Table of Contents

    Password Handling Basics

    Programming Mastery

    Password Handling Basics

    Learn how to handle passwords safely using validation, secure storage, hashing, salting, reset flows, login protection, and secure coding habits.

    Introduction

    Password handling means managing passwords safely throughout their life cycle: registration, login, storage, reset, update, verification, and account protection.

    Passwords are one of the most common ways users prove their identity. Because passwords protect accounts and private data, developers must handle them carefully.

    Password handling is not only about checking whether a password is correct. It is about protecting passwords from exposure, misuse, guessing, theft, and unsafe storage.

    A secure application should never store plain-text passwords, never expose passwords in logs, never send passwords carelessly, and never hardcode credentials in source code.

    Easy Real-Life Example

    Password Handling as Protecting a Locker Key

    Imagine a locker key. If anyone gets the key, they can open the locker. So, you do not leave the key openly on a table. You protect it, avoid sharing it, and use extra security when needed.

    Locker Security:
    - Do not leave key openly
    - Do not share key carelessly
    - Use strong lock
    - Change lock if key is lost
    - Add extra security for valuable items
    
    Password Security:
    - Do not store plain-text passwords
    - Do not expose passwords in logs
    - Use secure password hashing
    - Support password reset safely
    - Use MFA for sensitive accounts

    Passwords are like digital keys. If they are handled poorly, accounts and data become unsafe.

    What is Password Handling?

    Password handling is the set of practices used to safely collect, verify, store, reset, update, and protect passwords.

    It includes both user-facing behavior and backend security controls.

    Key Idea: A system should be able to verify a password without storing the original password in readable form.

    Why Password Handling is Important

    Passwords protect user accounts. If passwords are handled incorrectly, attackers may gain access to private information, admin features, financial data, student records, or business systems.

    Password Handling Helps To

    • Protect user accounts.
    • Reduce risk from database leaks.
    • Prevent plain-text password exposure.
    • Support secure authentication.
    • Reduce account takeover risk.
    • Improve user trust.
    • Protect sensitive application features.
    • Support security-focused development practices.

    What Can Go Wrong with Poor Password Handling?

    Poor Password Handling

    • Passwords are stored as plain text.
    • Passwords are printed in logs.
    • Passwords are sent through unsafe channels.
    • Hardcoded admin credentials are used.
    • Password reset links never expire.
    • Weak passwords are accepted without control.
    • Unlimited login attempts are allowed.
    • Password values are exposed in error messages.

    Secure Password Handling

    • Passwords are never stored as plain text.
    • Passwords are stored using secure hashing.
    • Each password gets a unique salt.
    • Sensitive values are not logged.
    • Reset links expire and are single-use.
    • Login attempts are monitored and controlled.
    • Generic login error messages are used.
    • MFA is used for extra protection when needed.

    Principle 1: Never Store Plain-Text Passwords

    Plain-text password storage means saving the actual readable password in a database or file.

    This is extremely unsafe because anyone who gains database access can read all passwords directly.

    Bad Practice

    username: "student01"
    password: "MyPassword123"

    Better Practice

    username: "student01"
    passwordHash: "stored_secure_password_hash"

    The system should store a secure password hash, not the original password.

    Principle 2: Use Password Hashing

    Hashing converts a password into a fixed output value using a one-way process.

    One-way means the application should not be able to convert the hash back into the original password.

    User password:
    MyPassword123
    
    Hashing process:
    MyPassword123 → secure hash value
    
    Database stores:
    secure hash value

    During login, the entered password is processed again and compared with the stored hash.

    Password Verification Flow

    Registration:
    1. User creates password.
    2. System validates password.
    3. System hashes password using secure password hashing.
    4. System stores the password hash.
    
    Login:
    1. User enters password.
    2. System hashes the entered password.
    3. System compares it with stored password hash.
    4. If they match, authentication succeeds.
    Important: The system verifies passwords without needing to store the original password.

    Hashing vs Encryption

    Hashing and encryption are different. Students must understand this difference clearly.

    Hashing Encryption
    One-way process. Two-way process.
    Original password should not be recoverable. Original data can be recovered with a key.
    Best for password storage. Best for data that must be read again later.
    Used to verify passwords. Used to protect readable data.

    Principle 3: Use Slow Password Hashing Algorithms

    Password hashing should be intentionally slow enough to make guessing attacks more difficult.

