How are passwords stored on websites?
Ever wondered how they save your password on sites where you have to sign in? There seems to be a lot of mystery surrounding how this is done and I get asked questions about it regularly.
Don't worry - reputable websites will never store your password in plain or clear text (that is, if your password is "password" then that exact string will never be stored on their system). Instead they store what is known as a "one way hash" of your password. A one way hash is a mathematical trick that converts a password into a fixed-length string of text. Now, you might be wondering, how come it's bad to store a plain text password yet good to store the hash? Well, the great thing about one way hashes is that they are one way - you can create one from a password but you can't "undo" the hash to recover the password. In fact, a 128-bit hash can take a staggering 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values! Put another way, the chance of two different passwords giving the same hash is 0.000,000,000,000,000,000,000,000,000,000,000,000,029%.
Note: This is why most places can only offer to reset your password and not recover it for you.
So, let's look at the password process, but this time making it transparent!
First, you need to enter a password. When you send this password to the server where the website is stored, a small program converts it to a hash. The most common hash type is called MD5 (MD stands for "Message Digest"). (In this example it won't do this automatically; you have to click on the button!)
OK, now the server has the hash of your password. What happens the next time you try to access the site? I've already said that the server can't "undo" the hash to recover your password because the hash is one way. What it does instead is take the password you enter, convert it to a hash, and then test this hash against the stored one.
Experiment below - this page remembers the hash of the password you entered earlier. Below, enter a password and convert it, then click the "Test Password" button. The two hashes will be checked to see if they match.
So what stops hashes being the same? Or similar? Well, firstly, "similar" hashes are meaningless - they are either the same or not. Two letters next to one another in the alphabet produce dramatically different hashes:
Uppercase and lowercase letters produce different hashes too:
Also, the chances of two passwords creating identical hashes are virtually nonexistent (under normal conditions and using modern algorithms like MD5 you can stop worrying about it).
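The sign-up and sign-in steps described above, plus the adjacent-letter and upper/lowercase demonstrations, as an added Python example (this is not code from the original page). It uses MD5 because that is the hash the page discusses; the function names are my own.

```python
import hashlib
import hmac


def md5_hex(password: str) -> str:
    """Return the hex MD5 digest of a password (the hash type the page describes)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Sign-up step: the site keeps only this value, never the password itself."""
    return md5_hex(password)


def check_password(stored_hash: str, attempt: str) -> bool:
    """Sign-in step: hash the typed password and compare it with the stored hash.

    The hash is never 'undone'; only the two digests are compared. compare_digest
    is used instead of == so the comparison takes the same time whether the
    digests differ in the first character or the last.
    """
    return hmac.compare_digest(stored_hash, md5_hex(attempt))


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 128 bits differ between two MD5 digests.

    Used below to show that 'similar' inputs do not give 'similar' hashes.
    """
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    stored = store_password("password")
    print("stored hash :", stored)
    print("correct     :", check_password(stored, "password"))
    print("wrong case  :", check_password(stored, "Password"))

    # Two letters next to one another in the alphabet.
    a, b = md5_hex("a"), md5_hex("b")
    print("md5('a')    :", a)
    print("md5('b')    :", b)
    print("bits differ :", differing_bits(a, b), "of 128")

    # Uppercase vs lowercase.
    print("bits differ :", differing_bits(md5_hex("password"), md5_hex("Password")), "of 128")
```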
Update: See Hash Collision for information on a statistical-analysis research paper that has uncovered weaknesses in hash algorithms.