Password Handling Basics
Password Handling Basics
Learn how to handle passwords safely using validation, secure storage, hashing, salting, reset flows, login protection, and secure coding habits.
Introduction
Password handling means managing passwords safely throughout their life cycle: registration, login, storage, reset, update, verification, and account protection.
Passwords are one of the most common ways users prove their identity. Because passwords protect accounts and private data, developers must handle them carefully.
A secure application should never store plain-text passwords, never expose passwords in logs, never send passwords carelessly, and never hardcode credentials in source code.
Easy Real-Life Example
Password Handling as Protecting a Locker Key
Imagine a locker key. If anyone gets the key, they can open the locker. So, you do not leave the key openly on a table. You protect it, avoid sharing it, and use extra security when needed.
Locker Security:
- Do not leave key openly
- Do not share key carelessly
- Use strong lock
- Change lock if key is lost
- Add extra security for valuable items
Password Security:
- Do not store plain-text passwords
- Do not expose passwords in logs
- Use secure password hashing
- Support password reset safely
- Use MFA for sensitive accounts
Passwords are like digital keys. If they are handled poorly, accounts and data become unsafe.
What is Password Handling?
Password handling is the set of practices used to safely collect, verify, store, reset, update, and protect passwords.
It includes both user-facing behavior and backend security controls.
Why Password Handling is Important
Passwords protect user accounts. If passwords are handled incorrectly, attackers may gain access to private information, admin features, financial data, student records, or business systems.
Password Handling Helps To
- Protect user accounts.
- Reduce risk from database leaks.
- Prevent plain-text password exposure.
- Support secure authentication.
- Reduce account takeover risk.
- Improve user trust.
- Protect sensitive application features.
- Support security-focused development practices.
What Can Go Wrong with Poor Password Handling?
Poor Password Handling
- Passwords are stored as plain text.
- Passwords are printed in logs.
- Passwords are sent through unsafe channels.
- Hardcoded admin credentials are used.
- Password reset links never expire.
- Weak passwords are accepted without control.
- Unlimited login attempts are allowed.
- Password values are exposed in error messages.
Secure Password Handling
- Passwords are never stored as plain text.
- Passwords are stored using secure hashing.
- Each password gets a unique salt.
- Sensitive values are not logged.
- Reset links expire and are single-use.
- Login attempts are monitored and controlled.
- Generic login error messages are used.
- MFA is used for extra protection when needed.
Principle 1: Never Store Plain-Text Passwords
Plain-text password storage means saving the actual readable password in a database or file.
This is extremely unsafe because anyone who gains database access can read all passwords directly.
Bad Practice
username: "student01"
password: "MyPassword123"
Better Practice
username: "student01"
passwordHash: "stored_secure_password_hash"
The system should store a secure password hash, not the original password.
Principle 2: Use Password Hashing
Hashing converts a password into a fixed output value using a one-way process.
One-way means the application should not be able to convert the hash back into the original password.
User password:
MyPassword123
Hashing process:
MyPassword123 → secure hash value
Database stores:
secure hash value
During login, the entered password is processed again and compared with the stored hash.
Password Verification Flow
Registration:
1. User creates password.
2. System validates password.
3. System hashes password using secure password hashing.
4. System stores the password hash.
Login:
1. User enters password.
2. System hashes the entered password.
3. System compares it with stored password hash.
4. If they match, authentication succeeds.
Hashing vs Encryption
Hashing and encryption are different. Students must understand this difference clearly.
| Hashing | Encryption |
|---|---|
| One-way process. | Two-way process. |
| Original password should not be recoverable. | Original data can be recovered with a key. |
| Best for password storage. | Best for data that must be read again later. |
| Used to verify passwords. | Used to protect readable data. |
Principle 3: Use Slow Password Hashing Algorithms
Password hashing should be intentionally slow enough to make guessing attacks more difficult.
General fast hash functions are not ideal for password storage because attackers can try many guesses quickly.
Password Hashing Algorithm Examples
- Argon2id.
- bcrypt.
- PBKDF2.
- scrypt.
