How Do Websites Keep Your Passwords Secure?

Philip Bates 23-08-2016

We now rarely go a month without hearing about some sort of data breach; it might be a service you use every day, like Gmail, or something most of us have forgotten about, like MySpace.


Factor in our increasing awareness of the ways our private information is vacuumed up by Google, social media (notably Facebook), and even our very own smartphones, and nobody can blame you for being a bit paranoid about how websites look after something as important as your password.

In fact, for peace of mind, this is something everyone needs to know…

The Worst Case Scenario: Plain Text

Consider this: a major website has been hacked. Cybercriminals have got past whatever basic security measures it had in place, perhaps by exploiting a flaw in its architecture. You're a customer, and that site has stored your details. Thankfully, you've been assured your password is secure.


Except that site stores your password as plain text.


It was always a ticking bomb. Plain text passwords are just waiting to be plundered: nothing has been done to make them unreadable, so whoever gets hold of the database can read them as easily as you're reading this sentence.

It's a scary thought, isn't it? It doesn't matter how complex your password is, even if it's pi to 30 digits: a plain text database is a list of everyone's passwords, spelled out in full, including whatever extra numbers and characters you added. And even if nobody breaks in, would you really want the site's administrators, or anyone else with database access, to be able to read your login details?

You might think this is a very rare problem, but an estimated 30% of eCommerce websites use this method to "secure" your data; in fact, there's a whole blog, Plain Text Offenders, dedicated to highlighting them. Until last year, even the NHL stored passwords this way, and Adobe's 2013 breach exposed passwords that had merely been encrypted rather than hashed, which, as the next section explains, is not much better.


Shockingly, the antivirus firm McAfee also uses plain text.

One warning sign is receiving an email, just after signing up, that lists your login details with the password included. A far stronger sign is a "forgotten password" feature that emails you your current password rather than a reset link: a site can only do that if it can read the password it has stored. In either case, change your password on any other site where you used the same one, and contact the company to alert them that their security is worrying.

A welcome email alone doesn't prove the password is stored in plain text, since the site still has it in memory at the moment you sign up, but it's a poor sign, and they really shouldn't be sending that sort of thing in email anyway. They may argue that they have firewalls et al. to protect against cybercriminals, but remind them that no system is flawless and dangle the prospect of losing customers in front of them.

They’ll soon change their mind. Hopefully…


Not as Good as It Sounds: Encryption

So what should these sites do?

Many will turn to encryption. We've all heard about it: a way of scrambling your information so that it's unreadable to anyone who doesn't hold the key needed to reverse the process. It's a great idea, one that you should implement on your smartphone and other devices.


The internet runs on encryption: when you see HTTPS in the URL, the site you're on is using Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), to verify the connection and scramble the data in transit.


But despite what you may have heard, encryption isn't perfect, and for stored passwords it's the wrong tool.

Encryption is only as secure as its key, and the key has to be somewhere the site can use it. To check your password at login, an encrypting site must be able to decrypt what it stored, so the decryption key lives on, or within easy reach of, the same servers as the password database. A thief who copies the database and the key recovers every password at once, with comparatively little effort; that's why key material is such a prized target.

Basically, if their key is stored alongside your encrypted password, your password might as well be in plain text. That's why the aforementioned Plain Text Offenders site also lists services that use reversible encryption.

Surprisingly Simple (but Not Always Effective): Hashing


Now we're getting somewhere. Hashing passwords sounds like jargon, but the idea is simple. A hash is not a form of encryption: it's a one-way function, with no key and no way to reverse it.

Instead of storing your password as plain text, a site runs it through a hash function, like MD5, Secure Hashing Algorithm (SHA)-1, or SHA-256, which transforms it into a fixed-length string of digits (SHA-256, for example, always produces 64 hexadecimal characters, however long the password). Your password could be IH3artMU0; its hash is an unrelated-looking string, and if a hacker breaks into the database, that's all they see. And it works only one way: there is no key that decodes it back.

Unfortunately, plain hashing is not that secure either. It's better than plain text, but cybercriminals handle it routinely. The key property is that a specific password always produces the same hash, and the site relies on exactly that: each time you log in with IH3artMU0, it runs the password through the same function and grants access if the result matches the hash in its database.

It also means attackers can do the work in advance. They build rainbow tables, precomputed tables that map hashes back to the passwords that produce them, and combine them with dictionary and brute-force attacks that run through billions of guesses per second on modern graphics cards. Because the same password always produces the same hash, one precomputed table works against every site that stores unsalted hashes. If you've picked a shockingly bad password, it will be in those tables and cracked instantly; more obscure ones, particularly long combinations, will take longer.
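To make the point concrete, here is an added example written for this edit (not code from the original article or from any site it names). An unsalted SHA-256 hash is deterministic, so an attacker can precompute a lookup table from a wordlist once and apply it to any leaked database without hashing anything at crack time. The wordlist, usernames and "leaked" hashes are constructed for the example, and the real rainbow-table chain construction is replaced by a plain dictionary, which gives the same result on a wordlist this small.

```python
import hashlib
from collections import defaultdict

# Constructed for this example: the attacker's wordlist of common passwords.
# Real lists run to hundreds of millions of entries from previous breaches.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "IH3artMU0"]


def fast_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: the same password always gives the same
    64-character hex digest, on every site that stores passwords this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Do the hashing work once, before any database has been stolen.

    A real rainbow table trades storage for recomputation using hash/reduce
    chains; a plain dictionary gives the same result on a wordlist this small.
    """
    return {fast_hash(pw): pw for pw in wordlist}


def crack(leaked, table):
    """Recover every password whose hash is already in the precomputed table.
    No hashing happens here at all; it is a pure lookup per account."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def shared_password_groups(leaked):
    """Unsalted hashes leak one more thing: identical hashes mean identical
    passwords, visible before a single hash has been cracked."""
    groups = defaultdict(list)
    for user, h in leaked.items():
        groups[h].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed "leaked database": usernames mapped to unsalted SHA-256 hashes.
LEAKED_DB = {
    "alice": fast_hash("123456"),
    "bob": fast_hash("IH3artMU0"),
    "carol": fast_hash("correct horse battery staple"),  # not in the wordlist
    "dave": fast_hash("123456"),
}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("cracked:", crack(LEAKED_DB, table))
    print("accounts sharing a password:", shared_password_groups(LEAKED_DB))
```

Carol's passphrase survives only because it isn't in the wordlist; against a real breach list it would be a matter of whether anyone had used it before. Note that alice and dave are exposed as sharing a password before either hash is looked up, which is information a salted store would never give away.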

How bad can it be? Back in 2012, LinkedIn was hacked, and email addresses with their corresponding hashes were leaked: 177.5 million hashes, affecting 164.6 million users. LinkedIn had stored them as unsalted SHA-1. You might figure that's not too much of a concern: they're just a load of random digits, pretty indecipherable, right? Two professional crackers decided to take a sample of 6.4 million hashes and see what they could do.

They cracked 90% of them in just under a week.

As Good as It Gets: Salting and Slow Hashes

No system is impregnable, and hackers will naturally work to crack any new defence, but the stronger techniques used by the most secure sites are smarter hashes: salted, and slow.


A salt is a random value, typically 16 bytes or more, generated separately for every password. It's combined with the password before it passes through the hash function, so two users with the same password end up with completely different hashes, and a rainbow table built for unsalted hashes is useless: an attacker would have to build a fresh table for every single salt, which defeats the whole point of precomputing.

Salts are not secret, and it doesn't matter that they're stored in the same database as the hashes; their job is to make every hash unique, not to hide anything. With salts in place, cracking a set of passwords means attacking each one individually, which is hugely time consuming for hackers, and tougher still if your password itself is long and complicated. That's why you should always use a strong password, no matter how much you trust a site's security.

Websites that take their, and by extension your, security particularly seriously are increasingly turning to slow hashes as an added measure. The best-known hash functions (MD5, SHA-1, and SHA-256) have been around a while, and are widely used because they're easy to implement and very fast, which is exactly what you want for a file checksum and exactly what you don't want for a password.

Slow hashes, still combined with salts, are built to resist attacks that rely on speed: each guess costs the attacker far more computation, so they manage substantially fewer attempts per second, cracking takes far longer, fewer passwords fall, and the attempt becomes less worth it. Cybercriminals have to weigh up whether it's worth attacking such a system over comparatively "quick" targets: medical institutions typically have less security, for instance, and data obtained from them can still be sold on for surprising sums.

Slow hashes are also adaptive: they take a cost parameter that can be raised as hardware gets faster, so a site can keep each guess expensive year after year. Coda Hale, Microsoft's former Principal Software Developer, compares MD5 to perhaps the most notable slow hash function, bcrypt (others include PBKDF2 and scrypt):

“Instead of cracking a password every 40 seconds [as with MD5], I’d be cracking them every 12 years or so [when a system uses bcrypt]. Your passwords might not need that kind of security and you might need a faster comparison algorithm, but bcrypt allows you to choose your balance of speed and security.”

And because a slow hash still takes well under a second to compute for a single login, legitimate users shouldn't notice.
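The salting and slow-hash scheme described over the last two sections, as an added example (not code from the article or from any product it mentions). It uses Python's standard-library PBKDF2-HMAC-SHA256 as the slow hash, a fresh 16-byte random salt per password, a constant-time comparison at login, and a stored record that carries its own iteration count so the cost can be raised later without breaking existing logins. The record format, the 600,000-iteration default and the function names are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Work factor per guess. Assumption for this example: 600,000 iterations of
# PBKDF2-HMAC-SHA256; raise it as hardware speeds up. Existing records keep
# their own count, so they still verify and are upgraded at next login.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt and slow-hash a password for storage.

    Returns a self-describing record, "pbkdf2_sha256$<iterations>$<salt>$<hash>",
    so the verifier knows exactly how to recompute it years later.
    """
    salt = secrets.token_bytes(16)  # fresh, unpredictable salt for this one password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == would let response timing leak how
    # many leading bytes of the guess were right.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record was made with a lower cost than current policy."""
    return int(record.split("$")[1]) < iterations


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login and, on success, transparently upgrade weak records.

    Login is the only moment the server holds the plain text password, so it
    is the only moment the stored cost can be raised.
    """
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed user store: one record made under an older, cheaper policy.
    users = {
        "alice": hash_password("IH3artMU0", iterations=10_000),
        "bob": hash_password("IH3artMU0"),
    }
    # Same password, different salts, different records: no shared table helps.
    print("alice and bob share a password but not a hash:", users["alice"] != users["bob"])
    print("alice needs rehash:", needs_rehash(users["alice"]))
    print("login ok:", login(users, "alice", "IH3artMU0"))
    print("alice upgraded:", not needs_rehash(users["alice"]))
    print("wrong password:", login(users, "alice", "ih3artmu0"))
```

Storing the algorithm and iteration count inside each record is what makes the scheme adaptive in practice: a site can bump the default whenever it likes, and every account migrates the next time its owner logs in, with no password reset required. A production system would normally reach for bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolling even this much, but the moving parts are the same.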

Why Does It Matter?

When we use an online service, we enter into a contract of trust. You should be safe in the knowledge that your personal information is being kept secure.

Storing your password safely is especially important. Despite numerous warnings, many of us use the same one for different sites, so if there's, for example, a Facebook breach, your login details for any other sites that you frequent using the same password might also be an open book for cybercriminals.

Have you discovered any Plain Text Offenders? Which sites do you trust implicitly? What do you think is the next step for secure password storage?

Image Credits: Africa Studio/Shutterstock, Incorrect Passwords by Lulu Hoeller; Login by Automobile Italia; Linux password files by Christiaan Colen; and salt shaker by Karyn Christner.

Related topics: Encryption, Online Privacy, Online Security.


  1. Vickie Allen
    August 24, 2016 at 9:14 am

    Thanks for the information...

  2. Osine
    August 24, 2016 at 8:09 am

    "An easy way of finding out if a site uses this is if, just after signing up, you receive an email from them listing your login details. Very dodgy."
    Nope. Some websites use scripts to automatically send your password. No security flaw here.
    BUT if after clicking on "I've lost my password", you receive an email with your current then it is stored as plain text.

  3. Anonymous
    August 24, 2016 at 4:54 am

    Rainbow tables are unwieldy beasts. If you iterate a hash a large number of times (say 1,234 times), it becomes costly to create rainbow tables for it. If the iteration count is secret, it would be nearly impossible for hackers to figure it out to even make a rainbow table.

    Of course, using a salt with a slow hash function is better. Better still is to iterate the number of slow hashes. And not all slow hashes are created equal. They should choose those that cannot be parallelized or have a memory trade-off.

  4. Anonymous
    August 24, 2016 at 12:55 am

    Speaking of storing passwords as plain text - remember those innocent days (say ten years ago) when you forgot your password, all you had to do was click the "forgot" link, enter the email address you registered with, and the site would helpfully email you your password - in plain text? And those were the days when emails were not encrypted - and no one seemed to mind. Oh, those days of internet innocence.