A typical website which supports user login generally stores (or should store) user passwords as hash value. But sometimes this is not the case. There are websites that store your password as plain text. In this article, we are going to discuss some of the possible ways to find out how a particular website stores your password.
What is hashing and why is it important?
To verify your identity, a website maps you to a unique username, which is publicly displayed so that other users can identify you. But the website also needs to authenticate you before you log in. For this, it lets you choose a secret password. It has to keep a copy of your password in its database. But here comes the big question: Is the password really secret?
If passwords are plainly stored into the database, it can easily be accessed by the webmaster / database administrator. The webmaster may then misuse your account information and try to gain access to your subsequent accounts on other sites/services. That’s not all; even if the webmaster does not have any intention of misusing user information, the website is at high security risk. In case the site is hacked or breached, user passwords may be leaked out.
Rather than storing passwords as plaintext in the database, some websites store passwords in hashed format. Hashing generates a fixed-bit-length value for all passwords. This process is irreversible, i.e., it is not possible to retrieve the original password from its hash. Whenever you try to login to such websites with a password, the corresponding hash value is instantly generated. This value is then matched with the one stored in the database. A website that stores passwords in hashed format is thus more secure.
Finding out whether a website is hashing user passwords or not
There are a few ways to check whether a website is (probably) hashing your password or not. After you have logged into a particular website, check your account settings to see whether your password is displayed or not. If your password is shown, the website does not hash your password. Otherwise, the website may be hashing your password.
Alternatively, you can use the password recovery option. If you request a password reset, the website will usually send a mail to your registered email address. If the mail contains a password reset link (which lets you set a new password) or an auto-generated password, you can say that the password was hashed. The website could have sent you the actual password if it hadn’t been hashed.
It is important to note that even if some sites do not show your password, they might not necessarily be hashing it. They might just not be displaying the password but storing them as plain text.
Finding out whether a website hashes your password or not is not a user-friendly process and also annoying sometimes. Thus, it is recommended to keep different (and uncommon) passwords for each website.
But again, it might be difficult for users to memorize the different login credentials. For that, PwdHash might be helpful. It generates a unique password in combination with your password and the website. Read this article to know more about how it works.