Hacking and Infosec Write-ups

How are passwords stored? Explaining encryption, hashing and cracking

We’ve so far discussed the login process and authorized and unauthorized access. If you’ve noticed, one of the main points in all of those write-ups was passwords. So I decided to reach out to you with another short write-up about the different ways passwords are stored. A password is an important factor in guarding our digital privacy; it is the key that unlocks our privacy box. Before going into the topic, let me answer a question that must have come to your mind.

Why do we have many ways to store passwords?

The reason is obvious: password security! We could store our passwords in plain text. But what if someone gets access to that password file? He can easily read every password, because they are stored as-is. That is why different ways of storing passwords were introduced. We’ll discuss them one by one, so here we go:

How are passwords stored?

Plain Text:

There is nothing difficult about the first method. When the concept of password management and storage in a database was first introduced, passwords were stored in plain text, without any special guards. For example:
I have to add some members to a database, and each of them has a username and password to get access. I simply add a user table and store each username and password in it. There is no special protocol or encryption used to store the password in my database.

The drawback of Plain Text:

The problem with this method is that if someone somehow gets access to my database, he will have no trouble finding out the username and password of every user in it. He can log in easily, without any trouble at all. This security issue showed us a new way to store passwords.

Encrypting the Passwords:

This is a more secure way to store a password. There are many types of encryption, but before we discuss some of the commonly used ones, let’s define encryption first.

What is Encryption:

In simple words, encryption is a method of converting plain text or data into an encoded version. We can read the data only after decoding it, and to decode encrypted data we need a key. Simply put, encryption converts readable, understandable data into a code that can be read again only after applying the key. You can learn about encryption here.

The Drawback of Encryption:

Encryption is a reversible method. A hacker can easily recover your password if he knows the key. Obviously, when you store the password in a database, you also store the key to decrypt it. This is called one-to-one mapping. That’s why this method also didn’t work well, and security experts had to invent new ways to store passwords.

Hash Functions (Cryptographic Hash):

So what to do when encryption is reversible? What about a method that is irreversible? Here you go. One of the latest ways to store passwords is storing them as hashes. A hash, or cryptographic hash function, is a many-to-one mapping: many inputs can map to a certain output. We could write a separate article discussing hashes alone, and I’m damn sure that article would be a lengthy one. But for now, let’s have an overview of this method:

How does a cryptographic hash function work?

When we convert a password into a hash, it is a one-way encoding: you cannot reverse the process to get back the original password. Then how does a hash identify a password? This is where many-to-one mapping comes in. We take the inputs we are given, hash them and match them against our stored hash; the perfect match gives us the exact output. You can’t get a single output for two inputs, which is why the hash matches a unique input only.

The Drawback:

As we know, no security is perfect. There is also a method to obtain passwords from hashes. Yes, it’s true that you can’t reverse a hash to get the original password, but a cracker can try many inputs until he gets the right output. Using this method, a lot of passwords have been cracked, and now there are rainbow tables containing already cracked hashes to identify password patterns.

Rainbow Tables:

These are pre-computed tables that pair hash values with their plain passwords. Rainbow tables can be used in a brute-force or dictionary type attack.

Salted Hash:

So what next? If even hashing failed, how do we stay secure? Here comes the salt. A salt is a specific additional input added to your password when converting it to a hash. It is right now the best solution for storing passwords, because it solves the drawbacks of the previous methods. The salt isn’t stored in your database; it is added in the application configuration, which is a totally different thing. A salt can be understood as follows:
I have the password ‘Sprotechs’ and the salt is ‘@5!5’. So the password that goes into my hash is ‘Sprotechs@5!5’, which isn’t the actual password but the password plus an additional input. This method also has a solution for its own loophole. The example above is a static salt; we can instead use a dynamic salt for every new password we store.
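Added example (not code from the article) in Python, walking through the storage methods compared above: an unsalted hash of a weak password is recovered by plain lookup in a constructed pre-computed table, the article’s static salt ‘@5!5’ makes that lookup miss, and a dynamic per-password salt gives two different records for the same password. It assumes a random 16-byte salt kept beside the digest (so the same computation can be repeated at login) and PBKDF2 stretching; the weak-password list is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: hashes of a few weak passwords, standing in for a
# pre-computed (rainbow-style) table mapping hash -> plain password.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "Sprotechs"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the dynamic-salt variant


def unsalted_hash(password: str) -> str:
    """One-way and deterministic: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_table(digest: str):
    """Recovers a weak password from an unsalted digest by table lookup, or None."""
    return PRECOMPUTED.get(digest)


def static_salted_hash(password: str, salt: str) -> str:
    """The article's static salt: one fixed string appended to every password."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def make_record(password: str) -> dict:
    """Dynamic salt: a fresh random salt per stored password (assumed kept beside
    the digest), stretched with PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("unsalted lookup:", lookup_in_table(unsalted_hash("Sprotechs")))
    print("static-salt lookup:", lookup_in_table(static_salted_hash("Sprotechs", "@5!5")))
    rec_a, rec_b = make_record("Sprotechs"), make_record("Sprotechs")
    print("same password, different records:", rec_a["hash"] != rec_b["hash"])
    print("login check:", verify(rec_a, "Sprotechs"), verify(rec_a, "sprotechs"))
```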

Shehriar Ahmad
Shehriar Ahmad Awan is the co-founder of Sprotechs InfoSec. He's a cybersecurity researcher, penetration tester and developer for the Sprotechs team.