In real projects, developers should use trusted libraries and framework-supported password hashing functions instead of creating custom password hashing logic.
Principle 4: Use Salt
A salt is a unique random value added to each password before hashing.
Salting helps ensure that two users with the same password do not have the same stored hash.
User A password:
Password123
User A salt:
randomSaltA
User A hash:
HASH(Password123 + randomSaltA)
User B password:
Password123
User B salt:
randomSaltB
User B hash:
HASH(Password123 + randomSaltB)
Even though both users used the same password, their stored hashes become different because their salts are different.
Principle 5: Understand Pepper
A pepper is an additional secret value used with password hashing as defense in depth.
Unlike a salt, which is usually stored with the password hash, a pepper should be protected separately in a secure configuration or secrets management system.
Principle 6: Validate Password Input
Password fields should be validated during registration, login, password update, and reset.
Password Input Checks
- Password should not be empty.
- Password should meet minimum length rules.
- Password should not be an extremely common password.
- Password confirmation should match during registration or reset.
- Password field should not be logged or displayed.
- Password should be transmitted through secure channels.
Principle 7: Encourage Strong Passwords
Strong passwords reduce the chance of successful guessing attacks.
Modern password guidance often favors longer passwords and passphrases instead of forcing confusing short patterns that users cannot remember.
| Weak Password Idea | Stronger Password Idea |
|---|---|
123456 |
A longer unique passphrase. |
password |
A unique password generated by a password manager. |
| Same password for many sites. | Different password for each account. |
Principle 8: Do Not Log Passwords
Logs are useful for debugging and monitoring, but passwords must never be written into logs.
Bad Logging
LOG "Login attempt: email=student@example.com password=MyPassword123"
Safer Logging
LOG "Login attempt failed for user identifier."
Log useful security events, but avoid storing secrets or sensitive values.
Principle 9: Never Hardcode Passwords
Hardcoding passwords means placing passwords directly inside source code.
Bad Practice
databasePassword = "AdminPassword123"
Better Practice
databasePassword = GET_SECRET("DATABASE_PASSWORD")
Credentials should be stored in secure configuration or secret management systems, not inside code.
Principle 10: Use Safe Login Error Messages
Login error messages should not reveal whether the username exists or whether only the password was wrong.
Unsafe Error Messages
"Email exists but password is wrong."
"User not found."
Safer Error Message
"Invalid username or password."
A generic error message gives less useful information to attackers.
Password Reset Basics
Password reset is a sensitive feature because it can be misused to take over accounts.
Secure Password Reset Habits
- Do not send the existing password to the user.
- Use a temporary reset link or verification code.
- Make reset links or codes expire.
- Make reset links or codes single-use where possible.
- Do not reveal whether the email exists.
- Notify the user after password reset.
- Require the new password to be securely stored as a hash.
Bad Reset Flow
User clicks "Forgot Password"
System emails the old password to the user
Better Reset Flow
User clicks "Forgot Password"
System sends temporary reset link
User creates a new password
System hashes and stores the new password
Reset link becomes invalid
Passwords and MFA
Passwords can be stolen, guessed, reused, or leaked. Multi-Factor Authentication, or MFA, adds another layer of protection.
Password-only login:
User enters password.
MFA login:
User enters password.
User also verifies using OTP, authenticator app, security key, or another factor.
MFA is especially useful for admin accounts, sensitive applications, financial operations, and high-risk actions.
Login Attempt Protection
Password systems should be protected from repeated guessing.
Protection Ideas
- Detect repeated failed login attempts.
- Slow down repeated attempts where appropriate.
- Monitor suspicious login behavior.
- Use MFA for high-risk accounts.
- Notify users about suspicious activity when appropriate.
- Log authentication failures safely without logging passwords.
Password Handling and Sessions
After a user successfully logs in, the application usually creates a session or token.
The password should not be repeatedly stored or sent with every request. Instead, the application should use secure session or token handling after authentication.
