Blog | G5 Cyber Security

Secure Passwords: Stop Base64 Encoding

TL;DR

Base64 encoding is not encryption. It is a way to represent binary data as printable text, and it is trivially reversible: there is no key, so anyone holding the encoded value can recover the original. Using it to ‘secure’ passwords or other sensitive credentials is a serious security risk. Stop doing that and use a password hashing algorithm (bcrypt, scrypt or Argon2) with a unique random salt per password.

Why Base64 Encoding Fails

Base64 encoding simply transforms the data into another alphabet (64 printable characters) so it can travel through text-only channels. Anyone can decode it with one library call or a one-line shell command, and the output only looks random because most people do not read Base64 by eye. It provides no confidentiality. Think of it like changing the font on a document – the content is still readable, just presented differently.

Steps to Secure Your Credentials

  1. Stop Storing Passwords in Plain Text or Base64: This is the most important step. If you’re currently storing passwords this way, you have a serious security vulnerability.
    • If using configuration files, ensure they are not publicly accessible.
    • Never commit credentials to version control (e.g., Git).
  2. Use Strong Hashing Algorithms: Employ algorithms designed for password storage. General-purpose hashes such as MD5 or SHA-256 are deliberately fast and therefore easy to brute force; password hashes are deliberately slow and configurable.
    • bcrypt: A popular and robust choice; it generates a random salt and embeds it, together with the cost factor, in the hash string. Note that it only uses the first 72 bytes of the password.
    • scrypt: More memory-intensive than bcrypt, which makes large-scale cracking on GPUs and custom hardware far more expensive.
    • Argon2: The current recommended algorithm (use the Argon2id variant), offering configurable memory, time and parallelism costs and resistance against both GPU and side-channel attacks.
  3. Implement Salting: A salt is a random value (16 bytes or more) combined with each password before hashing and stored alongside the hash.
    • Salts prevent attackers from using pre-computed rainbow tables to crack passwords, and ensure two users with the same password have different stored hashes.
    • Each password should get its own fresh salt from a cryptographic random source; the libraries above do this for you, so never reuse a fixed or hard-coded salt.
  4. Example (Python with bcrypt): This demonstrates how to hash and verify passwords. It requires the third-party bcrypt package (pip install bcrypt).
    import bcrypt
    
    def hash_password(password):
      # gensalt() returns a fresh random salt with the default cost factor (12);
      # the salt and cost are embedded in the hash string that hashpw returns,
      # so nothing else needs to be stored.
      # Note: bcrypt only uses the first 72 bytes of the password, and newer
      # versions of the library raise ValueError for longer inputs.
      salt = bcrypt.gensalt()
      hashed_password = bcrypt.hashpw(password.encode('utf-8'), salt)
      return hashed_password.decode('utf-8')
    
    def verify_password(password, hashed_password):
      # checkpw reads the salt and cost back out of the stored hash, recomputes
      # the hash and compares in constant time.
      return bcrypt.checkpw(password.encode('utf-8'), hashed_password.encode('utf-8'))
    
    # Example Usage:
    pw = "MySecretPassword"
    hashed = hash_password(pw)
    print(f"Hashed password: {hashed}")
    if verify_password(pw, hashed):
      print("Password matches!")
    else:
      print("Password does not match.")
    
  5. Secure Credential Management Systems: Consider using dedicated tools for managing secrets.
    • HashiCorp Vault: A widely used solution for storing and accessing sensitive data.
    • AWS Secrets Manager/Parameter Store: Cloud-based options for securely handling credentials within AWS environments.
    • Azure Key Vault: Microsoft’s cloud-based key management service.
  6. Regularly Rotate Credentials: Change passwords and API keys periodically.
    • Automate this process where possible.
    • Enforce strong password policies: prioritise length over composition rules, and reject passwords that appear in known breach lists.
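The steps above carried through end to end, as an added example that is not from the original post: first a Base64 ‘protected’ credential of the kind step 1 warns about is decoded to show how little it hides, then the same password is stored and verified with a salted, slow hash. It uses scrypt from the Python standard library (hashlib.scrypt) rather than the bcrypt package so that it runs without any third-party dependency; the config value, the storage format (scrypt$n$r$p$salt$digest) and the work factors are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample: a "user:password" credential that a legacy app kept in its
# config file Base64-encoded, believing that protected it (hypothetical value).
LEGACY_CONFIG_VALUE = "YWRtaW46aHVudGVyMg=="


def reveal_base64_credential(encoded: str) -> Tuple[str, str]:
    """Recover the plaintext from a Base64 'user:password' value.

    No key is involved: anyone who can read the config file (or an
    'Authorization: Basic ...' header on an unencrypted connection) gets the
    credential back with a single call.
    """
    raw = base64.b64decode(encoded).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


# scrypt work factors for this example (assumed values; on real hardware raise
# SCRYPT_N until one hash takes a noticeable fraction of a second).
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing string: scheme, parameters, salt and digest.

    A fresh random salt per call means two users with the same password get
    different stored values, so a precomputed (rainbow) table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time. Malformed or foreign hash strings simply fail to verify."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
        if len(expected) < 16:
            return False
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
        )
    except ValueError:  # bad integers, bad Base64 or invalid scrypt parameters
        return False
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    user, pw = reveal_base64_credential(LEGACY_CONFIG_VALUE)
    print(f"Base64 'protected' credential decodes to {user!r} / {pw!r}")

    stored = hash_password(pw)
    print(f"Stored value: {stored}")
    print("Same password hashed again gives a different value:",
          hash_password(pw) != stored)
    print("Correct password verifies:", verify_password(pw, stored))
    print("Wrong password verifies:", verify_password(pw + "!", stored))
```

The stored string carries its own parameters, so the work factors can be raised later and old hashes still verify; re-hash on the user's next successful login to migrate them. If the bcrypt package from step 4 or argon2-cffi is available, swap hash_password and verify_password for those libraries' calls and keep the rest unchanged.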

What about inflight credentials?

Inflight credentials are those being transmitted between systems. Base64 encoding offers no protection here either: HTTP Basic authentication, for example, is nothing more than the Base64 of “username:password”, and anyone who can observe the traffic can decode it. Use TLS (SSL is obsolete and should be disabled) for all network communication to protect data in transit, and keep credentials out of URLs and logs, where even TLS does not help.
