Where do Websites Store Passwords?

As the amount of confidential data required to use web applications and websites increases, the attempts to obtain this information through nefarious means also increases. With cyber-attacks becoming more prevalent in the modern web, the interest in cybersecurity is naturally growing amongst everyday ordinary users.

More often than ever before, users find themselves wondering what goes on under the hood of web security. One of the most common queries relates to the process of how websites deal with storing a user’s password. On the surface, the process of creating, saving and retrieving passwords creates ample opportunity for a malicious actor to intercept this information.

Taking this into account, where do websites actually store passwords? 

Typically, websites use hash functions in order to convert a user’s inputted password to a safe format for storing. Hash functions are computer functions used to take a user’s input and transform it into a format that’s unreadable by malicious actors.

Once this encryption has taken place, the user’s password can be stored safely. A network request will be sent to the server with this cryptic information and the server will then store the hashed value in the database.

Types of these databases include:

This is a simplified overview of the password storing process, let’s delve deeper and examine password storage in more detail.

How is a password encrypted?

The process of encrypting a password can vary depending on the website and the technology stack behind it. Generally, storing passwords in plaintext is an ill-advised storage method and massive security concern. This would allow anyone with access to the database to view the password for many users in plain sight.

To avoid this, websites store data using a range of encryption methods. As we’ve already highlighted, hashing is the most common method of password encryption on the web. Hashing a password converts the text into an indecipherable format that returns a unique result which can not be reverse-engineered to find the original format

For example, if a password created is ‘54321’ (not secure enough), the hashing algorithm will convert it to something with no particular pattern ‘v54gdgfdgdfg’. This hash value is now associated with the user’s account and will be stored in the database in this newly transformed format. Remember, this hashed password is unique and will not match any other users credentials that have been converted with the hash algorithm.

There are downsides to using hashing. While malicious actors can’t decode a hash back to the original password, they still can try various different passwords until it matches the hash value. This, of course, isn’t exactly easy as there is undoubtedly a lot of trial and error of many different combinations. So to eventually decode a hash value like this a rainbow table is used.

A rainbow table is a huge list of trillions of different hashes and their corresponding matching passwords. They exist to provide an enormous source of pre-computed hashes for every possible combination of characters. This is described on coding horror who states:

An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster– assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It’s a classic time-memory tradeoff, exactly the sort of cheating shortcut you’d expect a black hat attacker to take.

So while it definitely has its benefits, it should be noted that hashing is a one-way street: if you have the hash value of a password you cannot reverse it to obtain the original password. Although hashing is still suitable for masking the contents of a password.

Salting

Additional security measures can be applied to a passwords hash value. A method called salting will add extra characters to the user’s password before the bashing algorithm is invoked.  These characters are added to the beginning or end of the password. A different salt is used for each password, even if the salts are on the same server, it is still difficult to look them up in a rainbow table.

A notable case of a high profile company not using salted hashes is Linkedln. In their infamous hack in 2016, where up to 117 million usernames and passwords were published by cybercriminals.

The general consensus around the incident indicated that if Linkedin had implemented salting their user’s information would have been significantly safer. Overall, a salted password, by itself does not negate a brute-force attack against a user’s password, however, it significantly helps against rainbow table attacks.

Overall, salting adds further complexity for any malicious actors attempting to decrypt a password. 

Slow Hashes

Amongst major security experts, it is thought that slower hashes are the optimum way for storing a user’s password. Standard hash functions like MD5, SHA-1 and SHA-256 serve their purpose for providing basic security. However, if trying to protect against modern-day hacks they can fall somewhat short due to the advantages provided by rainbow tables, which we mentioned earlier.

It is thought that slow hashes are the way forward. But how is this effective, surely a slower hashing process is detrimental to password security? Well, as malicious attackers attempt more and more potential password combinations, ideally we want this process to be slowed down. The hashing process is made inherently slower by ensuring that the hash function utilizes many internal iterations. These extra iterations could be thousands or even millions.

Essentially, this slow hashing acts like a race between the attacker and the defender. Adding additional iterations makes the hashing of the password more difficult for both parties. Thankfully, this doesn’t have much of impact on the individual user and their password but it will massively slow down attackers attempting to decode hashed passwords from a database

During brute force attacks, time is the most important factor. Slowing the hash process is the last line of defense here. Some of the most common algorithms used for a slower hashing process include:

How do I find stored passwords?

With the emphasis on having different passwords for each one of a user’s login credentials, it can be difficult to keep track of each one. Our browsers do a great job of keeping our password upon our consent. However, a scenario can arise where we need to find a specific password for a certain website.

This is made relatively easily by Chrome and other browsers. In Chrome a list of stored passwords can be accessed by typing chrome://settings/passwords into the URL.

 

This provides a great configuration tool of passwords saved from a multitude of websites. The tracking of your passwords in your browser can also be enabled/disabled here. But Chrome isn’t the only reliable password manager. There are plenty of additional services that provide security by generating and managing a password for every site.

Take for example a service like LastPass. It allows users to share passwords amongst themselves. This is great for larger organizations and teams that collaborate using shared tools/services. It’s not limited to just sharing though, services like LastPass will generate a password based on complex matching patterns.

Additionally, LastPass will populate password fields on your behalf. This takes the responsibility of the user to type out the password which avoids potential security concerns relating to trojans and other malicious software tracking keypresses.

While I’m sure there are many other useful password trackers. LastPass has been the only thing I’ve reached for. This is mainly because its Chrome extensions provide more utilities for managing passwords than I’d ever really need to use.

Conclusion

Security is becoming more topical every day as scenarios where a user’s data being compromised continues to occur. It’s now more important than ever for the everyday user to educate themselves on basic security practices. A lot of the worry can be alleviated by using modern password managers. Having a trusted brand deal with the generation, storage and input of your passwords is a surefire way to prevent leaked data.

Again, no password manager is foolproof but for most people, they are substantially safer using one. In general, people’s password habits leave a lot to be desired. So, unless you are a security professional trying to implement a security schemes for a company, using a password manager is most likely the right choice.

Gareth Dunne

Senior JavaScript Engineer and creator of JSdiaries. Passionate about the latest in web technologies and how it can provide value for my clients.