Passwords, as essential as they are to our online security, should never appear in plain-text. It is the worst way to store a password, and compromises the essential security function of a password. Unfortunately, there are some unscrupulous web services out there that do exactly that.
Too many times I have clicked the “Forgot your password?” button on a site, and received an email like this:
Thank you for registering with My Terribly Unsecure Web Service. Your account details are below.
===============================
User Name: geoff
Password: Wm,d9n'k

(That’s not my actual password. Sorry hackers.)
Do you see the glaring problem? Your password appears in plain text! Now you may think: “well, only I can see this email, so it’s fine.” It’s not. In most cases, an email like this indicates that the web server has stored your password in plain text in its database. If someone is able to hack into the database, they can readily read your password and compromise your account, as well as the website itself.
The other scenario in which you would see a plain-text password is with encrypted passwords. What happens in encryption is that a special key is used to turn your password into another string of text. If your password was 124, for example, its encrypted form might be 974hw8z01po2. While this may seem more secure, it has the same vulnerabilities as bare-bones password storage, because encryption is reversible: anyone holding the key can turn the stored text back into your password. Since encryption keys and passwords are often stored on the same server, an intruder would simply have to find the key to unlock the vault to the passwords. Once again, system compromised.
If you ever get an email with your password in plain text, change your password and consider deleting your account on the service. Delete the email permanently as well, for assurance. Since a significant portion of Internet users reuse the same or similar passwords across the Web, it would be a catastrophe if a hacker who knows one of your passwords could compromise all of your online accounts.
How can I ensure my passwords are secure?
Enter the domain of hashes. Like encryption, your password is turned into a string of text via a function. The difference here is that hashes are one-way roads: while you can hash any password, you cannot un-hash it. The way that authentication works with hashing, then, is that the web server hashes the password you type in and compares the result with the hash stored in the database. If they match, the door opens.
While hashes are far more secure than plain old encryption, there’s still a caveat. A hacker can still crack hashed passwords by using rainbow tables, which are huge files of precomputed hashes for known passwords. For example, the SHA-1 hash for password1 is e38ad214943daad1d64c102faec29de4afe9da3d. This and billions of other associations have the power to crack even a so-called “strong” password in a matter of minutes.
This is where salts and slow hashes come in. For salts, the server generates a random string, unique for each password, combines it with your password before hashing, and stores the salt alongside the resulting hash. While the details of salt hashing can get rather esoteric, adding a salt significantly increases the time required to brute-force a password: a precomputed rainbow table no longer helps, because two users with the same password end up with different hashes, and the hacker must recompute the hash for every guess against every salt, accounting for the length of the salt, the algorithm used to generate it, and how it is combined with the password. As for slow hashes, the name says it all. Instead of taking milliseconds to compute a hash, like the popular SHA-1 and MD5 hashes, slow hashes take much longer. As a result, computing rainbow tables, or simply testing billions of guesses, with such slow hashes will be very time-consuming.
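As an added example (not code from the original post), here are the schemes above side by side in Python: a plain unsalted SHA-1, which a tiny constructed rainbow table reverses by simple lookup, and a salted slow hash (PBKDF2-HMAC-SHA256 from the standard library, with an assumed iteration count) that gives every user a different stored digest and must be recomputed for each guess. The password list, table contents and the iteration count are constructed assumptions, not values from any real service.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a rainbow table: precomputed SHA-1 hashes of a
# handful of common passwords. A real table holds billions of entries.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]
RAINBOW_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_in_rainbow_table(stored_hash: str) -> Optional[str]:
    """Recover the password behind an unsalted hash by table lookup.

    No brute force is needed: because there is no salt, every user who chose
    'password1' has exactly the same hash, so one table serves every site.
    """
    return RAINBOW_TABLE.get(stored_hash)


# Parameters for the slow, salted scheme. The iteration count is an assumed
# value chosen for illustration; it is what makes every guess expensive.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_stored_record(password: str) -> Tuple[bytes, bytes]:
    """Salted slow hash: a fresh random salt per password, returned with the digest.

    The server stores the salt and the digest; it never stores the password.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-run the hash on the candidate with the stored salt and compare digests.

    compare_digest runs in constant time so the comparison itself does not leak
    how many leading bytes of the guess were right.
    """
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get two different stored digests,
    so a single precomputed table cannot be reused against both."""
    _, digest_a = make_stored_record(password)
    _, digest_b = make_stored_record(password)
    return digest_a != digest_b


if __name__ == "__main__":
    weak = fast_unsalted_hash("password1")
    print("unsalted SHA-1:", weak, "->", lookup_in_rainbow_table(weak))

    salt, digest = make_stored_record("password1")
    print("salted PBKDF2 digest:", digest.hex())
    print("table lookup on salted digest:", lookup_in_rainbow_table(digest.hex()))
    print("verify correct password:", verify_password("password1", salt, digest))
    print("verify wrong password:", verify_password("password2", salt, digest))
    print("same password, different digests:", salted_hashes_differ("password1"))
```

Running the script shows the unsalted hash being recovered instantly from the table, while the salted digest has no table entry, verifies only for the right password, and changes every time the same password is registered.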
With services that use hashing, you will never see your password in plain text. In fact, the server doesn’t even know your password; all it knows is what it looks like after it’s gone through the blender of hashing. This is why for most services, you must click a “Reset my Password” button if you ever forget.
The rule of thumb: if a web service ever gives you your password in plain text, get out as soon as possible!