How are passwords stored on websites?
Ever wondered how they save your password on sites where you have to sign in? There seems to be a lot of mystery surrounding how this is done and I get asked questions about it regularly.
Don't worry - reputable websites will never store your password in plain or clear text (that is, if your password is "password" then that exact text will never be stored on their system). Instead they store what is known as a "one way hash" of your password. A one way hash is a mathematical function that converts a password into a fixed-length string of text. Now, you might be wondering, how come it's bad to store a plain text password yet fine to store the hash? Well, the great thing about one way hashes is that they are one way - you can create one from a password but you can't "undo" the hash to recover the password. In fact, a 128-bit hash can take a staggering 340,282,366,920,938,463,463,374,607,431,768,211,456 different values! Put another way, the chance of two different passwords giving the same hash is 0.000,000,000,000,000,000,000,000,000,000,000,000,029%.
Note: This is why most places can only offer to reset your password and not recover it for you.
So, let's look at the password process, but this time making it transparent!
First, you need to enter a password. When you send this password to the server where the website is hosted, a small program converts it to a hash. The most common hash type is called MD5 (MD stands for "Message Digest"). In this example it won't do this automatically - you have to click on the button!
[Interactive demo: enter a password under "Password Entered", press "Convert", and the hash the server keeps appears under "Password Stored".]
OK, now the server has the hash of your password, what happens the next time you try to access the site? I've already said that the server can't "undo" the hash to recover your password because the hash is one way. What it does instead is take the password you enter, convert this to a hash, and then test this hash against the stored one.
Experiment below - this page remembers the hash of the password you entered earlier. Enter a password below, convert it, then click the "Test Password" button. The two hashes will be checked to see if they match.
[Interactive demo: enter a password under "Enter Password", press "Convert" to produce the "Temporary hash", then press "Test Password" to compare it with the stored hash.]
So what stops hashes being the same? Or similar? Well, firstly, "similar" hashes are meaningless - they are either the same or not. Two letters next to one another in the alphabet produce dramatically different hashes:
| Letter | Hash |
|---|---|
| A | 7fc56270e7a70fa81a5935b72eacbe29 |
| B | 9d5ed678fe57bcca610140957afab571 |
Uppercase and lowercase letters produce different hashes too:
| Letter | Hash |
|---|---|
| a | 0cc175b9c0f1b6a831c399e269772661 |
| b | 92eb5ffee6ae2fec3ad71c777531578f |
Also, the chances of two passwords creating identical hashes are virtually nonexistent (under normal conditions and using modern algorithms like MD5 you can stop worrying about it).
Update: See Hash Collision for information relating to a statistical-analysis research paper that has uncovered weaknesses in hash algorithms.
This example uses JavaScript code developed by Paul Johnston - http://pajhome.org.uk/crypt/md5 - our thanks to him for making this available.