of the user's password for most applications. Usually, the actual password isn't stored, for security reasons. If the datastore is compromised, you wouldn't want the hacker to be able to gain the actual passwords for the users.

That's usually why, actually, the hashes are salted in the first place. Salting makes it much harder to use a rainbow table (a precomputed table of all possible combos for passwords going through a certain type of hash) to regain the original password, which the user may be using on other sites.

This was answered in more depth here: Best way to store password in database

Anish Goyal
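
The iterated, salted HMAC that zaph's comment recommends and the salted hash that the answer above describes, as an added example that is not part of the original question or answers (Python, standard library only). It assumes PBKDF2-HMAC-SHA256 as the slow hash, a 16-byte random salt, a 32-byte derived key, and a self-describing `algorithm$iterations$salt$hash` record so the stored value carries everything needed to verify it later; all of these are choices made here, not something the post specifies.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumptions for this example (not from the original post): PBKDF2-HMAC-SHA256,
# 600,000 iterations as the current work factor, 16-byte salt, 32-byte output.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and return a self-describing record.

    The salt is random per password, so two users with the same password get
    different records and a precomputed (rainbow) table is useless. The
    iteration count is stored alongside so it can be raised over time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare.

    hmac.compare_digest is used so the comparison time does not leak how
    many leading bytes matched.
    """
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses an old algorithm or fewer iterations than current.

    Call this after a successful login and re-store the password with
    hash_password() so old records are upgraded transparently.
    """
    algo, iters, _salt, _hash = record.split("$")
    return algo != ALGORITHM or int(iters) < ITERATIONS


def calibrate_iterations(target_seconds: float = 0.1, start: int = 1_000) -> int:
    """Find an iteration count that takes roughly target_seconds on this host.

    This is the "about 100ms" rule of thumb from the comment: double the
    count until one derivation takes at least the target time.
    """
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * SALT_BYTES,
                            iterations, dklen=KEY_BYTES)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    # Constructed sample: store one record, then check a right and a wrong guess.
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
    print("iterations for ~100ms here:", calibrate_iterations())
```

The record is what goes into the datastore (and therefore into every replica and backup), so the salt and iteration count travel with the hash and a future migration to a higher work factor only needs `needs_rehash()` plus a re-store on the next successful login.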

The question is too broad to answer. It isn't just relevant for government web pages; it would be a real security issue if there are clear text passwords stored. Depending on security needs, there are password hashes used in most cases. If users need a certificate (e.g. stored on a card, or obtained using another process), there might be a public key of the user stored on the server (instead of the hash).

Your question also asks on completely different topics. For sure, a web backend database also needs backups (not only for passwords), and there are several load balancing techniques which may also consider geolocation topics etc.

Christoph Bimminger