{"id":514,"date":"2021-11-11T09:00:51","date_gmt":"2021-11-11T08:00:51","guid":{"rendered":"https:\/\/infosecscout.com\/?p=514"},"modified":"2023-11-22T13:00:12","modified_gmt":"2023-11-22T12:00:12","slug":"how-are-passwords-stored","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/how-are-passwords-stored\/","title":{"rendered":"How Are Passwords Stored? (5 Methods Used by Developers)"},"content":{"rendered":"\n<p>On each website where you enter your password, the website owner has to keep it in a way or another so that it can check your identity the next time you log in. Do you wonder how they memorize your password? Is it safe? I&#8217;ll answer your questions in this article.<\/p>\n\n\n\n<p><strong>Developers have several methods they can use to store the password associated with an account. In most cases, they used a hashing algorithm to protect it, but other options are still used like plain text, encryption and other variants.<\/strong><\/p>\n\n\n\n<p>Keep reading if you want to learn more on this topic, we&#8217;ll see the 5 most popular ways to store passwords used by web developers currently.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/#Plain_Text\" title=\"Plain Text\">Plain Text<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/#Basic_Encryption\" title=\"Basic Encryption\">Basic Encryption<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/#Hashed_Password\" title=\"Hashed Password\">Hashed Password<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/#Hashed_Password_with_a_Dash_Of_Salt\" title=\"Hashed Password with a Dash Of Salt\">Hashed Password with a Dash Of Salt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/how-are-passwords-stored\/#Slow_Hashes\" title=\"Slow Hashes\">Slow Hashes<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Plain_Text\"><\/span>Plain Text<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>The simplest way a site stores users&#8217; passwords on their server is in plain text. This means that on their server, there is a database with your password and username contained in it, in an easily human-readable format. <\/strong><\/p>\n\n\n\n<p>With plain text storage, your password and username appear exactly the way you entered them into your account. When you enter your credentials, it checks the database to see if they match. <\/p>\n\n\n\n<p>For example, if your password is Anderson1990#, it is stored exactly this way in the server of a website that you have account which uses plain text storage. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/password-plain-text.jpg\" alt=\"\" class=\"wp-image-515\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/password-plain-text.jpg 800w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/password-plain-text-300x169.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/password-plain-text-768x432.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n\n<p>Plain text storage offers the least level of security for\u00a0 your password. If the database is hacked, all users&#8217; passwords stored there is compromised, as the hacker will have complete access to them. <\/p>\n\n\n\n<p>Hopefully, this is no longer the most popular methods to store passwords, I will now give you other examples.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Basic_Encryption\"><\/span>Basic Encryption<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>To secure your password in a better way than plain text, most websites and database systems encrypts your password before storing it in their servers. Encryption involves using a special key to convert your password into a unique, random string of text. <\/strong><\/p>\n\n\n\n<p>If a hacker compromised the server and got hold of your encrypted password, he or she would not be able to log into your account unless the person also has the key to decrypt it. <\/p>\n\n\n\n<p>The challenge with basic encryption is that the key, in most cases, is also stored in the same server that the passwords are. This means that if the server is hacked, the hacker won&#8217;t have much difficulty decrypting the encrypted passwords.<\/p>\n\n\n\n<p>So, that&#8217;s still not the best way, and also not the most popular currently, let&#8217;s see the next one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hashed_Password\"><\/span>Hashed Password<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Hashed password storage method is similar to encryption because it converts your passwords to a long string of numbers and letters to keep them hidden. However, unlike encryption, it is one-way traffic. <\/p>\n\n\n\n<p>If a hacker or someone else gets the hash, the person cannot reverse the algorithm backwards to get the original password. This requires that a hacker get the hashes and then try a number of password combinations to see which one works (that&#8217;s what I explain here: <a href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\" rel=\"noreferrer noopener\">the brute-force method<\/a>). <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"1000\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg\" alt=\"\" class=\"wp-image-450\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords.jpg 1000w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-300x300.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-150x150.jpg 150w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/06\/time-to-crack-passwords-768x768.