First presented at OWASP NZ 2020. https://owasp.org/www-event-2020-NewZealandDay/

Storing passwords is as simple as following a recipe when developers use their frameworks, but there are sometimes choices to make when it comes to ingredients and amounts. Argon, PBKDF2? What’s a Salt? How many rounds? Join me for this cooking-themed presentation on password storage!

Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing? Wash your hands, don your apron, and join me as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!