A short introduction to password storage

If you need to store passwords to secure an application, you need to understand that you hold a major responsibility.

Plain text storage

First, you don't store passwords as they are. Someone (such as a hacker) who manages to access the password repository would easily be able to steal them, since they are stored in plain text. Not good!

Under the GDPR, you would be in breach of Art 5.1.f, Art 24 and Art 32. The relevant data protection supervisory authority (DPC, CNIL etc.) wouldn't be too impressed. More importantly, you are putting people's data at risk.

Plain text storage is a NO NO NO.


Passwords need to be stored in an irreversible form: a hash, not reversible encryption. If the encryption is reversible, one simply needs the key and the passwords can be stolen. Not good either!

You would still be in breach of Art 5.1.f, Art 24 and Art 32, because you still wouldn't have implemented "state of the art" protection of data.

Even with one-way encryption (hashing), the passwords aren't safe! Computers are powerful enough these days to take entire dictionaries, as well as passwords from previous data breaches, hash them with the same function as above and, by comparing the hash strings, retrieve the passwords.

If you let users choose passwords, encouraging them to use a short sentence (e.g. several words separated by spaces) would improve security, as the comparison would no longer be against a single dictionary word but against several combined. Requiring special characters not found in a dictionary (e.g. €$%-:) makes word comparison more difficult still.

This isn't enough though!


There is an analogy between encryption and cooking.

  • With cooking, you would often add a moderate amount of salt to improve the taste.
  • With encryption, adding salt improves security.

For encryption, you don't use real salt, of course! You add some random data before and after the password prior to hashing (salting). With the salt, comparing the hash against a table of hashed dictionary words no longer works, because the attacker's table was built from the words alone.


  • Your password is "the cat is playing with a mouse" (no salt).
    • SHA-256 hash: F854AFE0F34E2B4450016D63A0999B93CCB817AE4238C8BC7ECD68861C2F724A
  • Random string one (added before the password): "7F815C19-E630-BA19-554995C3217A88D0"
  • Random string two (added after the password): "7F85040F-CF59-BB81-9E75B677ED1C6E48"
  • Your "new" (salted) password, the string that is actually hashed, is "7F815C19-E630-BA19-554995C3217A88D0 the cat is playing with a mouse 7F85040F-CF59-BB81-9E75B677ED1C6E48".
    • SHA-256 hash: 2C952D7F96CAEC0E74CE682B63D382239A0BEF36BDE76A7EB503210347CEFD62
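As an added example (not code from the original post), here is the salting construction above in Python, placed next to the hash-comparison attack described earlier, so you can see why a precomputed table matches the unsalted hash but not the salted one. It uses SHA-256 as the post does; the helper names, the random salt generation and the small candidate wordlist are constructed for this illustration.

```python
import hashlib
import secrets

def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a UTF-8 string, upper-cased like the hashes shown above."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()

def salted_input(password: str, salt_before: str, salt_after: str) -> str:
    """The post's construction: random string, space, password, space, random string."""
    return f"{salt_before} {password} {salt_after}"

def salted_hash(password: str, salt_before: str, salt_after: str) -> str:
    return sha256_hex(salted_input(password, salt_before, salt_after))

def register(password: str) -> dict:
    """Create a fresh random salt pair for this user and return what gets stored.
    Salts are random, so two users with the same password get different hashes."""
    salt_before = secrets.token_hex(16)
    salt_after = secrets.token_hex(16)
    return {
        "hash": salted_hash(password, salt_before, salt_after),
        "salt_before": salt_before,
        "salt_after": salt_after,
    }

def verify(record: dict, candidate: str) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    expected = record["hash"]
    actual = salted_hash(candidate, record["salt_before"], record["salt_after"])
    return secrets.compare_digest(expected, actual)

# Constructed wordlist: phrases an attacker would pre-hash from dictionaries and old breaches.
WORDLIST = ["password", "letmein", "the cat is playing with a mouse"]

def precomputed_table(words) -> dict:
    """The comparison attack described earlier: hash every candidate once, up front."""
    return {sha256_hex(w): w for w in words}

def lookup(stored_hash: str, table: dict):
    """Return the recovered password if the stored hash appears in the table, else None."""
    return table.get(stored_hash)

if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    phrase = "the cat is playing with a mouse"
    print("unsalted hash found in table:", lookup(sha256_hex(phrase), table))
    record = register(phrase)
    print("salted hash found in table:", lookup(record["hash"], table))
    print("login with right password:", verify(record, phrase))
```

In production, a dedicated slow password hashing function (bcrypt, scrypt or Argon2) is preferred to a bare SHA-256, because it also makes each guess expensive rather than just unique per user.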

Where do you store the salt?

Not in the same place you store the hashed passwords. A hacker would hit five gafam with the same stone (expression adjusted from "hitting two birds with one stone" to respect birds and biodiversity and, hopefully, make you smile).

There is more to it, but one needs to start somewhere. So if you need to add security to a piece of software, make sure you are trained properly, seek advice and get the finished product tested.

Multi-factor authentication through an app will add an extra level of security, but that's for another day.

Claude Saulnier

Brand Ambassador

Post Scriptum (PS):

  • Interact on the matter through this LinkedIn post.
  • We have a LinkedIn page that we use to share updates. Feel free to visit and help us share a positive vibe.