On each website where you enter your password, the website owner has to keep it in a way or another so that it can check your identity the next time you log in. Do you wonder how they memorize your password? Is it safe? I’ll answer your questions in this article.
Developers have several methods they can use to store the password associated with an account. In most cases, they used a hashing algorithm to protect it, but other options are still used like plain text, encryption and other variants.
Keep reading if you want to learn more on this topic, we’ll see the 5 most popular ways to store passwords used by web developers currently.
The simplest way a site stores users’ passwords on their server is in plain text. This means that on their server, there is a database with your password and username contained in it, in an easily human-readable format.
With plain text storage, your password and username appear exactly the way you entered them into your account. When you enter your credentials, it checks the database to see if they match.
For example, if your password is Anderson1990#, it is stored exactly this way in the server of a website that you have account which uses plain text storage.
Plain text storage offers the least level of security for your password. If the database is hacked, all users’ passwords stored there is compromised, as the hacker will have complete access to them.
Hopefully, this is no longer the most popular methods to store passwords, I will now give you other examples.
To secure your password in a better way than plain text, most websites and database systems encrypts your password before storing it in their servers. Encryption involves using a special key to convert your password into a unique, random string of text.
If a hacker compromised the server and got hold of your encrypted password, he or she would not be able to log into your account unless the person also has the key to decrypt it.
The challenge with basic encryption is that the key, in most cases, is also stored in the same server that the passwords are. This means that if the server is hacked, the hacker won’t have much difficulty decrypting the encrypted passwords.
So, that’s still not the best way, and also not the most popular currently, let’s see the next one.
Hashed password storage method is similar to encryption because it converts your passwords to a long string of numbers and letters to keep them hidden. However, unlike encryption, it is one-way traffic.
If a hacker or someone else gets the hash, the person cannot reverse the algorithm backwards to get the original password. This requires that a hacker get the hashes and then try a number of password combinations to see which one works (that’s what I explain here: the brute-force method).
The problem with this method is that, though a hacker can’t decode a password from the hash, the hacker can try many different passwords until a match is found. With a computer and program such as Rainbow Tables, a hacker can do this very fast. A Rainbow Table is a list of trillions of varying hashes and their passwords. In this instance, using a long password could make it difficult for hackers to crack the hash.
Some algorithms are better than other, but as a whole, there is not a 100% safe way to use this method to store passwords.
Hashed Password with a Dash Of Salt
Hashed password with a dash of salt is a method that adds a random string of characters called “salt” to the beginning or the end of your password before hashing it. This method uses a different salt for each password.
Even if the salts are stored in the same server, it is difficult for hackers or someone else to find the salted hashes in the Rainbow Table. This is due to the fact that each salted hash is unique, complex and long.
However, this method offers far more security than the previous ones and is more difficult to crack. Hackers could use brute force to try to compromise this method, and it is not impossible. Though far more time-consuming and difficult.
A brute force attack is an attack in which cybercriminals meticulously try to log into an account using every imaginable combination of characters until they get the correct password. A longer, more complex password makes brute force attacks more difficult.
For hashes to be secure and robust, it needs to be slow. A slow hash password storage method makes the calculation of the hash slow to compute by using many internal iterations. The goal of the slow hash method is to make the trouble or difficulty of breaking the hash exceed the benefit that hackers would gain even if the hack were successful.
To hack a slow-hashed password database using brute force attack, time is of the essence and great importance. Slow hashes make it extremely difficult to carry out.
Hashing refers to splitting or chopping something into small pieces to appear as a sort of confusing mess. In computing, the hash function is a mathematical algorithm that maps data or information of varying sizes to a fixed size string.
The function input is referred to as “message” or just input. While the output of the fixed string is referred to as the hash or message digest. Some generally used hash algorithms include Message Digest (MDx) algorithm, MD5 and Secure Hash Algorithm (SHA), SHA-1, SHA-2 and SHA-256.
To keep your password safely, passwords managers are also using other strategies, like :
- Cloud-based password managers
- Cloud-based with two-factor authentication.
- USB based.