How a website stores our secure passwords
What options does a website have to save the keys?
Whenever we register on an Internet platform, whatever it is, we will trust it. For example, if we create an account on Facebook or Twitter, we are adding a password that is linked to the user. The same happens if we register in a forum or any other service on the Internet.
In case that site or that platform has a security problem, our accounts could be in danger. For example, if there is a vulnerability and an attacker manages to exploit it to access the content. That's when those passwords could leak and end up in the wrong hands.
The web pages, therefore, are going to have to store those keys in some way so that they are not available to anyone. But of course, not all do it in the same way. We have seen many leaks that have caused passwords to end up on the Dark Web and even social media accounts, Netflix, or any other service and are now for sale.
This is the worst option of all, logically. However, there are still websites that store information and passwords in plain text. What does this mean? It basically means that if an intruder manages to access a database, everything in it is available without any type of encryption.
In this case, that website that stores the passwords will not use any algorithm to protect them. Let's say we register in a forum to search for information on something specific. We create an account and put a password that is very good and has everything necessary so that it is not found out. That website suffers a security breach and there is a group of hackers who manages to access the database where the keys are stored. They could have access to all of them without problems.
This is possible since those passwords have not been stored with any type of encryption, or algorithm to protect them. Basically, they are available as if we created a text file on our computer and wrote the passwords there. If someone has access to the computer and opens that file, they would see all the content without major problems.
Is there something to warn us that a site stores passwords in plain text? We can see it if we receive the password by e-mail. This is something that we can see when we register on any site and later receive an email with the data. There we would see the username and password as we have created them.
Now, the normal thing today is that when registering on web pages they use encryption to protect access codes. What they do is encode the information and make it totally unreadable. This will be possible since they generate two keys: one is the password that we use with the data that we have generated and another is the key of the site itself.
If we put the same previous example in which a website has a vulnerability and is attacked, in this case, the passwords would be encrypted and would not be readable for those intruders. Now, it is not something totally infallible.
But of course, for this encryption to be effective, a primary key is necessary. It is the same as if we create an encrypted file with content inside or use a key manager where we are going to save our passwords. In these cases, it is necessary to have a master or primary key to access the content.
It is precisely this password that hackers are targeting. If they access it, they can enter to see all the others. Therefore, our passwords are going to depend to a great extent on that primary key.
Hashing functions are also a method of keeping passwords secure on a web page. It is considered the most reliable and safe way to do this. What does it consist of? What it does is convert our passwords. When we create a key, it automatically turns it into a different and complex one thanks to that hash function.
When we log in, that website will execute the hash function to recognize the key. However, in the event that an attacker gains access to the database where the passwords are stored, it would be really difficult for him to revert that function. They would not know what the key is.
But of course, we are not facing something that is 100% reliable. That hash function will be the same as long as we put a password. Hackers can devise them to create hash tables and break values to access keys. It is something very complicated, but we would not be facing total security.
What to take into account to know if a website keeps the keys secure
After explaining the different methods they can use to store keys, which are basically plain text (worst of all), encryption, or hashing, how can we tell if we are signing up for a page that stores passwords well?
An important signal is the one we mentioned regarding how they send us the password by mail. If when we register they send us a password as we have written it, it means that they will store it in plain text and therefore there is no real security.
On the other hand, an interesting signal that shows us that the key is stored correctly is when we give the password to remember and that site does not return the key that we created previously. Instead, what you are going to do is send us a temporary password.
Also, it is important to see that the page on which we are registering is encrypted. We will know this if it has an SSL certificate and the URL begins with HTTPS and not HTTP. It is a guarantee that although it does not mean that it is safe in all cases, it does rule out untrustworthy sites.
How to avoid password problems on the Internet
What can we do to avoid problems with our passwords on the Internet? We are going to give some essential tips for this. A tour of the most important things to keep in mind to securely register on any platform or service.
Create strong keys
The first security tip is to create passwords that are really strong. How can we do it? Those keys must contain letters (both uppercase and lowercase), numbers, and other special symbols. All this randomly and they must have a good length.
This will make it difficult for hackers to break those passwords through brute force attacks. You must never to put things like your name, mobile number, etc.
Always use unique passwords
Of course, those passwords have to be unique. We should not use them in several places at the same time. If, for example, we have a password for Facebook and we use it in a forum where we have registered and this forum has suffered an attack, what is known as a domino effect would occur and they could access the social network account.
Therefore, it is essential that we do not repeat passwords. We must always create a unique one for each record, program, or website.
Use password manager
And how can we achieve all this? A good idea is to use a key manager. It will allow us to generate strong and complex passwords, in addition to storing them safely. We have many options, such as LastPass, KeePass, or Dashlane.
These programs are available for both computers and mobile. We can even synchronize passwords online and have them available anywhere.
In short, these are some important questions to consider about how web pages store our passwords. Now, beyond that, we must also create the keys with total security and avoid problems.