Technology Explained

Every Secure Website Does This With Your Password

Ben Stegner 13-11-2015

We’ve talked plenty about passwords Everything You Need To Know About Passwords Passwords are important and most people don't know enough about them. How do you choose a strong password, use a unique password everywhere, and remember them all? How do you secure your accounts? How do... Read More , especially how to create an unbreakable one 6 Tips For Creating An Unbreakable Password That You Can Remember If your passwords are not unique and unbreakable, you might as well open the front door and invite the robbers in for lunch. Read More , but have you ever wondered how websites keep these passwords safe from malicious folk? After all, only the worst websites actually store passwords in plain text.


They do it using a process called hashing, which takes a series of characters and transforms it into something completely different. This is really easy to do in one direction, but trying to reverse it is next to impossible.

Confused? That’s okay. It’ll become clear in a few seconds.


For example, you might have a password examplepass, but websites don’t literally store “examplepass” in their databases. Rather, they run it through a hash function that transform it into a different series of characters, such as 6XF$#14Az@Q, and this is what they store.

So if someone broke into the databases of Facebook or YouTube, they would have a hard time cracking your password. Even though examplepass hashes into 6XF$#14Az@Q, it doesn’t work the other way around.


So, when you type your password into Facebook, the website doesn’t say “The user typed examplepass. Is this their password?” because that would be horribly insecure. Instead, the website hashes your password and checks it against its database of hashed passwords.

If it matches hash with hash, then it determines that you entered the right password.

This explains why “Forgot Password” links behave as they do. Websites can’t just email you your password because they don’t know what it is! Instead, they reset your password with a temporary one or ask you to set a new one so that they can update the record they have for you.

If you ever get an email with your password in plain text, the sender’s site is insecure and you should seriously reconsider dealing with them. Anyone keeping your password in plain text is just asking for trouble. Check out Plain Text Offenders for examples of this.

Did you know how passwords are stored? Have you ever been emailed a password? Let us know your experience below!

Image Credit: Maxx-Studio via

Related topics: Online Security, Password.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. flyup
    December 13, 2015 at 4:57 pm

    The password needs to become a relic. The responsibility of controlling our digital value (think bitcoin) are dependent upon a new paradigm in security. Biometrics? The future of our digital lives depends on strong (nearly unbreakable) encryption. Unless you want to give this responsibility to the government or some massive centralized authority? Down with passwords!

    • Ben Stegner
      December 14, 2015 at 5:26 pm

      I pretty much agree with you. Passwords are a pain because most people don't bother to create strong ones, or remember the ones they do have. This leads to all the problems we have now...

      I guess the only downside to biometrics at this point is the cost, but that should change in the future.

  2. Martin Jane?ek
    November 14, 2015 at 10:16 am

    In fact, this kind of hashing is good maybe for integrity checks (see md5). For passwords it is better to use slower hashing algorithm that returns different hash every time for same password.

    Password verification is then done by selecting user from database and passing his stored password hash as a salt to same algorithm, which then is able to compute same hash and compare them. This way your database hashes are safe against rainbow tables and it would take much longer to brute force even one password (based on complexity of hashing algorithm).

  3. Anonymous
    November 13, 2015 at 11:09 pm

    I normally add a pre-written special string to the end of a password and then then stick it through an MD4 hash. It would be pretty rare to guess a password that matches the result.

    • Anonymous
      November 15, 2015 at 12:59 am

      MD4, MD5, and other simple hashes are easy to crack. Recent versions of SHA (SHA512, SHA1024) are better, as are individual salts for each password. People who *really* want to crack your passwords won't resort to one pass - they'll run thousands of guesses against your password list, using GPU software to accelerate things by millions of tries per second. They're also using "rainbow tables" - lists of common words like "password" and "unicorn", combining them to try passwords like "password123" and "unicorn_bob". Your best bet is to use random passwords like "_rCx7p*gj$" using as many characters as you can, and (on the backend), salting and hashing as many passes of a strong hash as you can (say, 1024 passes of SHA512, 500 passes of SHA1024, or as much hash encryption as you can provide) to create the stored passkey.

  4. Jamoe
    November 13, 2015 at 3:00 pm

    Also, hashing without salting is just a step above plaintext. This because, based on a given hash, a password will always return the same hash. So people have built rainbow tables, which are huge lists that show the hash for a large combination of possible passwords.

  5. Anonymous
    November 13, 2015 at 9:37 am

    Also, and although it happens rarely it can happen, 2 passwords can sometimes hash to the exact same values.

  6. Anonymous
    November 13, 2015 at 9:36 am

    I like how you say 'Every secure website does this with your password', that's like saying 'Every car on the planet takes petrol', both statements are simply not true.

    May I recommend you reading the blog where he likes to post about websites that even though they say they are 'https' and the padlock says they are, they still store your password in plaintext...

    • Anonymous
      November 13, 2015 at 1:06 pm

      Just using https doesn't implicitly mean the website is secure..

    • Fik of borg
      November 14, 2015 at 1:21 am

      It may be possible that by "secure website" the author meant "safe website" and not "website that uses https"