Several companies have recently admitted to storing passwords in plain-text format.

That’s like storing a password in Notepad and saving it as a .txt file.

Passwords should be salted and hashed for security, so why isn’t that happening in 2019?

If a hacker gains access to the file, they can see all the passwords.

Storing passwords in plain text is a terrible practice.

Typically that means even if someone steals the passwords out of a database, they’re unusable.

So why do companies store passwords in plaintext?

Unfortunately, sometimes the companies don’t take security seriously.

Or they choose to compromise security in the name of convenience.

In other cases, the company does everything right when storing your password.

But they might add overzealous logging capabilities, which record passwords in plain text.

In the case of Google, the company was adequately hashing and salting passwords for most users.

But G Suite Enterprise account passwords were stored in plain text.

The company said this was left-over practice from when it gave domain administrators tools to recover passwords.

Had Google properly stored the passwords, that wouldn’t have been possible.

Only a password reset process works for recovery when passwords are correctly stored.

When Facebook also admitted to storing passwords in plain text, it didn’t give the exact cause of the problem.

Sometimes a company will do everything right when initially storing your password.

And then add new features that cause problems.

Besides Facebook, Robinhood, GitHub, and Twitter accidentally logged plain text passwords.

Logging is useful for finding issues in apps, hardware, and even system code.

It then stored those logs elsewhere.

Anyone who had access to those logs had everything they need to take over an account.

The company did delete those tweets and later announced that all passwords would soon be salted and hashed.

But it wasn’t all that long before the company announced that someone had breached its systems.

T-Mobile said that the stolen passwords were encrypted, but that’s not as good as hashing passwords.

How Companies Should Be Storing Passwords

Companies should never store plain text passwords.

Instead, passwords should be salted, then hashed.

It’s important to know what salting is, and the difference between encrypting and hashing.

Salting Adds Extra Text to Your Password

Salting passwords is a straightforward concept.

The process essentially adds extra text to the password you provided.

Think of it like adding numbers and letters to the end of your regular password.

Salting is a similar concept: before the system hashes your password, it adds extra text to it.

The hacker won’t know which part is salt, and which part is password.

Companies shouldn’t reuse the same salt from password to password.

Otherwise, it can be stolen or broken and thus made useless.

Using a different salt for each password also prevents collisions (more on that later).

Hashing shouldn’t be confused with encryption.

When you encrypt data, you transform it based on a key.

If someone knows the key, they can change the data back.

Knowing that “A=C,” you can then find out that the message was just an Ovaltine commercial.

Anyone looking at a hash would see gibberish.

That property of hashing makes it a better method for storing your password than encryption.

Whereas you can decrypt encrypted data, you can’t “unhash” data.

Instead, they’ll have to do what a company does when you submit your password.

When you submit your password to Google or your bank, they follow the same steps.

Some companies, like Facebook, may even take extra “guesses” to account for a typo.

That outcome is called a collision.

That’s another reason to add salt that changes from password to password.

An adequately salted and hashed password won’t have any matches.
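As an added example that is not part of the original article, the following Python code carries out the steps described above: it draws a fresh random salt per password, runs a deliberately slow hash (PBKDF2-HMAC-SHA256) over salt plus password, stores only the result, and at login repeats the same steps and compares the outcome in constant time. The stored record format and the function names are my own assumptions, not any company's implementation.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: PBKDF2-HMAC-SHA256 iteration count. Higher is slower for
# both the server and anyone guessing against a stolen database.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt is random and unique per password, so two users who pick the
    same password still end up with different records (no 'collision' in
    the sense the article uses). Only this record is stored, never the
    password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # never reuse a salt between passwords
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Repeat the signup steps with the stored salt and compare the hashes.

    There is no way to 'unhash' the record; the only check possible is to
    hash the submitted password the same way and see whether it matches.
    """
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    # Constant-time comparison so the check leaks nothing about the hash.
    return hmac.compare_digest(candidate, expected)
```

If the stored records are ever stolen, an attacker must redo the full slow computation for every guess against every record, which is the delay the article refers to when it says the process "buys time".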

The process still takes time, which gives you time to protect yourself.

And unfortunately, it’s more common than it should be.

Given that reality, you should never reuse passwords.

Instead, you should provide a different complicated password to every service you use.

By making the password more complicated, you’re buying time to minimize the damage.

Using unique passwords also minimizes that damage.

Complicated passwords are hard to remember, so we recommend a password manager.

Some, like LastPass and 1Password, even offer services that verify if your current passwords are compromised.

Another good option is to enable two-step authentication.