
Introduction


Storage and retrieval of passwords is an important aspect of the authentication process. One might ask: "How are storage and retrieval related to authentication?" A password is used (in combination with a login/user name, PIN or smart card) for authentication. Hence, if passwords are not stored and retrieved in a secure way, they do not help the process of authentication. Insecure storage and retrieval could give any user access to the stored password. This means that anyone could authenticate as you or me and sign into our email accounts, websites, databases, etc., which is definitely not good for us.

Ways to store and retrieve


There are several ways to store and retrieve passwords. To simplify, we will look at two different methods, based on where the password is stored:

  • Online Storage
  • Local Storage

In each of the above methods, there are two forms in which the password could be stored:

  • Plain text
  • Cipher text

Plain text is something like what you are reading right now, which is "clear text". Cipher text, on the other hand, is what you get when an algorithm, implemented in the form of tools, converts plain text to cipher text. In other words, cipher text is the encrypted password. These days, attackers and crackers in the wild have the most powerful tools and processing power for cracking passwords to gain unauthorized access. That being the case, plain text is ruled out as an option for secure storage.

There are a couple of protocols that send everything in plain text on the wire/across the network. They are File Transfer Protocol [FTP, uses 21/TCP for the command channel] and Telnet (uses 23/TCP). Secure Shell [SSH, uses 22/TCP], on the other hand, uses an encrypted channel to transfer packets across the network. Hence, even if you encrypt the password before storing it online or on a remote box, if you choose an unencrypted channel/protocol to transfer the password on the wire, the password can still be snooped/tapped. This is why storage and retrieval are really important when it comes to passwords, and why we chose to allocate space and time to discuss them. More about storage and retrieval [types, tools and techniques] can be found in the "Theory" section of Password Analytics, under "Storage 102".
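
The point about plain text channels, as an added example that is not part of the original page: a defender-side audit in Python that scans captured TCP payloads for FTP logins readable on the wire. The payloads, user name and password are constructed samples, and `Exposure`, `find_logins` and `audit` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    port: int
    user: str
    secret_len: int  # length only; the audit never records the secret itself

def find_logins(port, payload):
    """Return one Exposure per FTP PASS command readable in a captured payload."""
    found, user = [], "?"
    for raw in payload.split(b"\r\n"):
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # not readable text, e.g. an encrypted SSH packet
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg  # remember the login name for the PASS that follows
        elif verb.upper() == "PASS":
            found.append(Exposure(port, user, len(arg)))
            user = "?"
    return found

def audit(capture):
    """Collect exposures across (destination port, payload) pairs."""
    return [e for port, payload in capture for e in find_logins(port, payload)]

# Constructed sample capture: an FTP login on 21/TCP and opaque bytes on 22/TCP.
CAPTURE = [
    (21, b"USER alice\r\nPASS correct-horse\r\nSYST\r\n"),
    (22, bytes.fromhex("9f3c1ae07b55d2c4880e6a91f0b7")),
]

if __name__ == "__main__":
    for e in audit(CAPTURE):
        print(f"cleartext login on {e.port}/TCP: user={e.user} "
              f"password_length={e.secret_len}")
```

The FTP login in the sample is flagged even if the server keeps that password encrypted at rest, because the exposure happens in transit.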