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure><\/div>\n\n\n\n<p>The problem with this method is that, though a hacker can&#8217;t decode a password from the hash, the hacker can try many different passwords until a match is found. With a computer and program such as <a href=\"https:\/\/infosecscout.com\/what-is-a-rainbow-table\/\" data-type=\"post\" data-id=\"472\" target=\"_blank\" rel=\"noreferrer noopener\">Rainbow Tables<\/a>, a hacker can do this very fast. A Rainbow Table is a list of trillions of varying hashes and their passwords. In this instance, using a long password could make it difficult for hackers to crack the hash.<\/p>\n\n\n\n<p><a href=\"https:\/\/infosecscout.com\/md5-vs-sha256\/\" data-type=\"post\" data-id=\"365\" target=\"_blank\" rel=\"noreferrer noopener\">Some algorithms are better than other<\/a>, but as a whole, there is not a 100% safe way to use this method to store passwords.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hashed_Password_with_a_Dash_Of_Salt\"><\/span>Hashed Password with a Dash Of Salt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong><a href=\"https:\/\/infosecscout.com\/md5-salt-hash\/\" data-type=\"post\" data-id=\"42\" target=\"_blank\" rel=\"noreferrer noopener\">Hashed password with a dash of salt<\/a> is a method that adds a random string of characters called &#8220;salt&#8221; to the beginning or the end of your password before hashing it. This method uses a different salt for each password. <\/strong><\/p>\n\n\n\n<p>Even if the salts are stored in the same server, it is difficult for hackers or someone else to find the salted hashes in the Rainbow Table. This is due to the fact that each salted hash is unique, complex and long. <\/p>\n\n\n\n<p>However, this method offers far more security than the previous ones and is more difficult to crack. Hackers could use brute force to try to compromise this method, and it is not impossible. Though far more time-consuming and difficult.<\/p>\n\n\n\n<p><a href=\"https:\/\/infosecscout.com\/how-to-brute-force-a-password\/\" data-type=\"post\" data-id=\"56\" target=\"_blank\" rel=\"noreferrer noopener\">A brute force attack<\/a> is an attack in which cybercriminals meticulously try to log into an account using every imaginable combination of characters until they get the correct password. A longer, more complex password makes brute force attacks more difficult.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Slow_Hashes\"><\/span>Slow Hashes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>For hashes to be secure and robust, it needs to be slow. A slow hash password storage method makes the calculation of the hash slow to compute by using many internal iterations. The goal of the slow hash method is to make the trouble or difficulty of breaking the hash exceed the benefit that hackers would gain even if the hack were successful.<\/strong><\/p>\n\n\n\n<p>To hack a slow-hashed password database using brute force attack, time is of the essence and great importance. Slow hashes make it extremely difficult to carry out.<\/p>\n\n\n\n<p>Hashing refers to splitting or chopping something into small pieces to appear as a sort of confusing mess. In computing, the hash function is a mathematical algorithm that maps data or information of varying sizes to a fixed size string. <\/p>\n\n\n\n<p>The function input is referred to as &#8220;message&#8221; or just input. While the output of the fixed string is referred to as the hash or message digest. Some generally used hash algorithms include Message Digest (MDx) algorithm, <a href=\"https:\/\/infosecscout.com\/where-is-md5-used\/\" data-type=\"post\" data-id=\"467\" target=\"_blank\" rel=\"noreferrer noopener\">MD5 <\/a>and Secure Hash Algorithm (SHA), <a href=\"https:\/\/infosecscout.com\/difference-md5-sha1\/\" data-type=\"post\" data-id=\"116\" target=\"_blank\" rel=\"noreferrer noopener\">SHA-1<\/a>, SHA-2 and <a href=\"https:\/\/infosecscout.com\/md5-vs-sha256\/\" data-type=\"post\" data-id=\"365\" target=\"_blank\" rel=\"noreferrer noopener\">SHA-256<\/a>.<\/p>\n\n\n\n<p>To keep your password safely, passwords managers are also using other strategies, like :<\/p>\n\n\n\n<ul><li>Cloud-based password managers<\/li><li>Cloud-based with two-factor authentication.<\/li><li>Computer-based<\/li><li>USB based.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>On each website where you enter your password, the website owner has to keep it in a way or another so that it can check your identity the next time you log in. Do you wonder how they memorize your password? Is it safe? I&#8217;ll answer your questions in this article. Developers have several methods&#8230;<\/p>\n","protected":false},"author":1,"featured_media":518,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/11\/how-are-passwords-stored-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":0,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/514"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=514"}],"version-history":[{"count":2,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":517,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/514\/revisions\/517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/518"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}