Password Storage: What You Need to Know
August 06, 2024
Introduction
Password security and storage is an essential facet of cybersecurity. Data breaches are becoming more and more common at large companies, and the methods companies use to store user login information can determine how damaging the breaches are. In modern times, passwords are used everywhere to secure information. But do you ever wonder how they work?
Plaintext
At the lowest level are plaintext passwords. This is when companies store user login details as unencrypted plaintext. So, if a user makes their username “user1” and their password “password1”, it will be stored exactly like that in their user database. This is the worst possible practice, as any data breach will give malicious actors instant and easy access to all affected user accounts. The only layers of protection from this are the outer layers of security, which are almost never infallible.
Encryption
Next, there are encrypted passwords. Encryption is a process that makes something normal, unreadable. An encryption algorithm will always give the same encrypted text from the same plaintext. There is no randomness involved. There are also many different encryption algorithms, all resulting in different encrypted text. Every individual using an algorithm has their own key to the algorithm, and this key gives them individualized encryption results. Think of the key like an answer key to a certain test. Each test is very different and might have a different answer key. However, encrypted text can be decrypted with what is essentially the encryption process, just reversed. So, if a malicious actor is able to figure out the encryption algorithm, and find the specific key used by the company to encrypt the information, they could still find the actual username and password in a data breach, even if it is encrypted. Regardless of its ability to be decrypted, encryption is better than plaintext storage, as any extra layers of security are always helpful.
Hashing
After encryption, there is hashing. Hashing is similar to encryption in a lot of ways. It takes normal plain text and turns it into something unreadable by using what is called a “hash function”. However, unlike encryption, something that has been hashed can’t be unhashed. Even if a malicious actor is able to figure out the hashing process, there is nothing they can do with the hashed passwords. The only way they can find a user’s password when it is hashed is by guessing the login details. As a side note, usernames are not always hashed when stored. This depends on the desired security level of the company. Sometimes usernames are needed for things other than login, such as password resetting, and must be accessed outside of login related activities. Once a data breach has occurred, malicious actors will often hash commonly used usernames and passwords and see if they match any details they gained from a breach. This works because, just like encryption, the same normal text will always hash to the same unreadable text. However, as long as users don’t use common passwords, hashing is far more secure than encryption.
Conclusion
This is only a general overview of how password storage works. There are more techniques each method can use to better secure sensitive data. Each method has drawbacks and benefits, and whether you’re running a business or just an average user, it helps to be aware of how sensitive information is stored.
Sources
https://usa.kaspersky.com/blog/how-to-store-passwords/28961/