    General fast hash functions are not ideal for password storage because attackers can try many guesses quickly.

    Password Hashing Algorithm Examples

    • Argon2id.
    • bcrypt.
    • PBKDF2.
    • scrypt.

    In real projects, developers should use trusted libraries and framework-supported password hashing functions instead of creating custom password hashing logic.

    Principle 4: Use Salt

    A salt is a unique random value added to each password before hashing.

    Salting helps ensure that two users with the same password do not have the same stored hash.

    User A password:
    Password123
    
    User A salt:
    randomSaltA
    
    User A hash:
    HASH(Password123 + randomSaltA)
    
    
    User B password:
    Password123
    
    User B salt:
    randomSaltB
    
    User B hash:
    HASH(Password123 + randomSaltB)

    Even though both users used the same password, their stored hashes become different because their salts are different.

    Principle 5: Understand Pepper

    A pepper is an additional secret value used with password hashing as defense in depth.

    Unlike a salt, which is usually stored with the password hash, a pepper should be protected separately in a secure configuration or secrets management system.

    Beginner Note: Salt is unique per password. Pepper is a protected application-level secret.

    Principle 6: Validate Password Input

    Password fields should be validated during registration, login, password update, and reset.

    Password Input Checks

    • Password should not be empty.
    • Password should meet minimum length rules.
    • Password should not be an extremely common password.
    • Password confirmation should match during registration or reset.
    • Password field should not be logged or displayed.
    • Password should be transmitted through secure channels.

    Principle 7: Encourage Strong Passwords

    Strong passwords reduce the chance of successful guessing attacks.

    Modern password guidance often favors longer passwords and passphrases instead of forcing confusing short patterns that users cannot remember.

    Weak Password Idea Stronger Password Idea
    123456 A longer unique passphrase.
    password A unique password generated by a password manager.
    Same password for many sites. Different password for each account.

    Principle 8: Do Not Log Passwords

    Logs are useful for debugging and monitoring, but passwords must never be written into logs.

    Bad Logging

    LOG "Login attempt: email=student@example.com password=MyPassword123"

    Safer Logging

    LOG "Login attempt failed for user identifier."

    Log useful security events, but avoid storing secrets or sensitive values.

    Principle 9: Never Hardcode Passwords

    Hardcoding passwords means placing passwords directly inside source code.

    Bad Practice

    databasePassword = "AdminPassword123"

    Better Practice

    databasePassword = GET_SECRET("DATABASE_PASSWORD")

    Credentials should be stored in secure configuration or secret management systems, not inside code.

    Principle 10: Use Safe Login Error Messages

    Login error messages should not reveal whether the username exists or whether only the password was wrong.

    Unsafe Error Messages

    "Email exists but password is wrong."
    "User not found."

    Safer Error Message

    "Invalid username or password."

    A generic error message gives less useful information to attackers.

    Password Reset Basics

    Password reset is a sensitive feature because it can be misused to take over accounts.

    Secure Password Reset Habits

    • Do not send the existing password to the user.
    • Use a temporary reset link or verification code.
    • Make reset links or codes expire.
    • Make reset links or codes single-use where possible.
    • Do not reveal whether the email exists.
    • Notify the user after password reset.
    • Require the new password to be securely stored as a hash.

    Bad Reset Flow

    User clicks "Forgot Password"
    System emails the old password to the user

    Better Reset Flow

    User clicks "Forgot Password"
    System sends temporary reset link
    User creates a new password
    System hashes and stores the new password
    Reset link becomes invalid

    Passwords and MFA

    Passwords can be stolen, guessed, reused, or leaked. Multi-Factor Authentication, or MFA, adds another layer of protection.

    Password-only login:
    User enters password.
    
    MFA login:
    User enters password.
    User also verifies using OTP, authenticator app, security key, or another factor.

    MFA is especially useful for admin accounts, sensitive applications, financial operations, and high-risk actions.

    Login Attempt Protection

    Password systems should be protected from repeated guessing.

    Protection Ideas

    • Detect repeated failed login attempts.
    • Slow down repeated attempts where appropriate.
    • Monitor suspicious login behavior.
    • Use MFA for high-risk accounts.
    • Notify users about suspicious activity when appropriate.
    • Log authentication failures safely without logging passwords.

    Password Handling and Sessions

    After a user successfully logs in, the application usually creates a session or token.

