Password Hashing and You

Whenever you create a password on a website with good security, that password is sent over the internet to a web server (or held in your computer's memory) for only a few seconds. The password should never be written to disk; it should always be hashed first. A cryptographic hash function is a one-way function that always produces the same output for the same input. For example, if I put the string "Hello" into the SHA2-256 hashing function, I get: 185F8DB32271FE25F561A6FC938B2E264306EC304EDA518007D1764826381969. This will always be the same, but you can't get "Hello" back from that long string. That means that when a tech company stores your password, they don't actually need to know the password to check if it's correct: they can check whether the hash is the same.

However, basic hashes are vulnerable to "Rainbow Tables", which are lists of hashes of every combination of characters up to a certain length, or of all the dictionary words, or simply of common passwords. These take a long time to generate, due to the complexity of the SHA256 function and the sheer number of possible combinations, but once built they can be used to recover the original password with a simple database lookup. To combat this, good password hashing systems also use a salt: a string stored alongside the hash in the database and added to the password each time it is hashed. If a password was "123456789", the company could randomly generate the salt as "AANIunboadg", and then hash "AANIunboadg123456789" rather than just "123456789". This makes rainbow tables useless, as each password has some random component to it and you would have to calculate a rainbow table for each individual salt. This would take far longer and be essentially impossible. You can make this more difficult still with a Pepper, which encrypts each password with a standard secret key that is very important to keep safe. All of these together protect your password well, even in the event of a data breach. Not to say you shouldn't change your password after you've been in a data breach! Salts and hashing are a very powerful way to keep your original password out of reach of attackers.
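To make the two paragraphs above concrete, here is an added example (not code from the original post) that walks through the whole story with Python's standard library: the plain SHA-256 of "Hello" from the first paragraph, a toy precomputed lookup table over a few constructed common passwords, a per-password random salt that defeats that table, and a pepper. The post describes the pepper as encrypting passwords with a secret key; this example instead applies the pepper as the key of an HMAC over the salted password, which is the more common way to mix a secret into a hash. The `PEPPER` value, the password list and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed secret for the example only. A real pepper is kept outside the
# database (environment variable, secrets manager or HSM), never stored beside
# the hashes it protects, so a dump of the user table alone is useless.
PEPPER = b"example-pepper-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256, hex-encoded in upper case as the post shows it."""
    return hashlib.sha256(data).hexdigest().upper()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> Tuple[bytes, str]:
    """Return (salt, digest) for a password.

    The salt is 16 random bytes generated per password and stored next to the
    digest; the pepper is a single secret key applied as the HMAC key.
    """
    if salt is None:
        salt = os.urandom(16)
    # Salt is prepended to the password, as in the post's "AANIunboadg123456789".
    salted = salt + password.encode("utf-8")
    digest = hmac.new(pepper, salted, hashlib.sha256).hexdigest().upper()
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: str,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, salt, pepper)
    return hmac.compare_digest(digest, stored_digest)


# Toy "rainbow table": a constructed list of common passwords mapped from their
# unsalted SHA-256. Real tables are far larger, but the principle is identical.
COMMON_PASSWORDS = ["123456789", "password", "qwerty", "letmein"]
LOOKUP_TABLE = {sha256_hex(p.encode("utf-8")): p for p in COMMON_PASSWORDS}


def lookup(digest: str) -> Optional[str]:
    """Reverse a digest with the precomputed table, or None if it is not there."""
    return LOOKUP_TABLE.get(digest)


def demo() -> dict:
    """Run the comparison the post describes and return the results."""
    unsalted = sha256_hex(b"123456789")
    salt, salted_digest = hash_password("123456789")
    return {
        "hello": sha256_hex(b"Hello"),
        # The unsalted hash of a common password is a one-step table lookup...
        "unsalted_recovered": lookup(unsalted),
        # ...while the salted (and peppered) digest is not in any precomputed table.
        "salted_recovered": lookup(salted_digest),
        "verify_ok": verify_password("123456789", salt, salted_digest),
        "verify_wrong": verify_password("123456788", salt, salted_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the post does not spell out but a practitioner would check: `verify_password` uses `hmac.compare_digest` so that the comparison takes the same time whether the first or the last character differs, and because the salt is random per password, two users with the same password get two different digests. Note also that SHA-256 is a fast hash; production password storage uses a deliberately slow function built on the same ideas (such as `hashlib.scrypt`, bcrypt or Argon2) so that even per-salt guessing is expensive.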