Let\'s take a chat system, where any user can create a channel with a password p
ID: 660865 • Letter: L
Question
Let's take a chat system, where any user can create a channel with a password protection. Thus, other users may only join using the channel password.
This password is therefore known to every person inside the channel.
Should this password be hashed in the database? This would mean that the application is not able to show the password (e.g., if one user forgot it).
Personally, I don't see a reason why the password should be hashed, because when setting the password, it's absolutely clear that other people will need to know it.
Explanation / Answer
Then why bother storing the password at all, just let anyone in! ;)
If you are storing a secret, it's because this secret identifies a subset of your total users. Not all your potential users know it. Now, you've probably been told that passwords must be stored hashed and salted. This is a password you're dealing with. I'll let you draw the logical conclusion.
Maybe the same group uses it to access a SharePoint which occasionally contains sensitive information. Maybe they use it for their group calendar which reveals when their office is empty or when they travel away from home. Maybe the person who created an account was so out of clue she used a password otherwise valuable to her personal assets. Maybe they just can't deal with the amount of credentials they have to handle and that alone explains the reuse.
Don't be the person who's responsible for causing harm to others out of sheer negligence. Hash them (with a slow password hashing algorithm). Salt them (with a unique salt per password).
Related Questions
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.