Good flow:
1. User enters password during login.
2. Password is verified.
3. Secure session or token is created.
4. Future requests use the session or token.
5. Password is not sent again with every request.
Real-World Example: E-Commerce Password Handling
| Feature | Secure Password Handling Practice |
|---|---|
| Registration | Validate password and store only secure password hash. |
| Login | Compare submitted password using secure password verification. |
| Password Reset | Use temporary reset link or code instead of sending old password. |
| Admin Account | Require stronger protection such as MFA. |
| Logging | Log login events without logging passwords. |
Student-Friendly Example: Student Portal Password Handling
Student Portal Password Rules:
Registration:
- Student creates password.
- System validates password.
- System stores secure password hash.
Login:
- Student enters password.
- System verifies password against stored hash.
- System creates secure session.
Forgot Password:
- Student requests reset.
- System sends temporary reset link or code.
- Student creates new password.
- System stores new password hash.
Example: Bad Password Storage
FUNCTION registerUser(email, password)
SAVE email and password in database
RETURN "Registration successful"
END FUNCTION
This is unsafe because it stores the readable password directly.
Example: Improved Password Storage Concept
FUNCTION registerUser(email, password)
IF email is empty OR password is empty THEN
RETURN "Invalid registration details"
END IF
IF password does not meet password rules THEN
RETURN "Password does not meet requirements"
END IF
passwordHash = SECURE_PASSWORD_HASH(password)
SAVE email and passwordHash in database
RETURN "Registration successful"
END FUNCTION
This version stores a password hash instead of the original password.
Example: Password Login Verification Concept
FUNCTION loginUser(email, password)
IF email is empty OR password is empty THEN
RETURN "Invalid username or password"
END IF
userAccount = FIND account by email
IF userAccount does not exist THEN
RETURN "Invalid username or password"
END IF
IF VERIFY_PASSWORD(password, userAccount.passwordHash) is false THEN
RETURN "Invalid username or password"
END IF
CREATE secure session
RETURN "Login successful"
END FUNCTION
This version uses a generic error message and verifies the password against the stored hash.
Password Handling Checklist
Before Finalizing Password Logic, Ask:
- Are passwords never stored as plain text?
- Is a trusted password hashing method used?
- Is a unique salt used for each password?
- Are passwords excluded from logs?
- Are credentials not hardcoded in source code?
- Are login error messages generic?
- Are repeated login attempts monitored or controlled?
- Does the password reset process avoid sending old passwords?
- Do reset links or codes expire?
- Is MFA used for sensitive accounts where appropriate?
- Are password-related features tested with normal and invalid scenarios?
Common Beginner Mistakes
Mistakes
- Storing passwords in plain text.
- Using simple or fast hashing for password storage.
- Not using unique salts.
- Logging passwords during debugging.
- Sending passwords by email.
- Using hardcoded admin credentials.
- Showing whether username or password was wrong.
- Allowing unlimited login attempts.
- Creating password reset links that never expire.
- Not using MFA for sensitive accounts.
Better Habits
- Store only secure password hashes.
- Use trusted password hashing libraries.
- Use salts properly.
- Never log passwords.
- Use safe password reset flows.
- Keep secrets outside source code.
- Use generic login failure messages.
- Monitor suspicious login behavior.
- Expire reset links or codes.
- Use MFA for higher-risk accounts.
Best Practices for Password Handling
Recommended Practices
- Never store plain-text passwords.
- Use secure password hashing algorithms through trusted libraries.
- Use a unique salt for each password.
- Consider peppering as defense in depth when supported by system design.
- Validate password input during registration and reset.
- Encourage long, unique passwords or passphrases.
- Do not log passwords or sensitive credentials.
- Do not hardcode credentials in source code.
- Use generic login failure messages.
- Protect against repeated login guessing attempts.
- Use secure password reset links or codes.
- Expire password reset links or codes.
- Use MFA for sensitive or privileged accounts.
- Review password logic during security-focused code review.
- Test registration, login, reset, and password update scenarios.
Prerequisites Before Learning Password Handling
Students should understand the following topics before learning password handling deeply:
Required Knowledge
- Basic programming syntax.
