How Do Companies Store Your Passwords?
Any website that you need a password to access needs some way of checking that you’ve entered
the right username and password combination. But, if the company were to keep a file entitled
“customer_passwords.xl” on its system, it would make itself an easy target for hackers. Instead,
websites use (or should use) a process called salting and hashing to protect your password from
thieves.
Hashing
Hashing is a process that works a bit like encryption. It takes a string (such as a password) and
transforms it into a string that appears random.
However, a hash function is a so-called one-way function: a process that is very easy to carry out in
one direction but computationally infeasible to reverse. This is different from encryption, which is
designed to be reversed (by the matching decryption process).
A simple example of a one-way function is the multiplication of prime numbers. If I give you two
prime numbers, for example, 17 and 23, and ask for their product, it’s a relatively simple calculation:
17 × 23 = 391
But if I give you the number 377 and ask you which two prime numbers I multiplied together to
produce it, the problem is much harder. Even with a calculator, you have to keep trying different
pairs of primes until you find the one that works.
If the prime numbers I used were really massive numbers (in the tens of thousands of digits), then it
would even take a computer longer than a lifetime to solve the problem.
Hashing helps websites store passwords in a safer way because they can store the hash of your
password, instead of the password itself. That way, when you sign in, the website can hash the
password that you supply and compare it with the hash that they have stored, and grant you access
only if they match. And if a hacker steals the stored hashes, they cannot, in theory, reverse the
process to recover your password.
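The following Python example is added here to show the sign-in flow just described; it is not code from the article. It keeps a constructed in-memory user table, stores only the SHA-256 digest of each password, and checks a login by re-hashing the supplied password and comparing it with the stored digest. Plain SHA-256 is used to mirror the text; the salting that the next section covers is deliberately left out of this block.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed in-memory user table: username -> hex SHA-256 digest.
# Only the digest is kept; the plaintext password is never written here.
_USERS: Dict[str, str] = {}


def hash_password(password: str) -> str:
    """One-way transform: easy to compute, not reversible to the input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(username: str, password: str) -> str:
    """Hash the new password and store the digest; return what was stored."""
    digest = hash_password(password)
    _USERS[username] = digest
    return digest


def stored_record(username: str) -> Optional[str]:
    """What an attacker who copies the table would see for this user."""
    return _USERS.get(username)


def login(username: str, password: str) -> bool:
    """Re-hash the supplied password and compare it with the stored digest."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    # compare_digest takes the same time wherever the two strings differ,
    # so a failed login leaks nothing about how close the guess was.
    return hmac.compare_digest(stored, hash_password(password))


if __name__ == "__main__":
    register("alice", "My_password")
    print("stored:", stored_record("alice"))
    print("right password:", login("alice", "My_password"))
    print("wrong password:", login("alice", "my_password"))
    print("unknown user:", login("mallory", "My_password"))
```

Running it prints a 64-character hex digest for alice that contains no trace of "My_password", followed by True, False, False: the table lets the site confirm the right password without ever holding it.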
Salting
Even though hackers can't reverse a hash, they can run a dictionary (brute-force) attack against a
stolen list of usernames and hashes. They take a dictionary of popular passwords, put each one
through the hash function, and check whether any output matches a hash in the stolen list. Every
match links a password to its username, which is how they guess customer passwords.
To defend against this type of attack, websites salt passwords before hashing them. This involves
adding a random string to each password before hashing it. Passing the string “My_password”
through a hash function produces a different output from passing the string “My_passwordsalt”.
Typically, websites will sort their passwords into batches and assign the same salt to every password
in a particular batch. Even if a hacker steals a batch of passwords, as long as they don’t know the salt
used, they can’t use the same dictionary attack to match passwords to hashes. This is because none
of the passwords in their dictionary should produce an output from the stolen batch of hashed
passwords.
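The Python example below is added to illustrate both the dictionary attack and the salting defence described in this section; it is not code from the article. It uses a constructed five-word dictionary and three constructed accounts. Two choices in it go beyond the text and are the standard practice: each password gets its own random salt (rather than one salt per batch), and the salt is stored next to the digest, because the defence does not depend on keeping the salt secret. The block shows that a table of precomputed hashes recovers the weak unsalted passwords in one pass, yields no matches at all against salted records, and, even with the salts in hand, forces the whole dictionary to be re-hashed for every account separately. PBKDF2-HMAC-SHA256 is used as the salted hash; the iteration count is lowered so the demo runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed "popular passwords" word list for the demonstration.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "My_password"]

# Kept modest so the demo runs quickly; production deployments use far more.
PBKDF2_ROUNDS = 50_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password, as in the Hashing section."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with the salt mixed in: the same password under a
    different salt yields an unrelated digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_salted_record(password: str) -> Tuple[bytes, bytes]:
    """Draw a fresh random salt for this password and store (salt, digest)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Sign-in check: re-hash under the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def precomputed_table() -> Dict[str, str]:
    """Hash every dictionary word once: hex digest -> word."""
    return {unsalted_hash(word): word for word in DICTIONARY}


def attack_unsalted(stolen: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Match one precomputed table against every stolen hash.
    Returns (username -> recovered password, hash computations spent)."""
    table = precomputed_table()
    found = {user: table[digest] for user, digest in stolen.items() if digest in table}
    return found, len(DICTIONARY)


def table_hits_on_salted(stolen: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, str]:
    """The same precomputed table applied to salted records: nothing can
    match, because none of the table's inputs included any salt."""
    table = precomputed_table()
    return {user: table[digest.hex()]
            for user, (_, digest) in stolen.items() if digest.hex() in table}


def attack_salted(stolen: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, str], int]:
    """Even with the salts known, no work can be shared between users: the
    whole dictionary is re-hashed under each user's own salt, so the cost
    grows with the number of accounts instead of being paid once."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in stolen.items():
        for word in DICTIONARY:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    # Constructed sample of three accounts, two of them using dictionary words.
    plaintexts = {"alice": "My_password", "bob": "qwerty", "carol": "c0rrect-horse-battery"}
    unsalted = {u: unsalted_hash(p) for u, p in plaintexts.items()}
    salted = {u: make_salted_record(p) for u, p in plaintexts.items()}
    print("unsalted, one shared table:", attack_unsalted(unsalted))
    print("shared table vs salted records:", table_hits_on_salted(salted))
    print("per-user rehash with salts known:", attack_salted(salted))
    print("alice still logs in:", verify_salted("My_password", salted["alice"]))
```

With the sample accounts, the shared table costs five hash computations and recovers alice's and bob's passwords; against the salted records it finds nothing, and the per-user pass needs thirteen PBKDF2 computations for the same result, a cost that keeps climbing as the number of accounts grows while the legitimate login still verifies with a single computation.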