What did you do with my password?

[Image: log in screen with username and password fields]

As a user, you need to manage your passwords. (If you are struggling with that, read our blog post about password managers.)

As a developer, you have a much greater responsibility. You are the Guardian at the Gate: it's your job to keep your users' passwords safe from potential attackers.

So how are you storing those precious passwords? Let's take a quick look at some options.

No! Not plain text!

In the beginning, when the web was new, developers simply saved the password as text in a database. Sad to say, not everyone has moved on to better methods. Remember the Hetzner data breach in 2017? That was the result of storing passwords in plain text. Just last year I contacted a well-known franchise because they were still saving passwords in plain text.

If you are still using this approach, stop everything you planned for today. You have to fix this right now!

Encryption

When developers understood the risk of plain text passwords, they looked for an alternative. Enter encryption.

Encryption uses an algorithm to scramble, or encrypt, the password before it is saved. Then it uses a key to unscramble, or decrypt, the information. Encryption can be as simple as switching letters, or extremely sophisticated. It's a huge improvement on plain text.

But some widely used algorithms have known vulnerabilities. SHA-1 (Secure Hash Algorithm 1) was designed by the US National Security Agency and produces a 160-bit hash value. You'd expect it to be completely secure. You'd be wrong.

Hashing

Enter the next alternative: hashing. Hashing is a one-way process, so there is no "de-hashing" option. It uses mathematical wizardry to make the string unreadable. But hashing is not random: it's repeatable. The SHA-256 hash of a string will always be the same, otherwise we couldn't verify passwords.

Even hashing isn't foolproof. A rainbow table is like a reverse lookup table: a precomputed list of hashes and the passwords that produce them. As the MD5 hashing algorithm became well-established, attackers started building rainbow tables of MD5-hashed values.

Despite the risk of rainbow tables, hashing is still the best way to store a password. Just make sure you don't use a hashing algorithm with known vulnerabilities. A good choice is bcrypt, which is designed to be slow. Slowing down the hashing function makes it too time-consuming for an attacker to compute hashes for millions of guesses.
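Here is an added example (not code from the original post) that shows both points above in Python: a bare, fast hash of a common password is recovered instantly from a small reverse lookup table, while a salted, deliberately slow hash cannot be looked up at all. Because bcrypt needs a third-party library, the slow hash here is PBKDF2-HMAC-SHA256 from Python's standard library, which applies the same idea (per-user random salt plus a tunable work factor); the list of "common" passwords is a constructed stand-in for a real rainbow table.

```python
import hashlib
import hmac
import secrets

# Constructed sample standing in for a real list of common, compromised passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash (shown only for contrast)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Reverse lookup table (hash -> password). Built once, it defeats
    every account whose unsalted hash matches any listed password."""
    return {unsalted_sha256(p): p for p in candidates}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Recommended shape: random per-user salt + slow key-derivation function.
    The stored string carries everything verify_password() needs."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    weak = unsalted_sha256("password")
    print("unsalted SHA-256 recovered from table:", table.get(weak))
    stored = hash_password("password")
    print("salted PBKDF2 record:", stored)
    print("in lookup table?", stored.split("$")[3] in table)
    print("verify correct password:", verify_password("password", stored))
    print("verify wrong password:", verify_password("Password", stored))
```

Note that two calls to hash_password() with the same password produce different records because the salt is fresh each time, which is exactly what stops a precomputed table from working.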

OAuth

Does this sound scary? Want someone else to do it? You can delegate the responsibility to a trusted party using OAuth.

You've seen the option to "Log in using my Google account". OAuth is an open standard that allows users to grant websites or applications access to their information on other websites, but without giving them the passwords. Google, Facebook, Amazon, Microsoft and Twitter allow users to share information about their accounts with third-party applications.

A last word

Passwords that are common and reused are vulnerable. Instead of guessing every possible combination, hackers use lists of common, compromised passwords. Educate your users and make sure they change passwords regularly.

Protect your users' passwords as if your job depends on it - because it just might.

If you want to read more about storing passwords, here are a few resources to try:
