The next time you sign up for a website or you click on the ‘Forgotten password’ link and they email you your password…. run! Delete your account and don’t use them.
Let me explain why.
Here’s how a secure website will deal with passwords…
- When you sign up and enter your password, the site takes your password and creates a ‘hash’. A hash is like encryption but there isn’t an easy way to reverse (or decrypt) the result.
- The hash is then stored, by the website, on their database. They should NEVER store your un-hashed password.
- When you try and sign in, you type in your password, they hash what you type and then compare it to their database entry. If they match, it’s the correct password.
- If you click on ‘Forgotten password’ because you don’t know your password, they should have to send you a link so you can reset yours (i.e. start again). Your new password will be hashed and will overwrite your old one in their database.
So, if a site sends you your password then this means they’re storing it, either in plain text or encrypted (probably lightly), in their database. The thing about encryption is that all you need to know is the ‘key’ to be able to decrypt it – if a hacker has gained access to a website’s database, then there’s a good chance they either know the key too or it probably won’t be too hard for them to crack it.
Be safe online and bear in mind that you can’t always trust the websites to do the right thing.