Every day we read that a website or web service has been ‘hacked’ and that user data has been stolen. The question is – how do websites keep your password stored and is it secure?
If you have recently opened IT portals, you could certainly read the news that a certain page was hacked, its user data stolen, and similar. We are not talking about some obscure and low-traffic websites. It can be Google, Facebook, LinkedIn, or Reddit. For example, LinkedIn was recently hacked where the data of 700 million users was stolen.
One of the worst things hackers can do to you is to get your password and username. That way they can ‘sweep‘ your bank account which you used to connect to your credit card for purchasing online, paying bills, gambling at most famous casinos by the link, etc. Such a thing might happen to you especially if you do not follow the safety recommendations and use the same combination of the mentioned personal info on several websites. But the security of your password is not only on you but also on the pages where you created the account.
So the question arises – how do websites store your password in their database? How do they make it safe? Who has access to passwords?
Worst Case Scenario: Plain Text
Consider this situation: a large and popular website has been hacked. The hackers broke through all the protection layers it has and may have even taken advantage of the flaws in the architecture employed. You are a user of that site. The website in question sends an email that it has had security issues but that your information is secure, except that the passwords are stored as “plain” text. Such databases, in which passwords are unencrypted, only cause problems.
There is no encryption algorithm that has made them a little more secure. Hackers can simply just read your password and that’s it. And here it doesn’t matter how complex your password is. You can have an 18-character password, use uppercase and lowercase letters, special characters… if it is entered in the database as such and the one who has access to the database has your password. They don’t even have to be hackers. An employee of a company, who has access to the production base because, say, he is working on website development, can see your password, too.
You may think this is a problem that rarely happens, but it is not. According to some estimates, about 30 % of eCommerce websites do not have protected data. How will you know this most easily? When they send you an email after registration in which you see your username and password. Then log in to the website again, change your password if you use it elsewhere, and email them that their security is disastrous. In fact, we recommend that you do not buy from such sites and do not give them your information. Of course, this is not an indicator that passwords are saved in plain text for sure, but it is a very big chance they are. After all, they should not email you such information because someone may read your email as well.
For the end of this section, keep in mind that no system is error-free and 100 % secure, but some do not even follow basic security protocols when creating a website and protecting user data.
Not as Good as It Seems: Encrypted Passwords
What do many websites do to add some security to your passwords? They turn to encryption. In essence, the encryption mechanism turns your password into an unreadable string of signs that cannot be decrypted without a private key. More precisely, two keys – one is with the company, and the other with you (it is in the form of login data). Therefore, even if someone gets an encrypted password, they will not be able to do much with it.
You should use encryption wherever you can. FaceID on iPhone is a kind of encryption. The passcode is encryption. The Internet rests on encryption. But no matter what you hear, the encryption is not perfect. It is as secure as the keys stored on the servers of the company that owns the website. We will not go into too much detail, but if hackers find both keys on the server, they can get hold of your password. It is practically the same as if the password is written in plain text. That is why you have websites like PlainTextOffenders that keep a list of services that use encryptions that can be decrypted.
Surprisingly Simple (but Not Always Effective): “Hashing”
“Hashing” password may sound strange, but it is a more secure form of encryption. Instead of a web page keeping your password in plain text, it gets it through a hash function (such as MD5, SHA-256, and others) and saves it to its database. It becomes unreadable, that is, nothing can be done with it.
Let’s say your password is “CaliforniaBeat123!”. When you run it through the SHA-1 hash function, you get something like “1d43f94e73cc84882b8f24c97541ce3109e3a312”. And the great thing is that it only works in one direction. You cannot decode this string and get the original string from it. Unfortunately, again, this is not the safest either. It is better than plain text, but this is something that hackers – in part – have broken through.
This means that a single string of characters will always give the same output if you use a particular hash function. “CaliforniaBeat123!” will always give “1d43f94e73cc84882b8f24c97541ce3109e3a312” if you use the SHA-1 algorithm. That is why hackers have developed the so-called “rainbow tables”. Think of it as a cheat sheet. They have lists of hashes and passwords and can compare those tables to your hash. If they cannot find the password on their cheat sheet, they can try using the brute-force technique to find your password, especially if they know which hash algorithm is being used. Of course, for longer and harder passwords, it will take them longer, so it is much better to use the password, e.g. “[email protected];9k2” than “password123” or “qwer1234”. But again, it is not 100 % safe.
Perhaps the Best Option Today: Adding “Salt” to “Hashing”
Nothing is impossible to breakthrough. Hackers will always find ways to penetrate new security systems. But if a website implements all security standards and uses ‘smart’ hashes, it will make hackers’ lives miserable, often to the extent that they will give up trying to steal data.
“Salted hashes” is one of those security recommendations or protocols that is good to use if you really want to protect your users as a website. To simplify – when creating a password, the website generates a long and complex string of characters for each individual user. So, for each user, a unique string of characters is set. This string is then added to the beginning or end of your password, and it is then passed through the hash function. So the just mentioned “rainbow tables” will not be of much help to hackers. In general, it doesn’t matter whether the “salt” (mentioned string of characters generated for each user) is stored on the server along with the passwords or not. It will take hackers too long to break through such protection. Plus, if you have a complex password, it is virtually impossible for hackers to guess your combination.
Websites that take care of password security, and then your security, will use proven and secure hash algorithms such as (MD-5, SHA-1, SHA-256)… they are relatively easy to implement by the developer and will make life difficult for hackers. In addition, it is very useful for websites to add a login restriction. This means that when you make a mistake in typing your password, you cannot log in again for the next 5 seconds. If you enter the wrong password again, that time is 10 seconds, and then 20 seconds, 40, etc. This prevents hackers from brute-force attacks and the ability to try a million passwords in an hour.
At the end of the day, cybercriminals will always weigh how much time they have to spend hacking such websites and what their “profit” is for it. They usually give up when they see that you and a website have all the security mechanisms in place.