Hashing & Authentication: How are your passwords stored on websites?

Hashing & Authentication: How are your passwords stored on websites?

It is important when we learn about encryption and using it alongside strong passwords, to also take a look at how these passwords are stored on the website’s server. The issue is that once you send something to a server, it is out of your hands unless you operate the server yourself. So it is important for server owners to be storing as little information as possible on the server unless it is in an unreadable, encrypted format.

SQL injections and database compromises can expose anything in plain text and they are surprisingly very common occurences. Hashing is similar to encryption but comes into play when securely storing password. When you register for many websites, they take your password and they store it on the server so that every time you login, it just compares the two passwords and if they are the same, it logs you in. However, this is incredibly insecure even with SSL implemented.

The good websites/servers (which should be the majority of them now) hash your passwords before sending them to the server, which basically means storing them in a jumbled fashion. It is done commonly through what we call “hashing algorithms” like SHA256 or SHA512. As a side note, those are two common hashing algorithms that are often accompanied by PBKDF2 (which is used for key stretching to thwart brute force attempts). Then when you login the next time to the site, your browser converts the password into that same string of random characters and matches it with the string of random characters it has stored on the server. If the two match, you are authenticated and allowed into your account.

Going into a little more detail on key stretching and PBKDF2, there is a related term known as Password Iterations or Iteration Count that defines the computational power that needs to be exerted between password attempts. The higher the number of rounds used, the more secure your account/encryption/password is going to be. Companies can also add a salt to the hash, which adds a random string of characters to the end that actively thwarts dictionary attacks ( For some reference, the default iteration count for 4 common services/applications are listed:

  • LastPass – 5,000 (Client side) + 100,000 more (Server Side)
  • TrueCrypt – 1000
  • VeraCrypt – 500,000
  • FileVault2 – 41,000

See: Secure Password Managers on