If your application deals with user accounts, it has to deal with passwords. Storing passwords in plain text is a bad idea: a single data breach would hand an attacker every account. The obvious answer is to encrypt the passwords, but encryption is reversible, and whoever steals the database is often in a position to steal the key as well. Using cryptography without understanding it can give you a false sense of security; make the wrong choice and you can make an attacker's job easier without realizing it. This article will get you up to speed on the right way to use cryptography to protect stored passwords: not encrypting them, but hashing each one with its own random salt and a deliberately slow password-hashing function, so that a stolen database cannot be turned back into passwords cheaply.
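As an added example (not code from the original article), here is what that safer approach looks like in Python using only the standard library: each password is hashed with scrypt, a memory-hard and deliberately slow key-derivation function, under a fresh 16-byte random salt, and the cost parameters are stored next to the digest so they can be raised later without breaking old records. The cost values and the `scrypt$N$r$p$salt$digest` record layout are choices made for this example, not a standard format. The unsalted SHA-256 function is included only to show the weak choice it replaces: every user with the same password gets the same hash, which is exactly what a precomputed table attacks.

```python
"""Added example: salted, slow password hashing with the Python standard library."""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters. These are example values, not a recommendation for
# every deployment: raise N as hardware allows while keeping a verification
# well under the latency budget of a login request. N=2**14, r=8 uses ~16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def naive_sha256(password: str) -> str:
    """The weak choice: a fast, unsalted hash. Identical passwords collide,
    so one rainbow table or GPU pass breaks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, cost parameters, salt, digest.

    The salt is random per password, so two users with the same password
    produce different records and an attacker must attack each one separately.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every password
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        alg, n, r, p, salt_hex, digest_hex = record.split("$")
        if alg != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was produced with weaker parameters than the current
    ones; call after a successful login to upgrade stored hashes over time."""
    try:
        alg, n, r, p, _salt, _digest = record.split("$")
    except ValueError:
        return True
    return alg != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    # Constructed sample input for a local demonstration.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("correct horse battery stable", stored))  # False
    # Same password, two users: identical with the naive scheme, distinct here.
    print(naive_sha256("hunter2") == naive_sha256("hunter2"))        # True
    print(hash_password("hunter2") == hash_password("hunter2"))      # False
```

On a real login path the flow is: look up the record by username, call `verify_password`, and on success call `needs_rehash` and store a freshly computed record if it returns true. That last step is what lets you raise the cost parameters years later without forcing every user through a password reset.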
When you browse a secure web site or API whose address starts with “https,” what makes the site secure? The server presents a certificate, issued by a trusted Certificate Authority (CA), that binds its domain name to a public key. Your browser checks the CA's signature on that certificate before it trusts the connection, and the TLS session built on top of it keeps the traffic confidential and tamper-evident. Until recently, IT shops had to pay for these certificates and request, install, and renew them by hand.
In the last few years, Let’s Encrypt has earned the thanks of technology professionals. Let’s Encrypt, a CA run for the public’s benefit, issues domain-validated certificates at no charge and, through its ACME protocol and client tools such as Certbot, automates requesting, installing, and renewing them. Because its certificates are valid for only 90 days, that automation is what makes them practical: renewal runs on a schedule instead of as a yearly manual chore, and sites stay secure without the outages an expired certificate causes.