It seems only more apparent this week that many websites fail at storing user passwords properly, with the password dumps of LinkedIn, eHarmony and Last.fm this week. The scary thing is that there are sites that don’t hash user passwords at all before storing them, and this can usually be proven with a simple check.
In order to understand how passwords are stored it’s necessary to understand what a hash function is and what it does. A hash function has two key properties: its output is a fixed length, and it is one way, meaning it cannot be reversed. The one-way property is the important part of this example.
The way passwords on websites work is that you sign up to a website and type in a username and password. The password is then put through a hashing algorithm to produce a fixed-length hash.
Bad example code (PHP; an unsalted SHA-1 of the password, which is exactly what not to do):
$password = 'test123';
$hash = sha1($password);
The above is a very basic example of how some sites may do it; the resulting hash is then stored in the database. When you sign in the same process happens: you type in your password, the site hashes it again and compares the new hash to the stored entry. If they match you get access; if they don’t, you get a failed login attempt. Note that the example above has no salt, so two users with the same password get the same hash, and a single precomputed table cracks all of them at once.
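The register-and-login flow described above, as an added Python example that is not code from the original post. It puts the post’s unsalted SHA-1 approach beside a hardened version using a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library; the stored record format, the iteration count and the in-memory dictionary standing in for the database are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# The post's "bad example": an unsalted SHA-1 of the password.
# Same password -> same hash for every user, and precomputed tables crack it.
def bad_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened version (assumed parameters): 16-byte random salt and a slow,
# iterated key derivation (PBKDF2-HMAC-SHA256). The salt is stored alongside
# the hash; it does not need to be secret, only unique per user.
ITERATIONS = 600_000  # assumed value; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

# A dict stands in for the users table (constructed for the example).
def register(db: Dict[str, str], username: str, password: str) -> None:
    db[username] = hash_password(password)   # only the record is stored, never the password

def login(db: Dict[str, str], username: str, password: str) -> bool:
    stored = db.get(username)
    return stored is not None and verify_password(password, stored)

if __name__ == "__main__":
    db: Dict[str, str] = {}
    register(db, "alice", "test123")
    register(db, "bob", "test123")
    print("unsalted sha1, alice == bob:", bad_hash("test123") == bad_hash("test123"))
    print("salted records, alice == bob:", db["alice"] == db["bob"])
    print("alice login ok:", login(db, "alice", "test123"))
    print("alice wrong pw:", login(db, "alice", "test124"))
```

With the hardened form a database dump gives an attacker only salted, slow-to-compute records; the site itself can never recover the original password from them, which is the point the post makes about reset e-mails.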
So the question here is how do you know a password is being stored in plain text without hacking the site? Well, it’s simple: most sites have a password reset option. If you forget your password you can use it to get a way to reset it. However, some websites will send you your existing password in plain text, which means they must be storing it either in plain text in the database or with some reversible method rather than a proper hash. As we all know, hashes are not reversible, so they can’t be taking your hash, reversing it and sending you your password; the whole point of a hash is that it can’t be reversed. I have noticed that job sites are really bad for this, but I am sure there are many more that are failing to do such a simple task as using a salt and a good hashing algorithm to store passwords.
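For contrast with the reset e-mails the post describes, here is an added example (not code from the original post) of how a reset flow works when the site holds only password hashes: it e-mails a random, single-use, short-lived token and stores only the token’s hash, so nothing in the flow ever needs the user’s password. The store layout, the 15-minute lifetime and the dictionary standing in for the reset table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token

# user_id -> (sha256 hex of token, expiry timestamp); constructed stand-in for a table.
ResetStore = Dict[str, Tuple[str, float]]

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_token(store: ResetStore, user_id: str,
                      now: Optional[float] = None) -> str:
    """Create a fresh token; the caller e-mails it as a reset link.
    Only its hash is stored, so a database dump cannot be used to reset accounts."""
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    store[user_id] = (_digest(token), now + RESET_TTL_SECONDS)
    return token

def redeem_reset_token(store: ResetStore, user_id: str, token: str,
                       now: Optional[float] = None) -> bool:
    """True exactly once for a valid, unexpired token; then the caller sets a new password."""
    if now is None:
        now = time.time()
    entry = store.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        del store[user_id]            # expired: discard it
        return False
    ok = hmac.compare_digest(_digest(token), stored_digest)
    if ok:
        del store[user_id]            # single use
    return ok

if __name__ == "__main__":
    store: ResetStore = {}
    tok = issue_reset_token(store, "alice")
    print("e-mail body contains only the token, e.g. /reset?user=alice&token=" + tok)
    print("redeem once:", redeem_reset_token(store, "alice", tok))
    print("redeem again:", redeem_reset_token(store, "alice", tok))
```

A site that can run this flow has no reason to know your password; one that mails the password back has, by construction, kept it in a recoverable form.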