How do these people store my passwords?
Ok. It says here that I should not store my passwords in plain text, and I should encode them.
But now it says here that a hash cannot be decoded. Then here comes the problem: I sign up to a site, then a popup comes up in my Chrome asking if I want to save it in my Google account sync. The next time I try to sign in to that website it fills out the form with my correct password.
If they're not supposed to be able to decode my password, are they storing it in plain text, or are they encoding it in a way that it can be decoded but only with a secret key? And what method is the best way to encode passwords?
If I remember correctly, it's always best to store the hashes of the passwords in an encrypted database. If you are using something that fills in passwords for you, then you're basically just hoping that they use a secure enough encryption algorithm that your unhashed passwords don't get released. Honestly, I'm pretty sure that tools like that break one of the core tenets of encryption though, so why not just stop using the tool and then never worry about it?
@ch1ck3n Chrome probably encrypts your passwords with your Google account password, which is why they ask you to enter your password before viewing them on the Chrome settings page.
I bet it is stored by google and backed up by many different algorithms to secure your password as best as possible, as well as them not revealing the encryption methods so they can't reverse-encrypt them even if they get the ciphertext.
The website didn't fill it out. Chrome did. See, you enter your password on the client side; Chrome got your password before you submitted it and stored it in your browser. The password then went to the website and it was hashed. Chrome did not decode your hash. Chrome simply remembered the plain text version of your password.
In answer to your above comment:
I'm sure I could very easily be incorrect, but this isn't why. That's his entire point; he is worried about the security of Chrome if it's storing his passwords, which are normally hashed, as plain text. It's not about it not being hashed on the account's server; it's that it's not hashed on some separate database along with a whole slew of his other passwords. Look at his conversation with @Coder100. @nbbcsf
Hashes shouldn't be decoded at all,
because then it's insecure.
What people use hashes for is this:
password --> hashing function --> password_hash
user input --> hashing function --> user_hash
Then all you do is compare if the hashes are the same, because every password always gives the same hash.
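The two-arrow flow in the post above, written out as a working sign-up and sign-in routine. This is an added example, not code from any post in this thread: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the hashing function, adds a random per-user salt (so two users with the same password still get different stored hashes), and keeps the "database" as an in-memory dict. The record format `pbkdf2_sha256$iterations$salt$hash`, the function names, and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; a slow hash makes offline guessing expensive.
# The exact number is an assumption for this example, not a standard.
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory "user table": username -> stored hash record.
# Nothing in it is the plaintext password.
USERS = {}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful to show that the same password + same salt gives the same hash).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the hash with the stored salt and compare the two hashes.

    hmac.compare_digest runs in constant time, so a wrong guess cannot be
    distinguished from a nearly-right one by how long the check takes.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(username: str, password: str) -> None:
    """Sign-up: password --> hashing function --> password_hash (stored)."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Sign-in: user input --> hashing function --> user_hash, then compare."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("stored record:", USERS["alice"])
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
```

The stored record lets the site check a password without ever being able to recover it, which is the separation the thread is about: the site keeps only `password_hash`, while a browser password manager keeps the plaintext on the client so it can fill the form in again.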