plain text
• Never, ever store passwords in plain text
• Passwords should be stored using a secure hash and a salt:
  • This is how *NIX does it!
  • A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length. The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes.[1]
  • A salt is a string of random bits that is systematically appended to a password before hashing and storage; it removes the ability to use a dictionary attack to break into an account
  • The salt should be kept private! Not even in GitHub!
  • The hash function is one-way, meaning that it is cryptographically secure: it cannot be used to recover the password from the hashed password

  hashed_password = hash_function(salt + password)

1. http://en.wikipedia.org/wiki/Hash_function
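A runnable version of the salted-hash scheme above, added here as an example and not taken from the slides. It assumes PBKDF2-HMAC-SHA256 as the `hash_function` (the slide names none) and feeds the salt through PBKDF2's salt input rather than literal string concatenation; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 stands in for the slide's generic hash_function (an
# assumption): one-way and deliberately slow, so guessing is expensive.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_function(salt: bytes, password: str) -> bytes:
    """hashed_password = hash_function(salt, password); cannot be reversed."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what gets stored: a fresh random salt and the hash, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new random salt per account
    return {
        "salt": salt.hex(),
        "hash": hash_function(salt, password).hex(),
        "iterations": ITERATIONS,
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(hash_function(salt, candidate), expected)


def same_password_different_hashes(password: str) -> bool:
    """Two accounts sharing a password get unrelated stored hashes, so a
    precomputed dictionary of password hashes is useless against salted storage."""
    a = create_record(password)
    b = create_record(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "Tr0ub4dor&3"))  # False
    print(same_password_different_hashes("hunter2"))  # True
```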