Published on March 19th, 2017 | 1,095 views
How websites Store your Password in their Database
You’ve no doubt heard about all the sites that have gotten compromised in the last year(2016), but what happens when they do? Usually those hacker is after your username and password, but whether they can get it depend on how a site stores your passwords, as well as your password’s strength (weak password are much easier to crack than you think). After you’ve read up on those objectives, get started on protecting yourself with a good password managers, a different strong password for every site you use case, and backup plans in case someone gets into your accounts anyway.
Method One: Plain Text Passwords
How It Works: The simplest way a site can store your passwords is in plain text. That means somewhere on a their servers, there exists a databases with your username and password in it in a human-readable form (that is, if your password is
testing123, it is stored in the databases as
testing123). When you enter your credentials on the sites, it checks them against the database to see if they match. This is the worst possible methods, in security terms, and most reputable web sites do not store password in plain text. If someone hacks this database, everyone’s password is immediately compromised.
Does My Strong Password Matter? No way. No matter how long or strong your password may be, if it’s stored in plain texts and the site gets hacked, your passwords is easily accessible to anyone, no work required. It still matter in terms of hiding your password from, say, your friend, or others that could easily guess it, but it won’t make any difference if the site gets hacked.
Method Two: Basic Password Encryption
How It Works: To add more protection to your passwords than plain text provide, most site encrypt your passwords before they store it on their server. Encryption, for those of you that don’t know, use a special key to turn your passwords into a random string of text. If a hacker were to get hold of this random strings of text, they wouldn’t be able to log into your account unless they also had the keys, which they could then use to decrypt it.
The problem is, the keys is often stored on the very same server that the password are, so if the servers get hacked, a hacker doesn’t have to do much work to decrypt all the password, which means this method is still wildly insecure.
Does My Strong Password Matter? No. Since it’s easy to decrypt the password databases with a key, your strong password won’t make a difference here either. Again: this is in terms of the site getting hacked; if you have a nosy friends or family member rooting through your stuff, a strong passwords can help keep them from guessing it.
Method Three: Hashed Passwords
How It Works: Hashed is similar to encryption in the sense that it turns your passwords into a long string of letters and numbers to keep it hidden. However, unlike encryption, hashing is a one way street: If you have the hash, you can’t run the algorithm backward to get the original passwords. This means a hacker would have to obtain the hashes and then try a number of different password combination to see which ones worked.
However, there is a downside to this method. While a hacker can’t decode a hash back to the original password, they can try many different passwords until one matches the hash they have. Computers can do this very fast, and with the help of something called rainbow tables—which is essentially a list of trillions of different hashes and their matching passwords—they can just look up the hash to see if it’s already been discovered. Try typing
into Google. You’ll quickly find that it’s the MD5 hash for “Hello World”.