    The password should not be repeatedly stored or sent with every request. Instead, the application should use secure session or token handling after authentication.

    Good flow:
    1. User enters password during login.
    2. Password is verified.
    3. Secure session or token is created.
    4. Future requests use the session or token.
    5. Password is not sent again with every request.

    Real-World Example: E-Commerce Password Handling

    Feature Secure Password Handling Practice
    Registration Validate password and store only secure password hash.
    Login Compare submitted password using secure password verification.
    Password Reset Use temporary reset link or code instead of sending old password.
    Admin Account Require stronger protection such as MFA.
    Logging Log login events without logging passwords.

    Student-Friendly Example: Student Portal Password Handling

    Student Portal Password Rules:
    
    Registration:
    - Student creates password.
    - System validates password.
    - System stores secure password hash.
    
    Login:
    - Student enters password.
    - System verifies password against stored hash.
    - System creates secure session.
    
    Forgot Password:
    - Student requests reset.
    - System sends temporary reset link or code.
    - Student creates new password.
    - System stores new password hash.

    Example: Bad Password Storage

    FUNCTION registerUser(email, password)
        SAVE email and password in database
        RETURN "Registration successful"
    END FUNCTION

    This is unsafe because it stores the readable password directly.

    Example: Improved Password Storage Concept

    FUNCTION registerUser(email, password)
        IF email is empty OR password is empty THEN
            RETURN "Invalid registration details"
        END IF
    
        IF password does not meet password rules THEN
            RETURN "Password does not meet requirements"
        END IF
    
        passwordHash = SECURE_PASSWORD_HASH(password)
    
        SAVE email and passwordHash in database
    
        RETURN "Registration successful"
    END FUNCTION

    This version stores a password hash instead of the original password.

    Example: Password Login Verification Concept

    FUNCTION loginUser(email, password)
        IF email is empty OR password is empty THEN
            RETURN "Invalid username or password"
        END IF
    
        userAccount = FIND account by email
    
        IF userAccount does not exist THEN
            RETURN "Invalid username or password"
        END IF
    
        IF VERIFY_PASSWORD(password, userAccount.passwordHash) is false THEN
            RETURN "Invalid username or password"
        END IF
    
        CREATE secure session
    
        RETURN "Login successful"
    END FUNCTION

    This version uses a generic error message and verifies the password against the stored hash.

    Password Handling Checklist

    Before Finalizing Password Logic, Ask:

    • Are passwords never stored as plain text?
    • Is a trusted password hashing method used?
    • Is a unique salt used for each password?
    • Are passwords excluded from logs?
    • Are credentials not hardcoded in source code?
    • Are login error messages generic?
    • Are repeated login attempts monitored or controlled?
    • Does the password reset process avoid sending old passwords?
    • Do reset links or codes expire?
    • Is MFA used for sensitive accounts where appropriate?
    • Are password-related features tested with normal and invalid scenarios?

    Common Beginner Mistakes

    Mistakes

    • Storing passwords in plain text.
    • Using simple or fast hashing for password storage.
    • Not using unique salts.
    • Logging passwords during debugging.
    • Sending passwords by email.
    • Using hardcoded admin credentials.
    • Showing whether username or password was wrong.
    • Allowing unlimited login attempts.
    • Creating password reset links that never expire.
    • Not using MFA for sensitive accounts.

    Better Habits

    • Store only secure password hashes.
    • Use trusted password hashing libraries.
    • Use salts properly.
    • Never log passwords.
    • Use safe password reset flows.
    • Keep secrets outside source code.
    • Use generic login failure messages.
    • Monitor suspicious login behavior.
    • Expire reset links or codes.
    • Use MFA for higher-risk accounts.

    Best Practices for Password Handling

    Recommended Practices

    • Never store plain-text passwords.
    • Use secure password hashing algorithms through trusted libraries.
    • Use a unique salt for each password.
    • Consider peppering as defense in depth when supported by system design.
    • Validate password input during registration and reset.
    • Encourage long, unique passwords or passphrases.
    • Do not log passwords or sensitive credentials.
    • Do not hardcode credentials in source code.
    • Use generic login failure messages.
    • Protect against repeated login guessing attempts.
    • Use secure password reset links or codes.
    • Expire password reset links or codes.
    • Use MFA for sensitive or privileged accounts.
    • Review password logic during security-focused code review.
    • Test registration, login, reset, and password update scenarios.

