Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

How Do Websites Store Passwords Securely?

//
In reading your excellent article, “How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?” I still don’t understand. Even if a hacker has stolen the user database of logins and hashes, how can they duplicate the method of hash creation used by any particular website? I would think different websites would use different hash creation formulas.

You would think.

That’s what makes it so frustrating when these attacks end up being successful.

The problem is that security is often an afterthought. In fact, it’s often not thought of in any deep sense until after a successful attack.

The good news is, there’s something simple you can do about it.

Become a Patron of Ask Leo! and go ad-free!

Anatomy of a “poor” website

As discussed in that earlier article, websites do not (or, rather, should not), keep a record of your password. Instead, they “hash” the string of characters you provide as your password, and store that hash instead. When you log in, they hash the password you type in and compare the result with the hash they stored. If the hashes match, you must have typed in the correct password.

There are several standard hashing functions. For example, if we hash the password:

password

using the “sha256” hash, the result is:

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

And that’s exactly what a “poor” website might do: nothing more than a standard hash.

The problem is that anyone who hashes “password” using sha256 will get exactly the same result. There are several approaches that allow hackers to discover which hash algorithm was used and to reverse engineer many of the passwords in a stolen database.

Not good.

A “good” website adds salt

Let’s say you specify a password:

password

Passwordbut before hashing it, the website modifies it in some way. More specifically, it modifies it in a way unique to the website via a secret method. It could be as simple as adding a string to your password:

password-website-added-string

Now when that modified password is hashed using a standard hash algorithm, the result is quite different:

ecd4615720cd24c455cbf627243737c94cd1539f4c8903d664a36ef4992fbce8

Each time your password is entered, before calculating the hash, the website adds this unique information — called “salt” — to what you entered. As long as no one knows the salting string (or, more commonly, the salting algorithm, which is more complex than just adding a string) there’s no way to reverse engineer a stolen database of password hashes.1

When to be concerned

Whenever there’s a report of a user-account database breach, I look for information about exactly what that database contains. I look for one of three phrases:

  • Unencrypted passwords. This is horrible security because it represents no security. Hackers need do no work; the passwords are theirs for the taking. Change your password immediately.
  • Unsalted password hashes. This is the “bad” website scenario: the website designers made an attempt, but a poor one. Passwords are likely to be compromised in short order. Change your password as soon as you can.
  • Salted password hashes. This is the “good” scenario. When I hear this phrase or its equivalent, I worry much less. I’ll change my password, as salting can still be implemented poorly, but I won’t lose sleep if I can’t get to it right away. Hackers aren’t going to get in easily, if at all.

What you can do

Here’s the real problem: when it comes to security, there are good websites, bad websites, and horrible websites.

You have no way of knowing which is which — at least not until after a compromise.

There’s only one practical approach: assume they’re all horrible. Assume your password may someday be compromised.

In practice, that’s simply another reason for a basic rule of password security: use a different password on every site. That way, when one site gets compromised, your other accounts are not at additional risk as well.

In other words: keep doing what I hope you’re already doing.

Podcast audio

Play

Footnotes & references

1: This is an over-simplification. A properly secure password storage mechanism would use a different hashing function, for a variety of reasons, as well as a unique, random number as a salt. I found a good, more detailed rundown at Salted Password Hashing – Doing it Right.

13 comments on “How Do Websites Store Passwords Securely?”

  1. Leo, how about doing a piece about the security of password managers, both cloud-based and those that reside on your PC?

  2. You use the phrase “reverse engineer” regarding hash codes. That may make people think that the hackers can read the hash code and work their way backwards from it to get the initial password or phrase.
    My understanding is that the hash is a one way process and what they do is create a dictionary of common passwords (and all short ones) that they run through the hash process to see which one gives the matching hash code. With a salted hash, they will not find any matches unless they happen to also match the salt.

    Any site that can tell you what your “forgotten” password is should be avoided. That means that they store the actual password somewhere that can be hacked instead of only saving the hash of your password.

  3. Leo.. Thanks for all your messages answering the questions of your readers. On today’s subject, I would like to ask about my creating passwords that are really complex. How would I keep up with these new passwords – salted or not – ? They would be long and not easy to remember by myself. Where would a keep these long and complicated passwords. Thanks for your comments.

    • Use a password manager such as Keepass or LastPass. The first is a software program that you install on your PC. It stores your passcodes in an encrypted file locked with AES encryption, the gold standard of the industry. The latter is a browser extension that you add to your browser. It stores your passwords safely in the cloud, also encrypted with AES. I use both and find them both easy to use. I have hundreds of usernames and passwords for many different websites, encrypted volumes and so forth. All are very complex passcodes with 20 or more different character combinations. Nothing is truly bulletproof, of course, but I always follow best practices.

    • Not quite sure I understand your question. This whole concept of salting and such happens behind the scenes. You just create long, strong passwords, use different ones everywhere, consider using a password vault like Lastpass, and you’re good.

    • As Leo said, the salting happens behind the scenes. Ie. by the program that encrypts them. To keep your passwords protected by a salted hash, use a password manager, such as LastPass, which uses a salted hash to encrypt your passwords.

  4. Leo: I would assume the best of all practices is to install LastPass and let LastPass generate very strong passwords (20 characters or more) for each and every website that I use. That way even I would not know what the passwords were unless I were to download the CSV file into Excel as a backup. Is it better that I don’t know what the passwords are?

  5. Leo,
    Have you noticed that password managers are not working as well as they use to? What I mean is at some sites they will fill in the info, and others they don’t. I end up running 2 different PW managers at the same time hoping one will work. I believe this may be caused by web sites not catching up to the new web browsers. Same issue with the browsers. Normally run Fire Fox, then MS edge and one may work correctly. example, FF opens a page but doesn’t display the words, MS edge you click on a link, but nothing happens. Check out carts are always a crap soot. So I resort to using IE11. That browser just seems to work.

  6. Leo, you wrote:

       "Unencrypted passwords. This is horrible security because it represents no security. Hackers need do no work; the passwords are theirs for the taking. Change your password immediately."

    I am shocked, astounded dismayed, and ashamed, Leo, that you would give such idiotic advice!

    Folks, if you find evidence that a site is storing your password (or passphrase) unencrypted, DELETE YOUR ACCOUNT THERE AND DUMP THAT SITE AT ONCE — and DON’T use that same password/phrase anywhere else, EVER!

    But, ABOVE all, do NOT, as Leo here so mindlessly recommends, simply change you passphrase — the “new” one will be every bit as UNencrypted and vulnerable as the old one was!!! Yeesh!!!

    –Glenn P.

    • This is the full text of what Leo said about unencrypted passwords:

      Whenever there’s a report of a user-account database breach, I look for information about exactly what that database contains. I look for one of three phrases:
      Unencrypted passwords. This is horrible security because it represents no security. Hackers need do no work; the passwords are theirs for the taking. Change your password immediately.

      All he’s saying here is that if there has been a breach, the hackers have your password and you should change it.

      Of course, it’s best to switch to a website which uses a salted hash of your password but this isn’t always possible. And for that reason, the worst thing you can do is use the same email address password combination on more than one website.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.