How Your Passwords Are Stored On The Internet

Between LinkedIn, Dreamhost and other prominent sites that have been hacked recently, you’ve probably been thinking about your online security lately. But what does it actually mean when one of these sites gets hacked, and how can you protect yourself? Here’s how your passwords are stored on the internet, and what it means for you when a website you use is breached.

Title image remixed from Palsur.

There are a number of ways a site can store your password, and some are considerably more secure than others. Here’s a quick rundown of the most popular methods, and what they mean for the security of your data.

Method One: Plain Text Passwords

How It Works: The simplest way a site can store your password is in plain text. That means somewhere on their server there is a database with your username and password in it in human-readable form (that is, if your password is testing123, it is stored in the database as testing123). When you log in, the site simply compares what you typed against that stored value. In security terms this is the worst possible method, and most reputable web sites do not store passwords in plain text. Anyone who gets a copy of this database, whether through a break-in or a leaked backup, has everyone’s password immediately.

Does My Strong Password Matter? No way. No matter how long or strong your password is, if it’s stored in plain text and the site gets hacked, your password is there for the taking, no work required.

Method Two: Basic Password Encryption

How It Works: To add more protection than plain text provides, some sites encrypt your password before storing it on their servers. Encryption uses a secret key to scramble your password into text that looks random but can be unscrambled: anyone holding the key can run the process backwards and get the original password out. If a hacker got hold of only the scrambled text, they couldn’t use it to log into your account unless they also had the key.

The problem is that the site itself has to decrypt the stored passwords in order to check them, so the key usually lives on the very same server as the password database. If that server is hacked, the attacker takes the key along with the data and can decrypt every password with almost no effort, which means this method is still wildly insecure, only marginally better than plain text.

Does My Strong Password Matter? No. Once the attacker has the key, decrypting the whole database is trivial, so your strong password won’t make a difference here either.

Method Three: Hashed Passwords

How It Works: Hashing is similar to encryption in that it turns your password into a fixed-length string of letters and numbers to keep it hidden. Unlike encryption, though, hashing is a one-way street: there is no key, and you can’t run the algorithm backwards to get the original password out of the hash. A hacker who steals the hashes has to guess candidate passwords, hash each one, and compare the results against the stolen values to see which ones match.

The downside is that guessing is cheap. A hacker can’t decode a hash, but they can hash millions of candidate passwords per second and see which ones match, and with the help of something called a rainbow table (a precomputed table that maps hashes back to the passwords that produced them) they can simply look a stolen hash up to see if it has already been cracked. Try typing e38ad214943daad1d64c102faec29de4afe9da3d into Google. You’ll quickly find that it’s the SHA-1 hash of “password1”. Because the plain hash of a given password is always the same, every user who chose password1 has exactly that hash in the database, and one lookup cracks all of them at once. For more information on how rainbow tables work, check out this article by coding guru Jeff Atwood on the subject.

Does My Strong Password Matter? In this case, yes. Rainbow tables are built from passwords that people are likely to pick, so the really weak ones are cracked instantly. What limits them isn’t complexity so much as length: a table only covers passwords up to a certain length, and every extra character multiplies the number of possibilities it would have to cover. You’re better off using a very long password (in the style of XKCD’s famous “correct horse battery staple”) than a short, complex one (like kj$fsDl#). Just don’t use that exact phrase: it has been in every cracking dictionary since the comic was published.
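To make the lookup concrete, here is an added example (not code from the article) that plays the attacker against a tiny, constructed dump of unsalted SHA-1 hashes. The wordlist and the user names are made up for the demonstration; the only value taken from the article is the hash of “password1”. The table is a plain hash-to-password dictionary, which is what the article’s description amounts to; a real rainbow table stores chains of hashes to save space, but the lookup step at the end is the same.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password as a hex string (Method Three, as LinkedIn used)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for a cracking dictionary (example data, not a real list).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou", "abc123"]

# Constructed "leaked" user table of unsalted SHA-1 hashes. alice's entry is the hash
# quoted in the article; the others are computed here. carol's passphrase is not in WORDLIST.
LEAKED = {
    "alice": "e38ad214943daad1d64c102faec29de4afe9da3d",   # sha1("password1")
    "bob":   sha1_hex("letmein"),
    "carol": sha1_hex("correct horse battery staple"),
    "dave":  sha1_hex("password1"),                          # same password as alice
}


def build_lookup_table(wordlist, hash_fn=sha1_hex) -> dict:
    """Precompute hash -> password for every word, once.

    This is the attacker's up-front work. It is done without any particular
    victim in mind and is reused against every unsalted dump ever stolen."""
    return {hash_fn(word): word for word in wordlist}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """Look each stolen hash up in the precomputed table.

    No hashing happens here at all: a match costs one dictionary lookup, and because
    identical passwords produce identical hashes, one table entry cracks every user
    who chose that password."""
    return {user: table[h] for user, h in leaked.items() if h in table}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    cracked = crack_unsalted(LEAKED, table)
    for user, password in cracked.items():
        print(f"{user}: {password}")
    print("alice and dave share a hash:", LEAKED["alice"] == LEAKED["dave"])
    print("carol's passphrase was not in the table:", "carol" not in cracked)
```

Three of the four users fall to a seven-word table without computing a single hash at crack time; carol survives only because her passphrase isn’t in the list, which is the whole argument for length over complexity.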

Method Four: Hashed Passwords with a Dash of Salt

How It Works: Salting a hash means adding a random string of characters, called a “salt”, to your password before hashing it. Each password gets its own salt, and the salt is stored in the database right next to the resulting hash. It doesn’t need to be secret; its job is to make every stored hash unique, so that two users with the same password end up with different hashes and a precomputed rainbow table is useless: nobody could have built a table in advance for each of those random salts. LinkedIn is famous for not using salted hashes, which brought them under a lot of scrutiny after their recent hack; had they used salts, their users would have been safer.

Does My Strong Password Matter? Certainly! Salting defeats precomputed tables, but it doesn’t stop guessing: the attacker just hashes each candidate together with each user’s salt, one user at a time, and with fast hash functions a modern graphics card can try billions of guesses per second. It takes far longer than a rainbow-table lookup, but it’s still doable, so the strength of your password still matters: the longer and less predictable it is, the more guesses an attacker needs before they hit it.

Method Five: Slow Hashes

How It Works: Right now, most security experts are pointing to slow hashes as the best option for storing passwords. General-purpose hash functions like MD5, SHA-1 and SHA-256 are designed to be fast, which is exactly what you don’t want here, because every guess the attacker makes is just as fast as your login check. In a brute force attack, time per guess is the most important factor. Purpose-built password hashes like bcrypt (and scrypt and PBKDF2) are deliberately slow and have an adjustable cost, so the site can make each hash take, say, a tenth of a second: unnoticeable on a single login, but it turns billions of guesses per second into a handful per second per processor core for the attacker. These algorithms also build a salt in, so you get Method Four for free.

Does My Strong Password Matter? Yes. A slow hash multiplies the cost of every guess, and a strong password multiplies the number of guesses needed, so the two work together: a strong password stored with a slow hash could take longer than the attacker’s lifetime to crack. A weak password, on the other hand, is still found quickly even with a slow hash, because it’s among the first few guesses tried.
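The following is an added example (not code from the article) that puts Method Four and Method Five together in one storage scheme and then attacks it. It uses PBKDF2-HMAC-SHA256 from Python’s standard library rather than bcrypt, because bcrypt needs a third-party package; the principle is the same: a fresh random salt per password plus a tunable cost. The iteration count, the user names and the wordlist are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Assumed cost: tune so that one verification takes roughly 0.1 s on the login server.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Method Four + Five: fresh random salt per password, then a slow, salted KDF.

    Everything needed to verify later (algorithm, cost, salt) is stored with the hash.
    None of it is secret, so it can sit in the same database row."""
    salt = os.urandom(16)  # 128-bit salt, unique to this password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time so the
    comparison itself leaks nothing about how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Dictionary attack against salted records. Returns (cracked users, KDF runs).

    Because every user has a different salt, nothing can be precomputed: each
    candidate must be hashed again, with that user's salt, for every user in the dump,
    and each of those runs costs the full iteration count."""
    cracked, runs = {}, 0
    for user, record in records.items():
        for candidate in wordlist:
            runs += 1
            if verify_password(candidate, record):
                cracked[user] = candidate
                break
    return cracked, runs


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one KDF run at a given cost; this is what raising the cost buys."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed sample data (not from any real breach).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou", "abc123"]


def build_demo_users(iterations: int = ITERATIONS) -> dict:
    return {
        "alice": hash_password("password1", iterations),
        "bob":   hash_password("letmein", iterations),
        "carol": hash_password("correct horse battery staple", iterations),
        "dave":  hash_password("password1", iterations),   # same password as alice
    }


if __name__ == "__main__":
    users = build_demo_users()
    # Salting: same password, different stored hash.
    print("alice and dave share a hash:", users["alice"]["hash"] == users["dave"]["hash"])
    print("login ok:", verify_password("letmein", users["bob"]))
    print("login rejected:", verify_password("letmein!", users["bob"]))
    cracked, runs = crack_salted(users, WORDLIST)
    print(f"cracked {cracked} after {runs} KDF runs "
          f"(an unsalted table would have needed {len(WORDLIST)} hashes for everyone)")
    print(f"one guess at {ITERATIONS} iterations: {seconds_per_guess(ITERATIONS):.3f} s")
```

Against these four users the attacker needs 17 KDF runs instead of one 7-entry table, and each run costs 200,000 SHA-256 computations instead of one; the weak passwords still fall, which is the point of takeaway 2 below. For a real deployment use bcrypt, scrypt or Argon2 through a maintained library, pick the cost from a timing measurement like seconds_per_guess, and re-hash each user’s password on their next successful login whenever you raise it.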

How Can You Avoid Having Your Password Leaked?

So what does all this mean for you? Here is what you should take away from this information:

  1. Don’t use services with bad security. While you can’t control how a company stores your password, you can control which services you sign up for. Avoid any service that stores passwords in plain text or with reversible encryption; both are far more exposed if the site is breached. A good way to find out what they use, according to web service CloudFlare, is to click the “lost password” link. If the site emails you your existing password, it can read the password itself, which means it isn’t hashed and is probably stored with one of the less secure methods. (A site that does it right can only send you a reset link, because it doesn’t have your password to send.) Of course, you can always email them and ask, or check their FAQ to see if they’ve volunteered that information.
  2. Use a strong password: As we’ve shown you above, the stronger your password is, the longer it takes to crack, and length counts for more than complexity. Remember: given enough time, any password is crackable; you just want it to take as long as possible. Which brings us to the next point:
  3. Always change your password after a breach: Even if your password is strong, that doesn’t make it uncrackable; it just means cracking it is likely to take a very long time. People with weak passwords may have had their accounts taken over before they even hear about the leak, but if your password takes days to crack, you have time to change it and make the old one useless before anyone recovers it.
  4. Use a different password for every site: If every account has its own password, the others stay safe when one site is compromised. If you reuse the same password everywhere, one site’s breach hands the attacker every account you own, and attackers routinely try leaked passwords against other popular sites.
  5. Use OAuth if you’re unsure about a site’s security: We’ve talked about OAuth before, the protocol behind the “log in with Google, Facebook or Twitter” buttons. If you don’t know how secure a site is and it offers that option, go for it: the site never sees your Google, Facebook or Twitter password, only a token it can use to ask the provider about you, and if the site is breached you can revoke that token from your provider’s account settings. The trade-off is that your provider account becomes the master key to everything you logged into with it, so protect it with a long password and, where offered, two-factor authentication.


    • No, the salt is usually different for each password and stored next to the HASH in the DB. A hacker getting the salt does not really matter, even getting the HASH and SALT.
      HashFunction("password"+SALT)=HASH. The important thing is you can’t go from the HASH to the password: for a given HASH you can’t figure out the password.
      So what a hacker needs to do is try every password value (might as well start with a dictionary), and they could save the results to a database for later use (this database is called a rainbow table). If you get someone’s hash you can then look it up and get a valid password (something that would hash to the same value, maybe not the same password). Generation of a rainbow table takes a long time and a hacker needs to create one rainbow table for each SALT. No salt means one rainbow table for all passwords, salt means one rainbow table for each salt.
      Ideally a site should do this:
      HashFunction("password"+SALT+SiteSALT, Iterations)=HASH
      HashFunction = function to perform the HASH
      SALT = random salt, one for each password, stored in DB next to HASH.
      SiteSALT = fixed salt for the site, stored in config file or maybe hard coded in code.
      Iterations = take the output and re-hash many times so creating those rainbow tables takes a long time.

  • Thanks for the breakdown Whitson,

    What I would like to know is the cost differential for a company on each of the methods. As in, are they being lazy or budget conscious with their choices of password security?

    • As a computer programmer I can say it is probably more a case of ignorance or laziness.
      It isn’t very hard to code for one method over another – usually there are free libraries already coded that do it for you – the programmer just has to call one library instead of another.
      The issue may also be one of legacy code. If you have created your company software using an easy hash, then upgrading a million+ users to the new hash scheme can be difficult.
      Most companies are also arrogant and assume they aren’t going to get hacked.

  • For point 5 (using OAuth), if the 3rd party site in question is breached, will the intruder then have your Google / Facebook / Twitter password thus having access to your ‘master’ account?

    • The other way around, actually. If your Facebook password is breached, the intruder will have access to any site you use OAuth on. But with lots of bigger sites offering better security, OAuth and a long password are still great things to have.

      And just so you know, if a third party site is breached, your password is never compromised with OAuth. When you use OAuth to sign in (in this example, Facebook as the OAuth provider), the 3rd party site (TPS) tells Facebook what info it wants to get. Usually it’s email address, first and last name. If the TPS is breached, all it can get is what it originally asked for (email, first and last names). Your password is never stored with the TPS, just a unique ID that tells the TPS that it can get some limited info. If the TPS is breached, you go into Facebook, revoke the OAuth permission and hey presto, when the hacker tries to use your OAuth unique ID, it’ll get told Access Denied.

      Hope that makes sense!