    Prerequisites Before Learning Password Handling

    Students should understand the following topics before learning password handling deeply:

    Required Knowledge

    • Basic programming syntax.
    • Variables and strings.
    • Conditional statements.
    • Functions or methods.
    • Input validation.
    • Authentication basics.
    • Secure programming practices.
    • Basic database concepts.
    • Basic session or token concept.

    Trace Table Example: Password Login

    FUNCTION loginUser(email, password)
        IF email is empty OR password is empty THEN
            RETURN "Invalid username or password"
        END IF
    
        userAccount = FIND account by email
    
        IF userAccount does not exist THEN
            RETURN "Invalid username or password"
        END IF
    
        IF VERIFY_PASSWORD(password, userAccount.passwordHash) is false THEN
            RETURN "Invalid username or password"
        END IF
    
        RETURN "Login successful"
    END FUNCTION
    Test Case Scenario Expected Result
    TC_001 Valid email and correct password Login successful
    TC_002 Valid email and wrong password Invalid username or password
    TC_003 Unknown email Invalid username or password
    TC_004 Empty email Invalid username or password
    TC_005 Empty password Invalid username or password

    Practice Activity: Improve Password Handling

    Improve the following pseudocode by applying secure password handling practices.

    FUNCTION register(email, password)
        SAVE email
        SAVE password
        RETURN "User registered"
    END FUNCTION

    Sample Improved Version

    FUNCTION register(email, password)
        IF email is empty OR password is empty THEN
            RETURN "Invalid registration details"
        END IF
    
        IF password does not meet password rules THEN
            RETURN "Password does not meet requirements"
        END IF
    
        passwordHash = SECURE_PASSWORD_HASH(password)
    
        SAVE email
        SAVE passwordHash
    
        RETURN "User registered"
    END FUNCTION

    Practice Test Cases

    Test Case Scenario Expected Output
    TC_001 Valid email and valid password User registered
    TC_002 Empty email Invalid registration details
    TC_003 Empty password Invalid registration details
    TC_004 Password does not meet rules Password does not meet requirements
    TC_005 Check database after registration Password hash is stored, not plain password

    Mini Quiz

    1

    What is password handling?

    Password handling is the process of safely collecting, verifying, storing, resetting, updating, and protecting passwords.

    2

    Should passwords be stored as plain text?

    No. Passwords should never be stored as plain text.

    3

    What is password hashing?

    Password hashing converts a password into a one-way stored value used for verification.

    4

    What is a salt?

    A salt is a unique random value added to a password before hashing so identical passwords do not produce identical hashes.

    5

    Why should login error messages be generic?

    Generic login error messages avoid revealing whether the username or password was wrong.

    Interview Questions on Password Handling Basics

    1

    Why is password handling important?

    Password handling is important because passwords protect accounts and sensitive data, and poor handling can lead to account compromise.

    2

    What is the difference between hashing and encryption for passwords?

    Hashing is one-way and is used for password verification, while encryption is reversible and generally not preferred for password storage.

    3

    Why are salts used in password hashing?

    Salts make password hashes unique and help protect against precomputed lookup attacks.

    4

    Why should passwords not be logged?

    Passwords should not be logged because logs may be accessed, copied, shared, or exposed during debugging or incidents.

    5

    What is a secure password reset habit?

    A secure password reset habit is to use a temporary, expiring reset link or code instead of sending the old password.

    Quick Summary

    Concept Meaning
    Password Handling Safely managing passwords through registration, login, reset, update, and storage.
    Plain-Text Password A readable password stored directly; this should be avoided.
    Password Hashing One-way transformation used to verify passwords without storing originals.
    Salt Unique random value added before hashing each password.
    Pepper Additional protected secret used as defense in depth.
    Password Reset Secure process for allowing users to create a new password.
    MFA Extra authentication factor that protects accounts beyond passwords.
    Generic Error Message Safe login failure message that does not reveal which credential was wrong.

    Final Takeaway

    Password handling is a critical part of secure programming. Students should remember that passwords must never be stored as plain text, should be protected with secure hashing and unique salts, should never appear in logs, and should never be hardcoded in source code. Secure applications should also use safe login messages, protect against repeated guessing attempts, support secure password reset flows, and use MFA for sensitive accounts. Good password handling protects users, data, and the reputation of the application.