- Variables and strings.
- Conditional statements.
- Functions or methods.
- Input validation.
- Authentication basics.
- Secure programming practices.
- Basic database concepts.
- Basic session or token concept.
Trace Table Example: Password Login
FUNCTION loginUser(email, password)
IF email is empty OR password is empty THEN
RETURN "Invalid username or password"
END IF
userAccount = FIND account by email
IF userAccount does not exist THEN
RETURN "Invalid username or password"
END IF
IF VERIFY_PASSWORD(password, userAccount.passwordHash) is false THEN
RETURN "Invalid username or password"
END IF
RETURN "Login successful"
END FUNCTION
| Test Case | Scenario | Expected Result |
|---|---|---|
| TC_001 | Valid email and correct password | Login successful |
| TC_002 | Valid email and wrong password | Invalid username or password |
| TC_003 | Unknown email | Invalid username or password |
| TC_004 | Empty email | Invalid username or password |
| TC_005 | Empty password | Invalid username or password |
Practice Activity: Improve Password Handling
Improve the following pseudocode by applying secure password handling practices.
FUNCTION register(email, password)
SAVE email
SAVE password
RETURN "User registered"
END FUNCTION
Sample Improved Version
FUNCTION register(email, password)
IF email is empty OR password is empty THEN
RETURN "Invalid registration details"
END IF
IF password does not meet password rules THEN
RETURN "Password does not meet requirements"
END IF
passwordHash = SECURE_PASSWORD_HASH(password)
SAVE email
SAVE passwordHash
RETURN "User registered"
END FUNCTION
Practice Test Cases
| Test Case | Scenario | Expected Output |
|---|---|---|
| TC_001 | Valid email and valid password | User registered |
| TC_002 | Empty email | Invalid registration details |
| TC_003 | Empty password | Invalid registration details |
| TC_004 | Password does not meet rules | Password does not meet requirements |
| TC_005 | Check database after registration | Password hash is stored, not plain password |
Mini Quiz
What is password handling?
Password handling is the process of safely collecting, verifying, storing, resetting, updating, and protecting passwords.
Should passwords be stored as plain text?
No. Passwords should never be stored as plain text.
What is password hashing?
Password hashing converts a password into a one-way stored value used for verification.
What is a salt?
A salt is a unique random value added to a password before hashing so identical passwords do not produce identical hashes.
Why should login error messages be generic?
Generic login error messages avoid revealing whether the username or password was wrong.
Interview Questions on Password Handling Basics
Why is password handling important?
Password handling is important because passwords protect accounts and sensitive data, and poor handling can lead to account compromise.
What is the difference between hashing and encryption for passwords?
Hashing is one-way and is used for password verification, while encryption is reversible and generally not preferred for password storage.
Why are salts used in password hashing?
Salts make password hashes unique and help protect against precomputed lookup attacks.
Why should passwords not be logged?
Passwords should not be logged because logs may be accessed, copied, shared, or exposed during debugging or incidents.
What is a secure password reset habit?
A secure password reset habit is to use a temporary, expiring reset link or code instead of sending the old password.
Quick Summary
| Concept | Meaning |
|---|---|
| Password Handling | Safely managing passwords through registration, login, reset, update, and storage. |
| Plain-Text Password | A readable password stored directly; this should be avoided. |
| Password Hashing | One-way transformation used to verify passwords without storing originals. |
| Salt | Unique random value added before hashing each password. |
| Pepper | Additional protected secret used as defense in depth. |
| Password Reset | Secure process for allowing users to create a new password. |
| MFA | Extra authentication factor that protects accounts beyond passwords. |
| Generic Error Message | Safe login failure message that does not reveal which credential was wrong. |
Final Takeaway
Password handling is a critical part of secure programming. Students should remember that passwords must never be stored as plain text, should be protected with secure hashing and unique salts, should never appear in logs, and should never be hardcoded in source code. Secure applications should also use safe login messages, protect against repeated guessing attempts, support secure password reset flows, and use MFA for sensitive accounts. Good password handling protects users, data, and the reputation of the application.