How your passwords are stored and why you should care

So, you have spent time and thought creating a strong password. It is long and mixes letters, numbers and symbols. You believe nobody could discover it unless they tortured it out of you… Well, all this diligence goes up in smoke if you use that password on an online service that stores it in plain text. Then your password is exposed the moment the site is hacked or, even easier, the moment an unethical employee reads it out of the database and walks away with it.

Websites store passwords in several ways, and depending on the age of the site and the skills of its developers the passwords are protected to very different degrees. The first and most vulnerable method is storing them in plain text. Each time you log in, the username and password you type are simply compared with the database record. If the site is hacked, or if somebody with the right access level queries the database, he or she sees every username and password exactly as they were typed. The length and strength of the passwords do not matter at all: they are all compromised at once.

A second method is reversible encryption. The password is encrypted before it is stored, and when you log in the stored value is decrypted with the same key and compared with what you typed. This is not safe either. The key has to be available to the application every time someone logs in, so anyone who compromises the server, or the key itself, can decrypt every password back into plain text in one go. This method gives little more protection than plain text.

A better method is hashing passwords before storing them. A hash function turns the password into a fixed-length value from which the original cannot practically be recovered, and only that hash is stored. When you log in, the password you type is hashed in the same way and the result is compared with the stored hash; if they match, you are let in. Note that hashing is not encryption: there is no key and nothing to decrypt, which is exactly the point.

A good hash function is one-way: there is no practical way to get the password back from the hash. Attackers do not need to reverse it, though. With ever-increasing computing power they simply hash enormous lists of likely passwords and look for matching results, and for fast, unsalted hashes (plain MD5 or SHA-1, for instance) they can precompute such a table once and reuse it against every leaked database. Consequently the hashing techniques used a few years ago are no longer safe for passwords.

These days hashing is combined with two extra tweaks: salting and slow hashing. A salt is a random value, different for every user, that is mixed into the password before hashing, so two users with the same password get different hashes and precomputed tables become useless. A slow hash (bcrypt, scrypt, Argon2 or PBKDF2) is deliberately expensive to compute, so an attacker who steals the database can only try a limited number of guesses per second. The principle is the same as plain hashing, but with these tweaks.
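The following script is an added example, not code from the original article or from any site it mentions. It puts the last three paragraphs side by side: an unsalted SHA-256 store falls to a precomputed lookup table built once from a small constructed wordlist, while a salted PBKDF2-HMAC-SHA256 store (the iteration count, the `pbkdf2_sha256$…` record format and the sample users are assumptions for illustration) defeats that table and forces the attacker to re-run the slow hash for every user and every guess.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for the huge lists attackers really use
# (hypothetical, not taken from any real leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2019!"]


# --- Old style: one fast, unsalted hash per password -----------------------
def store_unsalted(password: str) -> str:
    """Store plain SHA-256 of the password (the weak, older technique)."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_unsalted(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_unsalted(password), stored)


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; reusable against every site using this scheme."""
    return {store_unsalted(p): p for p in wordlist}


def crack_unsalted(stored_hashes: dict, table: dict) -> dict:
    """Every user whose hash is in the table falls to a single dictionary lookup."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# --- Current style: per-user random salt + deliberately slow hash ------------
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, raise it as hardware improves


def store_salted_slow(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh 16-byte salt; the salt is stored beside the hash and is not secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_slow(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted_slow(stored: dict, wordlist) -> tuple:
    """No shortcut: each guess must be re-hashed per user with that user's own salt.

    Returns (cracked users, number of slow hash evaluations the attacker had to run)."""
    cracked, evaluations = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            evaluations += 1
            if verify_salted_slow(guess, record):
                cracked[user] = guess
                break
    return cracked, evaluations


if __name__ == "__main__":
    users = {"alice": "Summer2019!", "bob": "correct horse battery staple"}  # constructed
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_db = {u: store_unsalted(p) for u, p in users.items()}
    print("unsalted, cracked by lookup:", crack_unsalted(unsalted_db, table))
    salted_db = {u: store_salted_slow(p) for u, p in users.items()}
    print("salted records found in lookup table:", any(r in table for r in salted_db.values()))
    print("salted, brute force (cracked, evaluations):", crack_salted_slow(salted_db, COMMON_PASSWORDS))
```

Alice's weak password is recovered either way, which is why the advice about not reusing passwords still matters; the difference is the cost. Against the unsalted store the table is built once and every leaked user is a free lookup, whereas against the salted store the attacker pays the full PBKDF2 cost for each guess against each user and gets nothing from work done elsewhere.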

Why don’t all websites use these hashing methods? It comes down to whether the developers knew about, and used, a robust and current method for processing and storing passwords. If they were not aware of current password hashing best practice, or if the site is old and has never been updated, you are more likely to find passwords stored in plain text or with reversible encryption.

How do I know whether an online service stores passwords securely? Unless you can review its source code, it is hard to know. There is, however, one easy sign that a password is not stored securely: a service that can send you your password by email cannot have stored a proper hash of it, because a hash cannot be turned back into the password. Bad practice is most often exposed when you forget your password and use the “I forgot my password” link. A secure service sends you a link to set a new password; a service that emails your existing password in plain text is storing it in plain text or in reversible form. The same goes for a welcome email that echoes back the password you just chose. You should run away from such services.

How many websites use bad password storage practices? Many more than you would think. A website has been created to expose them: I recommend visiting http://plaintextoffenders.com/. New sites are exposed every day, and among them are some very well-known brands. These are only the tip of the iceberg.

So, when you start using a new service and are not sure about its security practices, use a different password from the one you use anywhere else (a password manager makes this painless). That way, if that password is compromised, it cannot be reused against your other accounts. And if you receive an email containing your password in plain text, take a screenshot of it and submit it to Plain Text Offenders.