Website Passwords Visible? Secure Them Now

TL;DR

Seeing encrypted passwords as a website admin isn’t necessarily okay. It depends on how they’re stored. Modern systems should use strong hashing and salting, making the passwords unreadable even to you. If you see plain text or weak encryption, your site is vulnerable. This guide explains how to check and fix it.

Understanding Password Storage

When users create accounts on your website, their passwords shouldn’t be stored as they are typed. Instead, they should be transformed into a secure format using a process called hashing. Here’s what you need to know:

• Hashing: A one-way function that turns the password into a string of characters. You can’t get the original password back from the hash.
• Salting: Adding a random string (the ‘salt’) to each password before hashing. This makes it harder for attackers using pre-calculated tables of common passwords and their hashes (rainbow tables).

If you see something that looks like the original password, or a short, easily guessable hash without a salt, your site is at risk.

Checking Your Password Storage

1. Database Inspection: Access your website’s database (usually through phpMyAdmin or a similar tool).
2. Identify the Password Field: Find the table storing user accounts and locate the column that holds passwords. Common names include ‘password’, ‘pass’, or ‘hashed_password’.
3. Examine Sample Passwords: Look at several entries in this field. What do you see?

• Plain Text: If you see actual passwords, your site is extremely vulnerable. Skip to step 4 (Immediate Action).
• Short Hashes (e.g., MD5, SHA1): These are outdated and easily cracked. Skip to step 4 (Immediate Action).
• Long Hashes (60+ characters) with Random Strings: This is a good sign – likely bcrypt, Argon2, or scrypt. It’s still worth verifying the algorithm used (see step 3).

Verifying Hashing Algorithm

If you suspect strong hashing but aren’t sure, check your website’s code.

1. Locate Password Hashing Code: Search for the function used to hash passwords. Common functions include:
   • PHP: password_hash() and password_verify()
   • Python (Django): create_password_hash() and check_password_hash()
   • Node.js (bcrypt): The bcrypt library functions.
2. Example PHP Code:

3. Check for Salt Usage: Ensure the hashing function automatically handles salting (most modern ones do). If you’re using an older library, verify salt generation and storage.

Immediate Action – Vulnerable Passwords

If you found plain text passwords or weak hashes, take these steps immediately:

1. Force Password Reset: Require all users to reset their passwords. This is the fastest way to invalidate compromised credentials.
   • Most website platforms have a built-in ‘force password reset’ feature.
2. Update Hashing Algorithm: Replace your current hashing method with a strong algorithm like bcrypt, Argon2, or scrypt. password_hash() in PHP is a good starting point.
3. Database Audit: Review your database for any other sensitive data that might be stored insecurely.
4. Security Scan: Run a cyber security vulnerability scan on your website to identify and address other potential weaknesses.

Ongoing Security Best Practices

• Regular Updates: Keep your website platform, plugins, and libraries up-to-date. Updates often include security fixes.
• Two-Factor Authentication (2FA): Encourage users to enable 2FA for an extra layer of protection.
• Rate Limiting: Implement rate limiting on login attempts to prevent brute-force attacks.