Paper 2015/387

Method to Protect Passwords in Databases for Web Applications

Scott Contini


Trying to make it more difficult to hack passwords has a long history. However the research community has not addressed the change of context from traditional Unix mainframe systems to web applications which face new threats (DoS) and have fewer constraints (client-side computation is allowed). In absence of updated guidance, a variety of solutions are scattered all over the web, from amateur to somewhat professional. However, even the best references have issues such as incomplete details, misuse of terminology, assertion of requirements that are not adequately justified, and too many options presented to the developer, opening the door to potential mistakes. The purpose of this research note is to present a solution with complete details and a concise summary of the requirements, and to provide a solution that developers can readily implement with confidence, assuming that the solution is endorsed by the research community. The proposed solution involves client-side processing of a heavy computation in combination with a server-side hash computation. It follows a similar approach to a few other proposals on the web, but is more complete and justified than any that we found.

Available format(s)
Publication info
Preprint. MINOR revision.
Contact author(s)
thegreatcontini @ fastmail fm
2015-04-29: received
Short URL
Creative Commons Attribution


      author = {Scott Contini},
      title = {Method to Protect Passwords in Databases for Web Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2015/387},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.