It’s a significant decision, when developing a software solution, how to persist user passwords: whether to encrypt or to hash them at rest.
- Encrypting passwords at rest supports the software feature “retrieve password”: users can retrieve (query) the original password if they forget it. Why support password retrieval? Because resetting passwords is more cumbersome and costly than retrieving them. If your target users are not tech-savvy, resetting passwords may be a nightmare, and the resulting password-reset requests may frustrate your customer support team. Besides, DBAs have access to the credentials; they may be “technically” capable of decrypting them even if they are not authorized to do so.
- Hashing passwords at rest requires the feature “reset password.” A hashed password cannot be decrypted or retrieved, because the password itself is not stored, only its hash.