DEV Community

loading...

How are passwords stored?

Mohamed Oun
Full-Stack Googling expert.
・2 min read

Have you ever wondered how your passwords are stored in the websites you use?

Have you ever wondered why some websites tell you to set a new password, instead of sending you your forgotten password whenever you click ‘Forgot your password?’.

It’s because most websites nowadays don’t save your passwords in plain text, instead save its hash, and whenever you log in with a password, they hash it and compare the resulting hash with the one in the database. That means any attacker that gets to their database will only see the hash of your password, not the real one.

Tip: if you forget your password and the website sends it back to you in plaintext, then that's how they store it. You should make sure you're not using that password anywhere else and just never use that site again.

But what is a hash?

A hash is the output of a one-way function that takes an input and maps it to a fixed-length string that works as a unique signature for the given input and is ideally never produced with any other input (Wikipedia). The important properties of a hash function are that it’s

  1. deterministic (same input gives the same hash every time)
  2. practically impossible to generate the same hash from two different inputs
  3. It is impossible to get the input from the hash unless you try every possible input.
  4. Any change to the input, however small, would make the resulting hash unrecognizable from the original input’s hash. Examples of a hash function include MD5 (broken), SHA-1 (not recommended) and SHA-3 (recommended standard). Unfortunately, many people can use the same passwords, and because hash functions are deterministic, it means that the hashes of those passwords would be the same. That means if a passwords database were compromised, and you know the password of one user, you could also gain access to whoever has the same password (because the hashes are the same).

Enter salts

Salts are random data that are unique to each user, which are added to the user’s password before hashing it. Because of the 4th property of a good hash, the new hash is unrecognizable from the old one, thus even if user X and Y use the same password because X and Y have different, unique salts, the hash of each user’s password would look completely different. A salt can be publicly stored in plaintext, as it’s just random data that doesn’t provide any insight on the user’s password.

Salting

But how do I store passwords on my website?

This is the extensive Stack Overflow answer.

Discussion (9)

Collapse
tbodt profile image
tbodt

Maybe at least mention bcrypt and scrypt, and that the speed of the hash is a factor...

Collapse
mohamed3on profile image
Mohamed Oun Author

They're mentioned in the stack exchange answer.

Collapse
tbodt profile image
tbodt

I sort of doubt anybody is going to click on a link that's way at the bottom of the post

Thread Thread
mohamed3on profile image
Mohamed Oun Author

So you think it's better to duplicate the information?

Thread Thread
tbodt profile image
tbodt

Either that, or replace the entire article with just that one link. I'd go with the first one.

Thread Thread
mohamed3on profile image
Mohamed Oun Author

Really? the article is called 'brief introduction', so it's either have every relevant piece of information or none at all?

Thread Thread
tbodt profile image
tbodt

Good point.

I would add a sentence or two about hash speed, though

Thread Thread
mohamed3on profile image
Mohamed Oun Author

Fair enough. Have a nice day!

Collapse
yaphi1 profile image
Yaphi Berhanu

That was an awesome explanation.