Neither does anyone else - if they are legitimate.
News about user accounts being stolen from Google, Home Depot, and others
can be very unnerving. However, good sites don't
actually store passwords. They only store a representation of them. Even if
your information is stolen, it doesn't mean your password is exposed.
How it works
Digging Deeper
There are a number of techniques in use, but they all rest on the
same basic premise. Here is one of the most common.
When you enter your password on an online account, the
password is run through an algorithm, that is, a mathematical calculation.
The result is what is saved in the database instead of your password.
The cool part - (getting a bit geeky here)
The result of one of these mathematical algorithms (you should drop
that phrase at your next party) is called a hash. If the same technique is used every time, then the
same string of characters will always produce the same hash.
For example, using one technique, the password "qwerty123" will always be converted
to the hash "2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=".
If you use a better password, like "Five5For5Fighting!Google",
you get the hash "gsOnlRB5/7LGOSyNTnQjjolSpqumI9UsT5/uNYgnM6A=".
It is this longer string that is saved in the database. If a
hacker steals the database, they can't tell by looking at the hash
what your password is. Hashes can't be reversed.
What a hacker can do is guess. They take a list of common passwords, run
each one through the same algorithm, and look for a hash that matches one
in the stolen database. That is why a password like "qwerty123" would be
found almost immediately, and a long, unusual one would not.
To find out if you used the right password, the website
simply runs the same algorithm on what you typed. If the result matches the hash in
the database, you used the right password.
Putting the hash itself in the password field would produce a completely
different hash, so it wouldn't work. If you were to put the qwerty123
hash (2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=) in the password field, you
would actually get "G4AAO88pl0kITda+I20eX69Pxk6lHGFzfC3l53NF2Ew="
back. It doesn't match, so the hacker can't get in.
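Here is the mechanism above in working code. This is an added example, not code from the original page or from MSC Southeast. It assumes the hashes printed on the page are SHA-256 digests written out in base64 (the "qwerty123" value decodes to exactly that), and it shows three things: the login check, why pasting a stolen hash into the password field fails, and how a hacker attacks a stolen hash by guessing rather than reversing. The wordlist is constructed for the example; a real one holds millions of entries.

```python
import base64
import hashlib
import hmac


def hash_password(password: str) -> str:
    """Return the base64 text of SHA-256(password).

    This is the unsalted "one technique" whose output the page prints.
    It is shown to illustrate the mechanics, not as a recommended way
    to store passwords (the salt discussion that follows explains why).
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_password(candidate: str, stored_hash: str) -> bool:
    """Login check: hash what the user typed and compare to the stored hash.

    compare_digest keeps the comparison time independent of where the
    first mismatching character is.
    """
    return hmac.compare_digest(hash_password(candidate), stored_hash)


def guess_from_wordlist(stored_hash: str, wordlist):
    """What a hacker does with a stolen hash: hash each guess and compare.

    Returns the matching guess, or None if nothing in the list matches.
    """
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess), stored_hash):
            return guess
    return None


if __name__ == "__main__":
    # Constructed data: the two passwords the page uses as examples.
    stored = hash_password("qwerty123")
    print("stored hash:", stored)
    print("right password accepted:", check_password("qwerty123", stored))
    # Pasting the hash into the password field hashes the hash: no match.
    print("pasting the hash accepted:", check_password(stored, stored))
    # A short, constructed wordlist stands in for a real dictionary of
    # millions of common passwords.
    wordlist = ["password", "123456", "letmein", "qwerty123"]
    print("weak password guessed:", guess_from_wordlist(stored, wordlist))
    strong = hash_password("Five5For5Fighting!Google")
    print("strong password guessed:", guess_from_wordlist(strong, wordlist))
```

Run it and the first line printed is the same "2qrW5WBO..." string the page shows; the weak password is recovered from the constructed wordlist, the strong one is not.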
Getting a bit more secure
To make things even more difficult for hackers, websites use
what is called a salt. This is a
string of random characters, different for every user, that is added
to your password before it is turned into a hash. The salt is not a secret:
it is stored in the database next to the hash, so the site can repeat the
calculation when you log in. What it buys is this: two people with the same
password end up with different hashes, and a hacker can't prepare a table of
hashes for common passwords ahead of time, because every user's salt changes
the result. Each stolen hash has to be attacked on its own. Good sites also
pick an algorithm that is deliberately slow to compute, so every guess costs
the hacker noticeable time.
With the salt, the whole thing is really pretty sweet.
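The salted version, as an added example that is not code from the original page or from MSC Southeast. It goes one step beyond the text by using a deliberately slow hash (PBKDF2 with HMAC-SHA256 from Python's standard library) rather than plain SHA-256; the iteration count and the "algorithm$iterations$salt$hash" record format are assumptions of this example, not a standard the page describes. Two users who choose the same password get different stored records, and the stored salt is what lets the site verify a login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: how many times the slow hash is iterated.
ITERATIONS = 600_000


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password_salted(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> str:
    """Produce the record a site stores instead of the password.

    A fresh 16-byte random salt is drawn for every password unless one
    is supplied (supplying one is only useful for tests). The salt and
    the iteration count are kept in the clear next to the hash; the
    record layout "pbkdf2_sha256$iterations$salt$hash" is an assumption
    of this example.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(derived)}"


def verify_password_salted(candidate: str, stored: str) -> bool:
    """Redo the same calculation with the stored salt and compare."""
    algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  salt, int(iterations))
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    # Constructed data: two users who happen to pick the same password.
    alice = hash_password_salted("qwerty123")
    bob = hash_password_salted("qwerty123")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, same stored record?", alice == bob)
    print("alice logs in:", verify_password_salted("qwerty123", alice))
    print("wrong password:", verify_password_salted("qwerty124", alice))
```

Because the salt differs per record, a hacker who stole both rows would have to run the whole wordlist twice, once per salt, and at the chosen iteration count each guess takes a noticeable fraction of a second instead of a microsecond.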
What we do at MSC Southeast
More robust systems, such as ours, don't use this technique
directly. We have the benefit of the StarID system. We don't store your
password, or its hash. Instead, we have a connection that validates your StarID and password
with the State's StarID system.
A similar technique is used by other government
agencies. It greatly insulates your information from hackers.
Final thought
The techniques outlined above are used by professionals in the Web and security
industries. Some less professional sites don't use them at all.
It is hard to tell which sites use these techniques and which
do not. This is why you should never reuse passwords. If attackers get
your password in one place, it shouldn't work anywhere else; they will
certainly try it!
Extra links
Find out if your Gmail has been hacked by reading 3 Ways to Check if Your Gmail is Hacked.
Learn about Google's Security Settings
(you need to log in first).