close search bar

Sorry, not available in this language yet

close language selection

Secure Password Storage

Course Description

Developers have been storing passwords for ages. But did you know that the best practices from 10 years ago are hopelessly outdated? In this course, we look at commonly used but weak password storage mechanisms. Gradually, we work toward the current best practice for storing passwords. A real-life case study shows how to build a layered approach to storing passwords securely.

Learning Objectives

  • Describe the weaknesses for password-based authentication systems
  • Analyze the security of an existing password storage mechanism
  • Implement a password storage mechanism using current best practices
  • Devise a strategy to upgrade an existing legacy and insecure password storage mechanism


Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience

  • Architect
  • Back-End Developer
  • Enterprise Developer

Course Outline

The Importance of Password Storage

  • The Security Properties of Passwords
  • Data Breaches and Passwords
  • Have I been p0wned?

Why is Password Storage so Difficult?

  • The Insanity of Plaintext Passwords
  • Common Password Storage Mechanisms

Storing Passwords Using One-Way Functions 

  • The Properties of Cryptographic Hash Functions
  • Output Length
  • Example Hash Functions and Attacks Against Them
  • Case Study

Salting Stored Passwords

  • Salting a Password
  • Example Code
  • Salt Effectiveness Against Attack
  • Length Considerations
  • HMACs

Storing Passwords with an Adaptive one-way Functions

  • Properties of Adaptive One-Way Functions
  • Proof of Work
  • Adaptive Property and Tuning
  • Choosing an Adaptive One-Way Function
  • Example
  • Case Study 

Storing Passwords with Encryption

  • The Properties of Encryption 
  • Password Encryption in Practice 
  • Passwords Encryption: Code Examples
  • Security Properties and Weaknesses
  • Encryption's Main Advantage 
  • Case Study

Upgrading Existing Mechanisms

  • Rolling Upgrade
  • Layered Upgrade


  • Normalizing Your inputs
  • Salting Passwords
  • Using an Adaptive One-Way Function
  • Use of a Pepper
  • Upgrading or Rotating Storage/Verification Schemes

Get more course information