A basic question in a security interview: How do you store passwords in the database?
Explained in 3 mins.
Last week's interview story
Position: junior security engineer, fresh grad.
Let’s start the interview.
Me: “Here you mentioned having a good understanding of data security. Could you please give me some examples of which parts of data security?”
A: “Sure. For example, when we build a system there will be a user module, and when we store passwords in the database’s user table, we need to encrypt them before storing.”
Me: “Are you sure it is encryption and not hashing?”
A: “Yes.”
Me: “Then where do you store the keys?”
A: “What key?”
Me: “The encryption key which you used to encrypt the password. And is it asymmetric or symmetric encryption? Also, is it one key per user, or is the key shared?”
A: “Hmm. We are not using any of these. Then it must be hashing.”
Me: “No problem. Could you explain why we need to hash it before storing, instead of storing the plain text?”
A: “Yes. Because we want to achieve safety. When we validate the password, the password cannot be sent as plaintext from the UI to the server to do validation.”
Me: “When you register a user, do you need to send the password and confirmation password as…
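As an added example (not code from the original post), here is what the hashing approach the interviewer is steering toward looks like in Python, using only the standard library. The server hashes each password with a per-user random salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 here), stores the salt and parameters next to the digest, and verifies a login by recomputing the digest and comparing in constant time. There is no encryption key to store, which is the point behind the interviewer's "where do you store the keys" question. The iteration count, salt size, record format and the in-memory user table are assumptions of this example; `naive_sha256` shows the unsalted fast hash for contrast.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions for this example, not values from the post.
# PBKDF2-HMAC-SHA256 iteration counts in the hundreds of thousands are a common current
# baseline; tune so one hash takes a few hundred milliseconds on your servers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password for storage.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>".
    A fresh random salt is drawn per call, so two users with the same password get
    different rows and a precomputed table cannot be reused across accounts. Storing the
    parameters alongside the digest lets the work factor be raised later without breaking
    existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        # Malformed record (bad hex, non-numeric or non-positive iteration count).
        return False
    # hmac.compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def naive_sha256(password: str) -> str:
    """The anti-pattern: a single unsalted fast hash.

    Every user with the same password gets the same stored value, and SHA-256 can be
    computed billions of times per second, so a leaked table is cheap to crack.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed in-memory stand-in for the database user table: username -> stored record.
USER_TABLE: dict[str, str] = {}


def register(username: str, password: str) -> None:
    """Server-side registration: only the hash record is ever written to the table."""
    USER_TABLE[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Server-side login: fetch the record and verify; the plaintext is never stored."""
    stored = USER_TABLE.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")  # same password as alice
    print(USER_TABLE["alice"])
    print(USER_TABLE["bob"])  # different salt, so a different row
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong password"))
    # Unsalted fast hash: identical passwords produce identical stored values.
    print(naive_sha256("correct horse battery staple") == naive_sha256("correct horse battery staple"))
```

Running the script shows two different records for alice and bob despite the same password, a successful login for the right password, a failed one for the wrong password, and identical `naive_sha256` outputs for the same input. Verifying a record produced with a lower iteration count still works because the count is read from the record, which is how a deployment raises the work factor over time.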