Yaya ya kamata a ajiye da kula da kalmar sirri cikin karfi?

Question

Accepted Answer

Kalmomin sirri dole ne a ajiye su cikin karfi — **ba a ajiye su cikin rubutu mai faɗi ba**, amma **hash** tare da karfin, jajere, salted password-hashing algorithm (bcrypt, Argon2, scrypt). Dace da kalmar sirri dole ne gida ne saboda kalmomin sirri sunataccen yawa sosai kuma suna haɗa jiya.

## Kada a ajiye rubutu mai faɗi; hash dace

```text
❌ NEVER store passwords in plaintext (a breach exposes all passwords directly)
❌ Don't use fast/general hashes (MD5, SHA-256) alone — too fast → easily brute-forced
✅ HASH with a dedicated PASSWORD HASHING algorithm: BCRYPT, ARGON2, or scrypt:
  → SLOW by design (resistant to brute-force/GPU cracking)
  → SALTED (a unique random salt per password) → prevents rainbow-table attacks and
    identical passwords hashing the same
```

```js
// hashing with bcrypt (handles salting automatically)
const hash = await bcrypt.hash(password, 12);   // store the hash (with salt + cost)
// verifying at login
const valid = await bcrypt.compare(inputPassword, storedHash);   // compare securely
```

## Me ya sa waɗannan algorithms

```text
SALT → unique random value per password → identical passwords get DIFFERENT hashes;
  defeats precomputed (rainbow table) attacks
SLOW (work factor) → deliberately expensive to compute → brute-forcing millions of
  guesses becomes impractical (tunable cost factor as hardware improves)
→ bcrypt/Argon2/scrypt are designed for passwords; general hashes (SHA) are NOT.
```

## Sauran ayyukan kalmar sirri

```text
✓ Enforce reasonable strength (length over complexity); check against breached-password lists
✓ MULTI-FACTOR authentication (MFA) → strong protection even if a password leaks
✓ HTTPS for transmission; rate-limit / lock out brute-force login attempts
✓ Secure password RESET (time-limited tokens); never email passwords; never log them
```

## Me ya sa ya matuwa

Wanene kalmar sirri mai karfi da kula yana yin muhimmi domin **kalmomin sirri sunataccen yawa sosai kuma suna haɗa jiya**, kuma kalmar sirri marasa karfi ita ce zama-balagu, akai yawa, saboda haka ita dole ne a sani karfi na kalmar sirri.

Jamiyyun dace dole ne a ciki: **kada a ajiye kalmomin sirri cikin rubutu mai faɗi** (kalmar sirri da ta yatso da kowa — haɗi ne na gajiya), kuma **kada a dogara kan mabilis gaida hash** (MD5, SHA-256) waɗanda suna mabuyawa kuma masu amfani da amfani.

Maɗa, **hash tare da algorithms na ajiye kalmar sirri da aka taɓa** (bcrypt, Argon2, scrypt) waɗanda suke **jajere ta aikin** (ruguje ga jajere kuma GPU cracking) kuma **salted** (salo na musamman na random ga kowannen kalmar sirri, hana rainbow-table attacks kuma tabbatar da kalmomin kalmar sirri duwafa duwafa hashes).
"