Here's a quick explanation of passwords and the various mechanisms used to protect them once a server has to store them.
Method 1: Plain Text Passwords
The simplest way of storing a password is... well, exactly as it is. The string "password" is stored somewhere in a database in its human-readable form, "password". Whenever you log in, the credentials you enter are compared directly against the database to check that they match. If you think this sounds bad, you aren't being biased at all: this is the worst possible method in terms of security, and no reputable service stores passwords in plain text. If the database is breached, every password in it is immediately compromised, along with every other account where a user reused that same password.
METHOD: UNSAFE.
Method 2: Basic Password Encryption
Encryption is used to add more protection to stored passwords. Encryption, for those of you who don't know, uses a secret key to turn your password into ciphertext, a string that looks random. If a hacker obtained this ciphertext on its own it would be useless, unless they also had the key, which they could then use to decrypt it back into the original password.
The problem is that encryption is reversible by design, and the key is usually stored on the very same server as the passwords (the server needs it to check logins). So if the server is hacked, the attacker doesn't have to do much work to decrypt all the passwords at once, which means this method is still wildly insecure. A login check never actually needs the original password back, so reversibility buys nothing here and only adds a single point of failure.
METHOD: UNSAFE.
Method 3: Hashed Passwords
Hashed passwords can be considered similar to encryption in the sense that a hash function turns your password into a fixed-length string of letters and numbers to keep the password hidden. However, unlike encryption, there is no key, and the algorithm cannot be run backwards to obtain the password. A hacker who obtains the hash has to try many different candidate passwords until one produces the same hash.
However, as we all know, to every rule there is an exception. A hacker may not be able to decode a hash back to the original password, but they can hash guess after guess until one matches the hash they have. Computers are very fast, so this goes very quickly, especially with something called rainbow tables (and plain lookup tables): because the same password always produces the same hash, an attacker can precompute the hashes of billions of common passwords once and then just look up a stolen hash to see if it has already been discovered.
Try typing e38ad214943daad1d64c102faec29de4afe9da3d into Google. You'll quickly find that it's the SHA-1 hash for "password1". For more information on how rainbow tables work, check out this article by coding guru Jeff Atwood on the .
METHOD: UNSAFE.
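The lookup attack described above, as an added example that is not part of the original article. It uses only Python's standard library; the "common passwords" list and the "leaked database" are constructed here for illustration, not real data. Note that two users with the same password get the same unsalted hash, so cracking one cracks both.

```python
import hashlib

# Constructed sample: a tiny "most common passwords" list. A real precomputed
# table (rainbow or plain lookup) covers billions of candidates.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password1", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the way Method 3 stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; reuse it against every leaked database."""
    return {sha1_hex(p): p for p in candidates}


def crack_unsalted(leaked_hashes, table):
    """Recover passwords by pure lookup: no hashing happens at crack time."""
    return {h: table[h] for h in leaked_hashes if h in table}


# Constructed "leaked database": username -> unsalted SHA-1 hash.
LEAKED_DB = {
    "alice": sha1_hex("password1"),
    "bob": sha1_hex("letmein"),
    "carol": sha1_hex("correct horse battery staple"),
    "dave": sha1_hex("password1"),  # same password as alice -> identical hash
}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    found = crack_unsalted(LEAKED_DB.values(), table)
    for user, h in LEAKED_DB.items():
        print(f"{user}: {h} -> {found.get(h, '<not in table>')}")
```

Alice's stored hash is exactly the e38ad214... value from the text, so anyone holding the table (or a search engine index of it) recovers her password without doing any hashing at all.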
Method 4: Hashed Passwords with a Dash of Salt
A salt is a random string of bytes generated separately for each password.
Salting a password means adding that random string to the beginning or end of the password before hashing it, and storing the salt next to the hash (the salt is not a secret; the server needs it to verify logins). Because each password gets a different salt, two users with the same password end up with different hashes, and a precomputed rainbow table is useless: the attacker would need a separate table for every salt. What salting does not do is slow the attacker down. Every guess against one user still costs one fast hash, so a weak password behind a salted MD5, SHA-1 or SHA-256 hash can still be cracked by a dictionary or brute-force attack at billions of guesses per second on a GPU.
METHOD: SAFER, BUT NOT ENOUGH ON ITS OWN.
Method 5: Slow Hashes
Hash functions like MD5, SHA-1, and SHA-256 are designed to be fast: a GPU can compute billions of them per second. In a brute-force attack, the time per guess is the most important factor. By using a deliberately slow hash like the bcrypt algorithm (or scrypt, PBKDF2, or Argon2), each guess takes far longer to compute, so brute-force attacks take much, much longer. These functions have a tunable cost (work) factor, so the delay can be raised as hardware gets faster, and bcrypt generates and stores its own salt, so Method 5 includes Method 4 rather than replacing it.
METHOD: SECURE, AND THE ONE YOU SHOULD USE.
Why does the length of my password matter?
Strong passwords are harder to brute force, and length is the cheapest way to make one strong: every extra character multiplies the number of possible passwords by the size of the character set, so the attacker's time grows exponentially with length. Combine a long password with a slow hash and exhausting the search space should take a very, very long time. Combine a short or common password with a slow hash and it still falls quickly, because the slow hash only multiplies the cost of each guess; it doesn't reduce the number of guesses the attacker needs.
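Method 5 and the password-length point together, as an added example that is not from the original article. bcrypt is not in Python's standard library, so this uses `hashlib.pbkdf2_hmac` as the slow hash (same idea: a tunable work factor); the iteration count, the `pbkdf2_sha256$iterations$salt$digest` storage format and the measured rates are assumptions for illustration, and the brute-force time formula is the plain keyspace-over-rate estimate.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000              # work factor; tune so one hash costs tens of ms on your server
SECONDS_PER_YEAR = 365 * 24 * 3600


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: Method 4. Fine against rainbow tables, fast to brute force."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stdlib stand-in for bcrypt (Method 5)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> str:
    """Record everything verification needs, including the work factor,
    so the cost can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${slow_hash(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, trials: int) -> float:
    """Measure how many guesses this machine can hash per second (attacker's rate)."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess{i}", salt)
    return trials / (time.perf_counter() - start)


def years_to_exhaust(length: int, charset_size: int, guesses_per_sec: float) -> float:
    """Time to try every password of the given length at the given rate."""
    return charset_size ** length / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    rec = store_password("hunter2")
    print("stored:", rec)
    print("verify:", verify_password("hunter2", rec), verify_password("hunter3", rec))
    fast = guesses_per_second(fast_hash, 20_000)
    slow = guesses_per_second(slow_hash, 5)
    print(f"fast hash: {fast:,.0f} guesses/s, slow hash: {slow:,.1f} guesses/s")
    for length in (6, 8, 10, 12):
        # 62 = upper + lower + digits; a GPU does far better than this CPU.
        print(f"length {length}: {years_to_exhaust(length, 62, fast):.2e} years fast, "
              f"{years_to_exhaust(length, 62, slow):.2e} years slow")
```

The interesting column is the slow one at short lengths: even a five-figure slowdown per guess does not rescue a 6-character password, while a 12-character one is out of reach even at the fast rate. Length and the slow hash multiply together; neither substitutes for the other.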