There have been so many password "hacking" stories lately, I thought I'd write this post so I can refer back to it. For added security, I've included the above image of Makise Kurisu, the scientist in my anime harem.

Covering my behind

Crypto is an exact science, so before I go any further I will make these clear.

How passwords are supposed to be stored

When you create an account with a well designed, secure website, your chosen password is not stored anywhere. Instead, your password is put through a one way cryptographic hashing algorithm which converts it to random gibberish, along with some salt or random information only the web server knows.

When you attempt to log into your site, the password you give is hashed and compared to the hash on file. If they're the same the server knows you have the right password.

It's a proven, tested technique and it works… provided everything is implemented properly. No doubt you've seen plenty of news stories suggesting sound security is harder than coming up with some snappy alliteration on a blog post.

Why go to the trouble?

Rather than storing a hash of a password, you could simply store the password and compare it when someone logs in. It's simpler, and a worryingly large number sites still do this.

The problem is, if the database is broken into, the malicious hacker has access to all your customer's passwords. People like conserving energy (politically correct way of saying lazy!), and are probably using those same passwords for all sorts of stuff including their banking sites, email, social networks and so on. You can see what a disaster this could be!

If you store them as hashes, all anyone ever sees is random gibberish… even the site owner!

How to tell

Short of asking the site administrator, there are two main tells that a site is storing your passwords instead of a hash:

There may have been (bad) excuses for these practices in the past, but not any more. If a site you access does either of these, it's time to question how important they are and whether they're worth risking your data and security over. Blunt, but true.

If you suspect a site you access is storing your password in plain text and you have no choice but to use them, complain, and make sure you pick something random and unique to that one site. If/when they get broken into, you'll be glad you did.