[NetSec] Keeping Authentication Tokens Safe

An authentication token should not be stored in the database as it is; that is common sense. But applying a heavy, CPU-intensive hashing algorithm to it, as you would to a password, does not make much sense either.

Why?

An authentication token, if it is created properly (at least 128 bits from a cryptographically secure random source), is already very secure by itself. And by its nature it contains no username or password information; it is just a randomly generated string. This is actually the number one reason we use auth tokens instead of usernames and passwords: no credentials need to be entered or transmitted on every request, the token alone is enough to authenticate the user.

So, for the purpose of protecting the auth token in the database, there is no need for a strong, CPU-killer algorithm such as bcrypt or PBKDF2. Those exist to compensate for the low entropy of human-chosen passwords. A random 128-bit token cannot be guessed or brute-forced from its hash anyway, so a single fast hash such as SHA-256 is enough: a leaked table of hashes cannot be turned back into usable tokens, and no per-token salt is needed because every token is already unique and unpredictable.

In short:

  • An authentication token is not a hashed credential.
  • If an authentication token is created properly, it is very secure by itself.
  • Keeping a token in a database as it is, is dangerous. It must be hashed.
  • Using a strong (slow) hashing algorithm is unnecessary; it only burns CPU cycles on every request.
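The scheme above in working code, as an added example that is not part of the original post: the token is generated with 128 bits of entropy, only its SHA-256 digest is persisted, and authentication hashes the presented token and looks the digest up. The in-memory dictionary standing in for the database table, and the function names, are assumptions made for this illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for a database table: sha256(token) hex -> user id.
# In a real store this would be a column with a unique index on the hash.
_token_store: Dict[str, str] = {}


def generate_token(nbytes: int = 16) -> str:
    """Random, URL-safe token carrying nbytes*8 bits of entropy (128 by default).

    secrets.token_urlsafe uses the OS CSPRNG, which is what makes the token
    unguessable and therefore safe to protect with a fast hash.
    """
    return secrets.token_urlsafe(nbytes)


def hash_token(token: str) -> str:
    """Fast, unsalted hash of the token.

    This is adequate precisely because the token is uniformly random: an
    attacker holding the digest would need on the order of 2**128 SHA-256
    evaluations to recover a usable token, so a slow password hash
    (bcrypt/PBKDF2/Argon2) would add cost on every request for no security gain.
    A salt is not needed either, since no two tokens share a value.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str) -> str:
    """Create a token for user_id, persist only its hash, return the plaintext.

    The plaintext is shown to the client exactly once and is never stored.
    """
    token = generate_token()
    _token_store[hash_token(token)] = user_id
    return token


def authenticate(presented: str) -> Optional[str]:
    """Resolve a presented token to a user id, or None if it is unknown.

    A plain equality lookup on the digest is fine: any timing difference leaks
    information about the digest only, and the digest cannot be inverted.
    """
    return _token_store.get(hash_token(presented))


def revoke(presented: str) -> bool:
    """Delete the hash of a token; returns True if it was present."""
    return _token_store.pop(hash_token(presented), None) is not None


if __name__ == "__main__":
    tok = issue_token("alice")
    print("client receives:", tok)
    print("database holds: ", list(_token_store))
    print("authenticates as:", authenticate(tok))
    print("garbage token   :", authenticate("not-a-real-token"))
```

If the token table is ever exposed, the attacker gets digests that cannot be replayed against the API, which is the whole point of hashing; the fast hash keeps the per-request cost negligible, which is the point of not using a password hash.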