What's all this about?
Some websites and computer systems store your personal password in clear text. There is no reason why a website would need a clear-text copy of your password. Instead, it can and should store only a non-reversible hash of your password.
This matters because most users reuse their password across services. When the weakest of those services is compromised, your password could be exposed to third parties.
Example
If your password is "P@sswrd321", an insecure way of storing this information would be to store the password directly in the database.
Instead of storing the password in clear text, the system could generate a hash value and store that. This would make it much harder for anyone who gained access to the database to recover the users' passwords.
Here is an example hash of the above password: d9493bfe15ef8ff5889da34e4ecc490a. When the password is stored like this, it is much harder to find the original password.
Hash algorithms
There are many types of algorithms available for different platforms. Since best practices keep changing as hash algorithms improve, we won't give a specific answer as to which one to choose.
Check with your platform provider and community to find the best way to keep your users' passwords secure.
We do want to give one tip: avoid using MD5 hashes. MD5 was previously one of the most widely used algorithms, but it has since been shown to have weaknesses and is not a strong hash. There are other weak hashes too, so make sure you pick one that is considered safe and strong.
Awareness
By bringing understanding and awareness of this problem to the industry, we hope to help improve the status quo of how passwords are stored in computer systems.
It is not our intention to blacklist anyone on this site, only to notify users so they won't run the risk of having their accounts and personal passwords compromised.
