- do not store cleartext
- encrypt password with proven cryptographic hash algorithms
- add salt to protect hashed password from rainbow attacks
- iterations of processing = salt rounds, improves randomness
Salting is the application of a hash function to a sequence of bits in order to randomize that sequence of bits.
- Salting protects against attackers viewing the hashed password. If we can view the hashed password and compare it amongst other passwords, then we can guess the hash function used to encrypt the password.
- If we knew the hash algorithm, we could do a brute force attack; generate every possible string and hash it.
- Rainbow table: a precomputed table for caching the output of cryptographic hash functions
- Used for cracking password hashes
- Suppose an attacker steals passwords from your site. Using the list, they check if any of the stolen passwords exist on the table
mypassword123 -> R1(mypassword123) -> h43dn8b -> R2(h43dn8b) -> thheh40xncc
- If so, they now have access to an account and the crypto hash function used in your site
At the time of writing this, no, it is not necessary, because I'm using node bcrypt to handle the salt generation. All that's needed is to store the hashed password.