How many times have you had to change your account password at work? Does your university or school make you change your password every semester like mine does? When was the last time you updated the passwords for your social media accounts? The more online services you use, the greater the hassle of remembering and tracking the million passwords you generate along the way. Do you resort to reusing them? Adding a “1” at the end, perhaps?
Sadly that’s a terrible strategy.
Having worked as a system administrator, I know why IT policies regularly put stricter (borderline illogical) restrictions in place. But trust me, there is an excellent reason for that: most user-generated passwords are weak and easily cracked. Stricter restrictions at least force the user to create stronger passwords.
So How Are Passwords Stored?
Saying that websites store passwords is itself a bit misleading, since well-designed websites don’t typically store your password in a database. They store the hash generated from your password.
WTF Does That Even Mean?
In computer science, a hashing algorithm is a one-way function that can be applied to a character string of any size. For example, one of the earliest widely used hashing algorithms, MD5, takes a user input (like a password) and generates a corresponding 128-bit hash value. One-way means that the output cannot be reverse engineered to yield the underlying character string that produced it. This is crucial, since the whole point of using a hashing function is to stop an attacker from recovering the input.
For example (using MD5):
ThisIsMyPassword produces d47f18dc7780fe47c24759714e2cd58f
The website then stores the hashed output in its database. When a user enters a password, the same hashing algorithm is applied to the input and the result is compared with what is stored in the database. Access is granted only if the two values match.
To strengthen security, another layer of protection is frequently added on top of the basic hashing algorithm through a process called “salting”. Salting is performed to make it difficult for an attacker to carry out a dictionary attack.
Salting typically entails concatenating random data with the user’s password before hashing. Good security practice demands that the salt be generated by a cryptographically secure random generator, which is different from the ordinary pseudo-random generators built into most programming languages.
It is worth noting that using MD5 is strongly discouraged because MD5 is not collision resistant, a property that is essential to any secure hashing algorithm. When it comes to hashing passwords, it is desirable that the algorithm be computationally expensive, something that MD5 and SHA-1 thoroughly lack. It is thus advisable to use SHA-256 instead for secure hashing, which is why SHA-256 is, for the most part, the industry standard.
Hashing is performed so that if the credential database is ever compromised, the intruder cannot simply read off every user’s password. If the website were storing plaintext passwords, it would be trivial for the attacker to abuse the credentials.
How To Create Stronger Passwords?
A good method for creating strong and unique passwords is to pick seemingly random words, objects or places, whatever you can easily remember, and string them together. This gif beautifully demonstrates the logic behind doing so.
What Does It Mean For You?
I would suggest 3 things:
- Use a dedicated password manager for managing your passwords and login information. I personally use KeePass and highly recommend it. KeePass is an open-source password manager which provides industry-level password management security.
- Refrain from reusing your passwords for multiple services and accounts. Instead, use 2-factor authentication.
- Use long passwords, not complex ones. As always, there is a relevant xkcd.