Are sites storing your passwords securely?


Makise from Steins;Gate sitting, perhaps contemplating password hashes.

There have been so many password "hacking" stories lately, I thought I'd write this post so I can refer back to it. For added security, I've included the above image of Makise Kurisu, the scientist in my anime harem.

Covering my behind

Crypto is an exact science, so before I go any further I will make these clear.

  • When I say random, technically I mean pseudorandom. Algorithms are deterministic, and computer order and logic can’t strictly speaking produce "true" randomness. Contemporary algorithms are an order of magnitude better than the BASIC RND() function of yore though.

  • When I say impossible and one way, I mean practically speaking. Our current algorithms would take the birth and death of several universes to brute force with current hardware, but that doesn’t mean it’s impossible. Just very very very very improbable!

How passwords are supposed to be stored

When you create an account with a well designed, secure website, your chosen password is not stored anywhere. Instead, your password is put through a one way cryptographic hashing algorithm which converts it to random gibberish, along with some salt or random information only the web server knows.

When you attempt to log into your site, the password you give is hashed and compared to the hash on file. If they're the same the server knows you have the right password.

It's a proven, tested technique and it works… provided everything is implemented properly. No doubt you've seen plenty of news stories suggesting sound security is harder than coming up with some snappy alliteration on a blog post.

Diagram showing a password and salt being fed into a hasing algorithm, which becomes a hashed password, which is passed to a database.

Why go to the trouble?

Rather than storing a hash of a password, you could simply store the password and compare it when someone logs in. It's simpler, and a worryingly large number sites still do this.

The problem is, if the database is broken into, the malicious hacker has access to all your customer's passwords. People like conserving energy (politically correct way of saying lazy!), and are probably using those same passwords for all sorts of stuff including their banking sites, email, social networks and so on. You can see what a disaster this could be!

If you store them as hashes, all anyone ever sees is random gibberish… even the site owner!

How to tell

Short of asking the site administrator, there are two main tells that a site is storing your passwords instead of a hash:

  • They’re able to provide you with your password. This could happen when you first create your account and they send you a welcome email, or if you’ve said you’ve forgotten your password. A secure site should always direct you to a page to reset it, because they don’t know your password either.

  • Hashes take any password length and adjust them to a uniform size (such as 128 bits). Not always, but often if a site puts a limit on your password length, it’s because they’re storing it as plaintext in their database.

There may have been (bad) excuses for these practices in the past, but not any more. If a site you access does either of these, it's time to question how important they are and whether they're worth risking your data and security over. Blunt, but true.

If you suspect a site you access is storing your password in plain text and you have no choice but to use them, complain, and make sure you pick something random and unique to that one site. If/when they get broken into, you'll be glad you did.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.