A few years ago it was reported that Russian hackers had stolen 1.2 billion usernames and passwords from a variety of websites. This was only possible because those websites were storing the actual password. Because it’s World Password Day and because this is web security 101, let’s discuss why there’s really no excuse for a website to store your password – ever.
A website with a login only needs to store a hash of your password, computed when you create your account (or change your password). There is never a need to store the password itself. Hashing is a one-way function, not encryption: there is no key and nothing to decrypt. With a proper password-hashing algorithm it is impractical to recover the original password from the hash; the attacker's only route is to guess candidate passwords, hash each one and look for a match. When you log in, the site takes the password you just typed, hashes it the same way and compares the result to the hash it stored when you created your login (or last changed your password). If they match, the site knows the two passwords were the same, and it still never needs to know, or keep, the password itself. One detail matters here: a "good hashing algorithm" for this purpose means one designed for passwords (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), which is deliberately slow so that every guess costs the attacker real computing time. A fast general-purpose hash such as plain MD5 or SHA-256 is not enough on its own.
We’ve blogged before about how to securely handle passwords in app development. Two simple techniques make a stolen table of hashes far less useful: give each user a random salt that is hashed together with the password, and use a deliberately slow hashing algorithm. The salt means two users with the same password end up with different hashes and precomputed tables of hash values are useless; the slow algorithm means every guess is expensive. So if a hacker got your database and all the hashes, they would have to mount a separate, costly guessing attack against each user's hash, and a hash that is eventually cracked tells them nothing about any other user's password.
Anyone responsible for the security of a website should know all this. This is web security 101. While the identities of these websites were not made public, you can bet they were sites with a lot of users. It’s hard to believe that sites with large numbers of users wouldn’t be doing these security basics.