TL;DR
Storing passwords directly in text files is highly insecure. This guide explains why and provides the *least bad* options if you absolutely must do it, focusing on hashing and salting. However, using a dedicated password manager or secure vault is strongly recommended.
Why Storing Passwords in Text Files is Bad
Plain text passwords are readable by anyone who gets a copy of the file: an attacker who compromises the host, a colleague who is accidentally sent the file, a backup job or sync client that copies it somewhere less protected. File permissions only limit what other local users can do; they do nothing once the file leaves the machine, and nothing against root or against whoever takes over the owning account. Storing hashes instead of passwords means a leaked file still costs the attacker a guessing campaign per password rather than handing them every credential at once.
The Least Worst Approach: Hashing and Salting
Hashing transforms a password into a fixed-length value from which the password cannot be recovered; to check a login you hash the candidate the same way and compare the results. Salting mixes a random, per-password value into the hash so that two users with the same password get different hashes and precomputed tables (rainbow tables) are useless: every stored hash has to be attacked individually. Here’s how:
- Choose a Strong Hashing Algorithm: Use bcrypt, scrypt, or Argon2. These are designed for password storage and are deliberately slow and (for scrypt and Argon2) memory-hungry, with a tunable cost factor, so each guess costs the attacker real CPU or memory time. Do not use MD5, SHA-1, or even an unsalted SHA-256: they are general-purpose hashes built to be fast, and a single GPU tries billions of them per second.
- Generate Salts: Each password needs its own salt, at least 16 bytes long, drawn from a cryptographically secure random source (Python’s secrets module or os.urandom, never a counter, timestamp or username). Salts are not secret; their job is uniqueness, not confidentiality.
- Hash with Salt: Pass the salt and password to the algorithm. Use the library’s salt parameter (bcrypt.hashpw, hashlib.scrypt, argon2) rather than concatenating strings yourself.
- Store Salt and Hash: Store the salt and the hash in your text file, separated by a delimiter (e.g., a colon). bcrypt already encodes the salt and cost factor inside its output string, so a separate salt field is redundant there; with raw scrypt or Argon2 APIs you must store the salt (and the cost parameters) yourself. Never store the original password!
Example using Python
This example uses the bcrypt library. You’ll need to install it first: pip install bcrypt. One caveat to know about bcrypt: it only uses the first 72 bytes of the password (the library silently truncates or, in recent versions, raises an error for longer input), so enforce a sane maximum length or pre-hash very long passwords.
import bcrypt
import hmac

def hash_password(password):
    # gensalt() draws a random 16-byte salt and sets the cost factor (default 12 rounds)
    salt = bcrypt.gensalt()
    hashed_password = bcrypt.hashpw(password.encode('utf-8'), salt)
    # Return both as text so they can be written to the file as-is.
    # bcrypt already embeds the salt in the hash string; keeping it separately
    # is harmless but redundant.
    return salt.decode('utf-8'), hashed_password.decode('utf-8')

def verify_password(password, stored_hash, stored_salt):
    # Re-derive the hash with the stored salt and compare in constant time so the
    # comparison does not leak how many leading bytes matched.
    # bcrypt.checkpw(password, stored_hash) does exactly this in one call.
    hashed_password = bcrypt.hashpw(password.encode('utf-8'), stored_salt.encode('utf-8'))
    return hmac.compare_digest(hashed_password, stored_hash.encode('utf-8'))

# Example Usage
pw = "mySecretPassword"
salt, pw_hash = hash_password(pw)   # avoid naming the variable "hash": it shadows a builtin
print(f"Salt: {salt}")
print(f"Hash: {pw_hash}")

# To verify:
if verify_password(pw, pw_hash, salt):
    print("Password verified!")
else:
    print("Incorrect password.")
File Format
Your text file should hold one entry per line, salt and hash separated by a colon:
salt1:hash1
salt2:hash2
salt3:hash3
If the file holds more than one account, put a non-secret identifier such as the username in a leading field; a hash on its own does not tell you whose it is. Keep the salt and hash in an encoding that cannot contain the delimiter (hex or base64), and with bcrypt be aware that the hash string itself already starts with "$2b$<cost>$" followed by the salt.
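Putting the four steps above and this file format together, here is an added, self-contained example; it is not code from the original post. It uses the standard library’s hashlib.scrypt instead of the bcrypt package so it runs without any third-party install, and because scrypt’s raw API does not embed the salt, the salt:hash layout shown above is genuinely needed. The function names, the scrypt cost parameters, and the sample password are this example’s own assumptions. The file is created with mode 0600 from the outset rather than chmod’ed afterwards, so there is no window in which it is readable by others.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# scrypt cost parameters (assumed for this example): 2**14 * 8 * 128 bytes = 16 MiB of memory
# per hash. Raise N on hardware that can afford it.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # 128-bit random salt, one per password
KEY_LEN = 32      # length of the derived hash


def hash_password(password: str) -> str:
    """Return a storable 'salt:hash' record with both fields hex-encoded."""
    salt = secrets.token_bytes(SALT_BYTES)          # CSPRNG, never a counter or timestamp
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"{salt.hex()}:{key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupt line
    cannot crash the login path.
    """
    try:
        salt_hex, hash_hex = record.split(":", 1)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # no early-exit on first mismatch


def write_password_file(path: str, records) -> None:
    """Create the file with mode 0600 at creation time (umask may only tighten it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for rec in records:
            f.write(rec + "\n")


def read_password_file(path: str):
    """Return the non-empty lines of the file, one record each."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def file_is_private(path: str) -> bool:
    """True when group and other have no permission bits (chmod 600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo_round_trip():
    """Constructed example: write one record, read it back, verify, check the mode."""
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "passwords.txt")
        write_password_file(path, [hash_password("mySecretPassword")])
        stored = read_password_file(path)[0]
        return {
            "verified": verify_password("mySecretPassword", stored),
            "rejected": not verify_password("mySecretPassw0rd", stored),
            "private": file_is_private(path),
        }


if __name__ == "__main__":
    print(demo_round_trip())
```

The cost parameters are fixed in code here; if you expect to raise them later, store them in each record as well (the PHC string format used by Argon2 and the scrypt/bcrypt "$...$" encodings do this) so that old entries can be recognised and re-hashed at the user’s next successful login. verify_password compares with hmac.compare_digest rather than == so the time taken does not depend on how many leading bytes of the hash matched.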
Important Considerations
- File Permissions: Set strict file permissions (e.g., 600) so only the owner can read and write to the file. On Linux/macOS, use chmod 600 passwords.txt. Better still, create the file with that mode from the start (os.open with mode 0o600, or umask 077 in the shell) so it is never briefly world-readable, and check the mode before trusting the file.
- Encryption: Consider encrypting the entire file at rest using a tool like GPG or LUKS for an extra layer of security. Remember that the process doing the verification must then be able to reach the decryption key, so this mainly protects offline copies and stolen disks, not a compromised running host.
- Raise the Work Factor Over Time: Salts cannot be rotated on their own, because producing a new hash requires the original password, which you deliberately do not have. Instead, when a user logs in successfully (the one moment you briefly hold the plaintext), re-hash with a fresh salt and the current cost factor if the stored entry uses an older or lower one. Pick the cost so that a single hash takes on the order of a few hundred milliseconds on your hardware, and revisit it as hardware gets faster.
- Avoid storing sensitive data: If possible, avoid storing passwords in text files altogether. Use dedicated password managers instead.
Alternatives (Strongly Recommended)
- Password Managers: 1Password, Bitwarden, and LastPass are widely used choices. They keep credentials in an encrypted vault whose key is derived from your master password with a slow, salted key-derivation function, so you get the hashing, salting and encryption without writing any of it yourself.
- Secure Vaults: HashiCorp Vault provides a secure way to store secrets, including passwords, with access-control policies and audit logging on every read, which a text file cannot give you.