Blog | G5 Cyber Security

Secure Password Storage in Text Files

TL;DR

Storing passwords directly in text files is highly insecure. This guide explains why and gives the least-bad option if you absolutely must do it: never write the password itself, only a salted hash produced by a slow password-hashing algorithm. A dedicated password manager or secrets vault is strongly recommended instead.

Why Storing Passwords in Text Files is Bad

Plain text passwords are readable by anyone who gets hold of the file: an attacker who compromises the host, a colleague it was accidentally shared with, a backup, or a repository it was committed to. Correct file permissions (owner-only, 0600) narrow the exposure but do not remove it: root, the backup job and anyone who can read the disk or a snapshot still sees every password, and a single copy leaks all of them at once.

The Least Worst Approach: Hashing and Salting

Hashing transforms a password into a fixed-length digest from which the password cannot be recovered; verifying a login means hashing the candidate and comparing it with the stored digest. Salting adds a random value to each password before hashing, so two users with the same password get different hashes and precomputed (rainbow) tables are useless against the file. Here’s how:

  1. Choose a Strong Hashing Algorithm: Use bcrypt, scrypt, or Argon2 (Argon2id is the current recommendation). These are designed for password storage and are deliberately slow, and scrypt and Argon2 are also memory-hard, so every guess costs an attacker real CPU time and RAM. Do not use MD5, SHA-1, or a single round of SHA-256: they are fast general-purpose hashes, so a GPU rig can test billions of guesses per second against them.
  2. Generate Salts: Each password needs a unique salt of at least 16 bytes from a cryptographically secure random source (in Python, the secrets module, never random). The salt is not a secret; its only job is to make every hash unique.
  3. Hash with Salt: Feed the salt and the password to the algorithm together. With bcrypt and Argon2 libraries you pass the salt in (or let the library generate it) and the library does the combining; with a raw KDF such as hashlib.scrypt you supply both explicitly.
  4. Store Salt and Hash: Store both the salt and the hash in your text file, separated by a delimiter (e.g., a colon), together with the cost parameters so you can raise them later. bcrypt and Argon2 emit a single string that already embeds the salt and parameters, so one field per entry is enough for them. Never store the original password!

Example using Python

This example uses the bcrypt library. You’ll need to install it first: pip install bcrypt. Two things to know about bcrypt: the salt and cost factor are embedded in the hash string it returns, so you store that one string, and it only looks at the first 72 bytes of the password; anything longer is silently truncated.

import bcrypt

def hash_password(password):
    # gensalt() returns a fresh random salt in bcrypt's own format (default cost 12).
    # hashpw() embeds that salt in the returned hash, so it need not be stored separately.
    salt = bcrypt.gensalt()
    hashed_password = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed_password.decode('utf-8')

def verify_password(password, stored_hash):
    # checkpw() reads the salt and cost back out of stored_hash, re-hashes the
    # candidate and compares in constant time.
    return bcrypt.checkpw(password.encode('utf-8'), stored_hash.encode('utf-8'))

# Example Usage
pw = "mySecretPassword"
stored = hash_password(pw)
print(f"Stored hash (salt embedded): {stored}")

# To verify:
if verify_password(pw, stored):
    print("Password verified!")
else:
    print("Incorrect password.")

File Format

Your text file should look like this (one entry per line, binary salts and hashes hex- or base64-encoded so the delimiter stays unambiguous; a bcrypt or Argon2 string already carries its salt, so for those a line is just the hash). Create the file with owner-only permissions (chmod 600) and keep it out of version control and logs:

salt1:hash1
salt2:hash2
salt3:hash3
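The four steps above and this file format, carried through end to end, as an added example that is not code from the original post. It uses scrypt from the standard library (one of the algorithms the post recommends) so the salt generation, the salt:hash record and the lookup are all explicit, and it extends the post's format with a leading username field so entries can be looked up. The work factors n=2**14, r=8, p=1, the 16-byte salt, the 32-byte output and the sample users are assumptions for this example, not values from the post.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# Assumed scrypt work factors (not from the page): n=2**14, r=8, p=1 uses about
# 16 MiB per guess and is a common interactive-login setting; raise n if you can.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # the page's minimum: 16 random bytes per password
DKLEN = 32        # derived key (hash) length in bytes


def derive(password: str, salt: bytes) -> bytes:
    """scrypt(password, salt) with the fixed work factors above."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def make_record(username: str, password: str) -> str:
    """Build one 'username:salt:hash' line; a fresh salt is drawn every call."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = secrets.token_bytes(SALT_BYTES)   # CSPRNG, never the random module
    return f"{username}:{salt.hex()}:{derive(password, salt).hex()}"


def parse_records(text: str) -> dict[str, tuple[bytes, bytes]]:
    """Parse the file body into {username: (salt, hash)}; malformed lines are skipped."""
    records: dict[str, tuple[bytes, bytes]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3:
            continue  # wrong field count
        user, salt_hex, hash_hex = parts
        try:
            salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        except ValueError:
            continue  # not hex
        if len(salt) < SALT_BYTES or len(digest) != DKLEN:
            continue  # truncated or from different parameters
        records[user] = (salt, digest)
    return records


def verify(records: dict[str, tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    entry = records.get(username)
    if entry is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, digest = entry
    return hmac.compare_digest(derive(password, salt), digest)


def add_user(path: Path, username: str, password: str) -> None:
    """Append a record, creating the file owner-read/write only (0600) if needed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(make_record(username, password) + "\n")


def check_login(path: Path, username: str, password: str) -> bool:
    """Load the file and verify one login attempt against it."""
    return verify(parse_records(path.read_text(encoding="utf-8")), username, password)


def demo() -> tuple[bool, bool, bool]:
    """Round trip through a temporary file with constructed sample users.

    Returns (correct password, wrong password, unknown user)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "passwords.txt"
        add_user(path, "alice", "correct horse battery staple")  # constructed sample
        add_user(path, "bob", "hunter2")                          # constructed sample
        return (check_login(path, "alice", "correct horse battery staple"),
                check_login(path, "alice", "hunter3"),
                check_login(path, "carol", "anything"))


if __name__ == "__main__":
    print(demo())
```

Because the salt is drawn fresh in make_record, adding the same password twice yields two different lines, which is the whole point of salting; and because the cost parameters are fixed constants here, bump them only together with a plan to re-hash each user on their next successful login.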

Important Considerations

Alternatives (Strongly Recommended)
