There has been a lot of discussion around password security and how insecure many websites are in the way they store your password in their databases: many don’t even use hashing or encryption, but store passwords in plain text. I will now try to explain, in simple terms, the technology behind password storage for websites and what to look out for as a user, to raise awareness about this.

Have you ever heard words like “hash” or “salt” and wondered what they mean? Read on.

The safest way to store passwords is considered to be storing only a “hash” of the password. A hash is a sort of fingerprint of a text string, which is unique to that string. The most common hash method is called MD5; there are other, more secure ones too.

MD5(“password”) = “5f4dcc3b5aa765d61d8327deb882cf99”

So the string stored in the database for the password “password” would be the fingerprint above. To check whether a user has entered the correct password, the website simply compares the MD5 fingerprint of the password he/she entered with the fingerprint stored in the database; if they match, the passwords match too.

You cannot reverse a hash back into the password. The only way to get the password from a hash is to compare it with other hashes generated with the same method, which means using “brute force” or a dictionary to check millions and millions of strings to see whether their fingerprint matches yours. Bear in mind that it is not very hard or time-consuming to crack a password by simply testing every possible combination of characters if the password is shorter than 8 characters and contains no special characters.

This is why many programmers also add a “salt” to their hashes to make the password more secure. A salt is a set of characters that is either static for all users or, even better, unique and randomized for each user. If the salt is static and two users have the same password, they will also have the same hash. Adding a salt basically appends characters to the password, increasing the string’s length and complexity, like this:

MD5(“password+salt”) = “d0e89799b1a7f3cf4202610eeb489758”

By using more complex combinations of hashes and salts it becomes even more secure:

MD5(“password”) + MD5(“$aLT-1234”) = “eb1bce1e6a6680ec918e6860be4fafd8”
or
MD5(MD5(“password”) + MD5(“$aLT-1234”)) = “f0944a6035f76b14cf084d90694a1b20”

This last method can be considered pretty secure, since the fingerprint stored in the database is not the fingerprint of the password itself, but the fingerprint of the password’s fingerprint combined with the fingerprint of a dynamic salt. This is something the programmer of the website must think about, but now you have an idea of how it can work behind the scenes.
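To make the hash-and-salt idea concrete, here is an added example (not code from the original post) that reproduces the MD5 fingerprint quoted above, then contrasts a static site-wide salt with a per-user random salt and shows how a site checks a login. The record layout “salt$hash” and the 8-byte salt size are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# The "fingerprint" the post describes: the hex digest of a text string.
def fingerprint(text: str, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()

# Static salt (same for every user): equal passwords give equal stored hashes.
def store_static_salt(password: str, site_salt: str) -> str:
    return fingerprint(password + site_salt)

# Per-user random salt: the salt is kept next to the hash so the site can
# repeat the same computation at login. The "salt$hash" layout is assumed.
def store_random_salt(password: str) -> str:
    salt = secrets.token_hex(8)  # 16 hex chars, fresh for every user
    return salt + "$" + fingerprint(salt + password)

# Login check: recompute the fingerprint with the stored salt and compare.
def verify(password: str, record: str) -> bool:
    salt, stored = record.split("$", 1)
    candidate = fingerprint(salt + password)
    # constant-time comparison, so timing does not leak how much matched
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print(fingerprint("password"))  # 5f4dcc3b5aa765d61d8327deb882cf99
    a = store_static_salt("password", "site-salt")
    b = store_static_salt("password", "site-salt")
    print("static salt, same password, same hash:", a == b)
    r1 = store_random_salt("password")
    r2 = store_random_salt("password")
    print("random salt, same password, different records:", r1 != r2)
    print("login with right / wrong password:", verify("password", r1), verify("wrong", r1))
```

With a random per-user salt, two users who chose the same password end up with different database records, so one user's record tells you nothing about the other's.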

So how do you know your password is safe on the websites you’re registered on? Well, one simple thing I look out for is their “forgot your password” function. If you use it and get an email back containing your old password in plain text, it is very likely that they store it in plain text; at the very least they are not using a hash. What you should get back in the email is a new, randomly generated password. That is no guarantee that the site uses a hash, but it is likely.

Of course, it is always recommended to use a different password at each website, and to avoid any word that could exist in a dictionary, even if you combine it with numbers. It is also important to add numbers and special characters to your password: by adding characters like “#$.-@” and keeping it longer than 8 characters, it becomes very time-consuming and much harder to crack.

I have left out some of the more technical issues in this text; perhaps I will write a second part later, but these are the basics. Feel free to comment or ask anything on the blog.