
Understanding Password Hashing: Why It Matters for Your Security

LeakedSource Team

Not All Password Storage Is Created Equal

When you create an account on a website, your password needs to be stored so it can be verified when you log in. How a service stores that password makes an enormous difference in what happens if their database is ever breached.

Plaintext: The Worst Case

Some services have been caught storing passwords with no protection at all. If the database is breached, every password is immediately available. Services like VK.com, Rambler.ru, and Fling.com were all found storing passwords in plaintext.

MD5 and SHA1: Broken But Still Common

MD5 and SHA1 are hash functions that convert passwords into fixed-length strings. However, they were designed for speed, which makes them terrible for password storage. Modern GPUs can compute billions of MD5 hashes per second, meaning most passwords can be cracked in minutes.

Services like LinkedIn (SHA1), Last.fm (MD5), and Badoo (MD5) all used these weak algorithms.

Salting: An Important Addition

A salt is a random value added to each password before hashing. This prevents attackers from using precomputed tables (rainbow tables) and ensures that identical passwords produce different hashes. Salted SHA1 is better than unsalted, but still not ideal.

Bcrypt, Scrypt, and Argon2: The Gold Standard

Modern password hashing algorithms like bcrypt, scrypt, and Argon2 are specifically designed to be slow and resource-intensive. This intentional slowness means that even with powerful hardware, cracking passwords is impractical at scale.

Dropbox used bcrypt for half its passwords at the time of its breach, which is why those accounts were significantly more secure.
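As an added example (not code from the original post, nor LeakedSource's own tooling), the Python below puts the three storage tiers side by side using only the standard library: unsalted MD5, salted SHA1, and hashlib.scrypt standing in for the bcrypt/Argon2 tier, with a constant-time verify and a duplicate-digest check a defender can run over a user table. The `scrypt$n$r$p$salt$digest` record layout and the sample users are our own constructions.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2"}

def md5_unsalted(password: str) -> str:
    """Fast, unsalted hash (what Last.fm and Badoo were found storing)."""
    return hashlib.md5(password.encode()).hexdigest()

def sha1_salted(password: str, salt: bytes) -> str:
    """Per-user salt defeats rainbow tables, but SHA1 is still fast to brute-force."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes = None) -> str:
    """Memory-hard hash; cost parameters and salt are stored with the digest
    (the 'scrypt$n$r$p$salt$digest' layout is our own convention)."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # about 16 MiB of RAM per guess at these settings
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p),
                               maxmem=64 * 1024 * 1024, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def duplicate_digests(users: dict, hasher) -> int:
    """Count users sharing a digest. A non-zero result on a real table means the
    store is unsalted, and every duplicate cracks for the price of one guess."""
    digests = [hasher(pw) for pw in users.values()]
    return len(digests) - len(set(digests))

if __name__ == "__main__":
    print("unsalted MD5 duplicates:", duplicate_digests(SAMPLE_USERS, md5_unsalted))
    print("scrypt duplicates:", duplicate_digests(SAMPLE_USERS, scrypt_hash))
    record = scrypt_hash("hunter2")
    print(record, scrypt_verify("hunter2", record), scrypt_verify("hunter3", record))
```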

What This Means for You

You can't control how services store your password, but you can:

  1. Use unique passwords so a breach at one service doesn't compromise others
  2. Use a password manager to generate and store strong, unique passwords
  3. Enable two-factor authentication as an additional security layer
  4. Check your breach exposure regularly at LeakedSource
