How Databases Keep Passwords Securely 🔒

#61: Break Into Security Fundamentals (3 Minutes)

Neo Kim's avatar
Neo Kim
Nov 18, 2024
This post outlines how an application stores passwords securely in its database. The hashing described below happens in the application server before anything reaches the database, which only ever holds the result. You will find references at the bottom of this page if you want to go deeper.


Note: This post is based on my research and may differ from real-world implementation.

Once upon a time, there lived a junior software engineer.

He worked for a tech company named Hooli.

Although he was bright, he never got promoted.

So he was sad and frustrated.


Until one day, he had the idea to apply for a new job.

And the interviewer asked him one simple question:

“How do you store passwords securely in the database?”

Yet he failed to answer and the interview was over in 5 minutes.

So he studied it later to fill the knowledge gap.

Onward.



How to Store Passwords in Database

He failed the interview so you don’t have to.

And here’s how you can answer it:

1. Hashing

A hacker can read the passwords directly if they’re stored in plaintext, so a single database leak hands over every account.

So the server transforms each password with a hash function and stores only the result.

Hash Function Transforming a Password

A hash function turns a password into a fixed-size string, its fingerprint. Different passwords give different fingerprints in practice (collisions exist in theory, but for a sound hash function they are computationally infeasible to find). The transformation is also one-way: given only the fingerprint, there is no way to compute the password back. The hacker’s only option is to guess candidate passwords, hash each one, and compare against the stored value.

A popular choice for the hash function is bcrypt, because it was designed for passwords rather than for speed: (1) it’s deliberately slow. (2) it has a tunable cost factor, so each increment doubles the work and the hash keeps pace with faster hardware. (3) its Blowfish-based key setup works on a 4 KB table that changes on every round, which makes it awkward to run in bulk on GPUs. Note that bcrypt is not memory-hard. If you also want the function to need a lot of memory (which blunts GPU and ASIC cracking), use scrypt or Argon2id; Argon2id is the first choice in the Password Storage Cheat Sheet referenced below. Either way the goal is the same: make every password-cracking attempt expensive for the hacker.

Hashing Explained With an Analogy

Think of the hash function as mixing colors - it’s difficult to find the original colors from the new color.

Workflow for Hashing a Password

Here’s how it works:

  • The server generates a fingerprint from the given password when the user creates an account.

  • The password isn’t stored in the database, instead the fingerprint is.

  • The fingerprint is regenerated whenever the user enters the password.

The regenerated fingerprint gets compared against the value in the database, ideally with a constant-time comparison so the response time doesn’t leak how much of the fingerprint matched. The user is given access only if the values are equal.

Ready for the best part?

2. Salting

A hacker might recover the password from a fingerprint using a rainbow table.

So the server adds a salt to the password before hashing it.

Rainbow Table

Think of the rainbow table as a map between pre-computed fingerprints and passwords: the hacker hashes millions of likely passwords once, up front, and then cracks any unsalted fingerprint with a lookup.

A salt is a random string, generated separately for each user.

Adding Salt to the Password to Create a Unique Fingerprint

And each user gets a unique salt, thus generating different fingerprints. Put simply, 2 users with the same password will have different fingerprints.

After salting, the rainbow table no longer works: every pre-computed entry was built for the bare password, and the hacker would need a fresh table for each salt value. It invalidates the pre-computed values in one stroke.

Workflow for Salting a Password

Here’s what happens when the user creates an account:

  • The server creates a unique salt for the user.

  • The server combines the salt with the given password and hashes it.

The salt is stored alongside the fingerprint in the database. It doesn’t need to be secret, only unique per user and unpredictable. (bcrypt does this for you: its output string contains the cost factor, the salt and the hash.)

Workflow for Validating the Password

Here’s what happens when the user enters a password:

  • The server retrieves the salt for the specific user from the database.

  • The server combines the entered password with salt to generate a fingerprint.

The server checks if the fingerprints are the same.
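The two workflows above, the plain fingerprint of section 1 and the salted fingerprint of section 2, as an added Python example; it is not code from the original post. It uses only the standard library. The user names, the shared password "hunter2" and the five-entry wordlist standing in for a rainbow table are constructed for the demo, and the single round of SHA-256 is deliberately the fast, weak scheme (section 3 fixes that). The point it shows: two users with the same password get identical unsalted fingerprints and both fall to one precomputed table, while their salted fingerprints differ and the table matches neither.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the post): a tiny wordlist standing in for
# the passwords an attacker precomputes, and a weak password two users share.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
SHARED_PASSWORD = "hunter2"


def fingerprint_unsalted(password: str) -> str:
    """Section 1 as-is: one round of SHA-256 over the bare password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """fingerprint -> password for every candidate. A real rainbow table
    compresses this with hash chains, but the attack is the same lookup."""
    return {fingerprint_unsalted(p): p for p in candidates}


def crack(stored_fingerprint: str, table: dict):
    """One dictionary lookup: the whole attack against an unsalted store."""
    return table.get(stored_fingerprint)


def register_salted(password: str) -> tuple[bytes, str]:
    """Section 2 signup: fresh random salt per user, hash salt||password, and
    return both so the caller stores them side by side."""
    salt = secrets.token_bytes(16)
    fingerprint = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, fingerprint


def verify_salted(password: str, salt: bytes, stored_fingerprint: str) -> bool:
    """Section 2 login: fetch the user's salt, recompute, compare in constant
    time so the response time does not leak how many leading characters matched."""
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_fingerprint)


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: alice and bob share a password, so they share a fingerprint,
    # and a single precomputed table cracks both rows.
    alice_plain = fingerprint_unsalted(SHARED_PASSWORD)
    bob_plain = fingerprint_unsalted(SHARED_PASSWORD)

    # Salted: same password, different salts, different fingerprints. The table
    # built for unsalted hashes matches neither row.
    alice_salt, alice_salted = register_salted(SHARED_PASSWORD)
    bob_salt, bob_salted = register_salted(SHARED_PASSWORD)

    return {
        "unsalted_identical": alice_plain == bob_plain,
        "unsalted_cracked": crack(alice_plain, table),
        "salted_identical": alice_salted == bob_salted,
        "salted_cracked": crack(alice_salted, table),
        "salted_login_ok": verify_salted(SHARED_PASSWORD, alice_salt, alice_salted),
        "salted_login_wrong": verify_salted("hunter3", alice_salt, alice_salted),
        # bob's salt with alice's row: the salt is per user, so this fails too
        "cross_user_fails": verify_salted(SHARED_PASSWORD, bob_salt, alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted store still uses one fast round of SHA-256, so a hacker who obtains the table (salts included) can brute force each user separately at billions of guesses per second on a GPU. Salting only removes the shortcut of precomputation; the cost per guess is what section 3 addresses.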

Ready for the next technique?

3. Stretching

The hacker might do a brute force attack to crack the password: guess every candidate, hash each one with the user’s salt, and compare.

Imagine brute forcing as trying out all number combinations on a number lock.

So the server does key stretching.

How Key Stretching Works

Think of stretching as applying the hash function many times over, thousands of rounds instead of one. Every guess now costs the hacker that multiplied work too, so brute forcing becomes slower and more difficult. Password hashes expose this as a tunable parameter: an iteration count in PBKDF2, a cost factor in bcrypt (the work doubles each time the cost goes up by one), and time and memory costs in Argon2. Store the parameter next to the hash so it can be raised later without breaking existing logins.
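Key stretching with the work factor stored beside the hash, as an added Python example that is not the original post’s code. It uses PBKDF2-HMAC-SHA256 from the standard library because the iteration count is explicit there; in production you would more likely call a bcrypt or Argon2id library, which embed their cost parameters in the same way. The record format, the 600,000-iteration default (the figure the Password Storage Cheat Sheet referenced below gives for PBKDF2-HMAC-SHA256 at the time of writing) and the sample password are the example’s own choices. `login()` also shows the upgrade-on-login pattern: a row hashed with an old, lower work factor is re-hashed at the current cost the next time the user authenticates, because that is the only moment the plaintext is available.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
# Work factor. 600,000 is the Password Storage Cheat Sheet figure for
# PBKDF2-HMAC-SHA256 at the time of writing; raise it as hardware gets faster.
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Salt + stretch, returning a self-describing record:
    algorithm$iterations$salt_hex$digest_hex (this example's format, not a standard)."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record; returns None for anything malformed so a corrupted
    row fails closed instead of raising inside the login handler."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Re-run the same salt and the same number of rounds recorded in the row,
    then compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the row was made with fewer rounds than we use today."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < CURRENT_ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Returns (authenticated, record_to_store). On a successful login with a
    stale work factor the caller gets a fresh record to write back."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # A legacy row hashed with a work factor that is far too low today
    old = hash_password("correct horse battery staple", iterations=1_000)
    ok, upgraded = login("correct horse battery staple", old)
    print(ok, needs_rehash(old), needs_rehash(upgraded))
```

The two PBKDF2 calls at 600,000 rounds take a noticeable fraction of a second each, which is the intended effect: that delay is invisible to one user logging in and ruinous to a hacker trying billions of guesses.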


A randomly generated password is always more secure, and keep it over 12 characters. Stretching raises the cost of each guess, length raises the number of guesses needed, and together they slow the hacker down enough that cracking the password becomes impractical.



References

  • The definitive guide to form-based website authentication

  • Password Storage Cheat Sheet

  • Hash function

  • Salt (cryptography)

  • How to store salt?

  • bcrypt

  • Rainbow table

  • Key stretching

  • Block diagrams created with Eraser

Discussion about this post

sravan, Nov 18:

How would you be able to compare the passwords if you hash them with the salt? Hashing is one-way.

Aram Tchekrekjian, Nov 25:

Amazing read Neo, easy and direct to the point. Nice visuals as well. Good job.