I have recently been studying a lot on writing secure code and choosing secure methods for saving passwords to a database. I'm wondering if it's secure to use ready made libraries or APIs to do this for me. How can I verify the integrity of those APIs?
1 This may be better suited at InfoSec as it isn't about cryptography. As far as the libraries go: Either source is signed (PGP) or binary (DLL/EXE) is signed (certificate / PGP). Ready made libraries should be more secure than your own code, because the authors of the libraries usually had security in mind while writing the code. I don't see security issues with APIs, as either they're there or they aren't... – SEJPM Jul 14 '15 at 12:43
2 Answers
You didn't provide too many details, so in general:
One of the biggest risks in using cryptography is its inappropriate use, leading to several security vulnerabilities, e.g. private key leak, known plaintext attack etc.
Unless you're a cryptography expert (and you don't seem like one), it's generally wise to use APIs of the highest possible level that still suit your needs. Such APIs are probably tested better than your application, so there is less chance of inappropriate use of cryptography in an API than in your application.
This especially concerns topics like saving user passwords in a secure way (preventing attackers from being able to use rainbow tables in case they get a table dump).
There are several standard algorithms used for hashing passwords securely (PBKDF2, BCrypt, SCrypt; see this question for more details).
As for using a library for this, you can do it but you need to take into consideration how the code has been audited. Well-known and maintained open source libraries can usually be used pretty safely.