how do these people store my passwords
ch1ck3n (2063)

Ok. It says here that I should not store my passwords in plain text, and I should encode it.

But now it says here that a hash cannot be decoded. Then here comes the problem: I sign up to a site, then a popup comes on my Chrome saying if I want to save it in my Google account sync. The next time I try to sign in to that website it fills out the form with my correct password.

If they're not supposed to be able to decode my password, are they storing it in plain text, or are they encoding it in a way it can be decoded but only with a secret key? And what method is the best way to encode passwords?

Answered by Highwayman (1482) [earned 5 cycles]
Highwayman (1482)

If I remember correctly, it's always best to store the hashes of the passwords in an encrypted database. If you are using something that fills in passwords for you, then you're basically just hoping that they use a secure enough encryption algorithm that your unhashed passwords don't get released. Honestly, I'm pretty sure that tools like that break one of the core tenets of encryption tho, so why not just stop using the tool and then never worry about it?

Highwayman (1482)

You should be. At least I think you should be. @ch1ck3n

Baconman321 (1097)

@ch1ck3n Chrome probably encrypts your passwords with your Google account password, hence why they ask you to enter your password before viewing them on the Chrome settings page.

I bet it is stored by Google and backed up by many different algorithms to secure your password as best as possible, as well as them not revealing the encryption methods so they can't reverse-encrypt them even if they get the ciphertext.

nbbcsf (23)

@Highwayman I don't think this is correct. See my answer.

nbbcsf (23)

The website didn't fill it out. Chrome did. See, you enter your password on the client side; Chrome got your password before you submitted it and stored it in your browser. The password then went to the website and it was hashed. Chrome did not decode your hash. Chrome simply remembered the plain text version of your password.

Highwayman (1482)

In answer to your above comment:
I'm sure I could very easily be incorrect, but this isn't why. That's his entire point; he is worried about the security of Chrome if it's storing his passwords, which are normally hashed, as plain text. It's not about it not being hashed on the account's server. It's that it's not hashed on some separate database along with a whole slew of his other passwords. Look at his conversation with @Coder100. @nbbcsf

Coder100 (18178)

well
hashes shouldn't be decoded at all
because then it's insecure

what people use hashes for is this:

password --> hashing function --> password_hash
user input --> hashing function --> user_hash

then all you do is compare if the hashes are the same, because every password always gives the same hash.
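
An added example, not part of Coder100's post or any site's own code: the website side of the flow above in Python, extended with a per-user salt and a deliberately slow hash (PBKDF2), which goes beyond what the post describes. The function names, the iteration count and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it for your own hardware.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(attempt, salt, stored_digest):
    """Re-hash the login attempt with the stored salt and compare.

    Nothing is decoded: the server only checks that the attempt
    produces the same digest as the one saved at sign-up.
    """
    _, candidate = hash_password(attempt, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    salt, stored = hash_password("correct horse battery staple")
    print("right password accepted:",
          verify_password("correct horse battery staple", salt, stored))
    print("wrong password accepted:",
          verify_password("wrong guess", salt, stored))

    # Same password, different salt: the stored digests differ, so two
    # users with the same password do not share a database value.
    _, stored_again = hash_password("correct horse battery staple")
    print("digests differ across salts:", stored != stored_again)
```
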

ch1ck3n (2063)

@Coder100 I know

I'm asking about browsers saving passwords

it needs to decode it in order to put it in my form

RoBlockHead (520)

@ch1ck3n browsers saving passwords isn’t insecure unless your own computer is insecure. It’s not an issue because your browser can’t be accessed from anywhere, but a server can.

ch1ck3n (2063)

@RoBlockHead but what about cloud syncing