Why can't a website just tell you your password instead of resetting it?

You should get a password manager, such as NordPass, and use a different password for each site you visit.
That way, when one site gets compromised your one password doesn't get known to the people who do bad things for a living.
 
You should get a password manager, such as NordPass, and use a different password for each site you visit.
That way, when one site gets compromised your one password doesn't get known to the people who do bad things for a living.
How do they work? When a forum asks for my password, do I now have to logon to this NordPass (using yet another password) and search for and then copy and paste the password into the forum login?
 
When you pick a password, they know what you typed in and can validate that it fits the rules (> 8 chars, mix of letters and numbers etc).

But as mentioned they don't store your password, they store a hashed version of it. Like frying an egg, it's an irreversible change. If you have the original password you can make the hash, but if you have the hash you can't figure out the original.

When it comes to 32 byte hash functions, it's almost impossible for two input passwords to give you the same hash value output.

When you try to login down the road, you type your password, they then hash it using the same function. Then they read the value stored in the database and if the two hashes match, they know you typed your password correctly because again you can only get the same hash if you use the same input.

Why do this? One reason is because if the database is compromised, they won't know your password and can't try to login to other services using your name/email and password.

This is the most simple version, if you're smart when you design your system you also salt your hashes. What salting does, is take a random bit of data (maybe the exact time in milliseconds past 1970) and append that to your original password. Then both those values; your original password and the salt, are used as the input for the hash and the result of hashing that is stored in the database, along with the salt (random bit of data) stored separately. Then when you type your password, they lookup the salt for your name/email, append the salt again to your input password, and test if the hashed value matches the value stored in the database.

Using salt means that your hashed password will never be found in somebody elses database.

If you use your email + same password on my site and on google, and then my site is hacked and they can read my database; they then know what the hashed password is. Though they still can't read what you put in originally, they can run millions of words/phrases into a hash function and build a table. The hash of "test" = "alskdjflkjlkjsdf", the hash of "oil" = "llkjsdflkjslkdfj" etc etc (not real hash values). Then if they see "alskdjflkjlkjsdf" in my database, they look for that value in their table of millions of pre-calculated hashes, and when they get a match they know that your password must have been "test".

However, if you salt your hashes as described above, then they can't lookup "alskdjflkjlkjsdf" in their table and attempt to login to google with your email/password, because every site uses different salts and so your hashed password is different on every database even though you used the same input password.


Edit: for the 6 previous passwords: again, they don't store your unencrypted version of the password, they store the hashed version of the password. When you are forced to type in a new password for the 7th time, they hash your password and get "lkjsldkfjl" (say). Then they look if "lkjsldkfjl" is one of the previous 6 values and if it is, they say "sorry, pick something different".

Edit2: Bottom line: if a site claims to be able to email you your password back, run from it. A secure system will never be able to tell you your password.

Password managers are the only tool that is the exception. They build an encrypted database using a single password. Like a lock box, if you have the one key you can get into the box and read everything stored inside it. The lock box is not storing your hashed password, they are storing your original unhashed passwords. Those values are encrypted using a single password so once you know the master password, you can unencrypt the database and read all your password values.
 
Last edited:
How do they work? When a forum asks for my password, do I now have to logon to this NordPass (using yet another password) and search for and then copy and paste the password into the forum login?
Might be easier for you to use your brower's built-in password manager, that is if they support / offer it. I use Chrome on my laptop, iPhone, and work computer and I "sync" everything.
 
How do they work? When a forum asks for my password, do I now have to logon to this NordPass (using yet another password) and search for and then copy and paste the password into the forum login?
The one I use - BitWarden - and most others:

1) Allow you to log in once and remain logged in unless and until some condition is met (i.e. you manually log out, you log out of your system, you close your browser, etc.; it should be a setting that you can choose).

2) Presuming you are logged in (I just use BitWarden's browser extensions; but they also have a stand-alone desktop and mobile app) the password manager monitors the URL's you visit. When I visit the login page for this forum, for example, the BitWarden icon has a badge on its toolbar icon that says "1", meaning it has found 1 login for this URL. I click the icon, click the account I'd like auto-filled into the login fields at the login page, and we're done.
 
Brave browser is good with passwords. And I use LastPass but that is not as easy to use anymore.
 
Firefox also has a built in password manager and secure password generator that will sync across multiple devices.

If you're in the Apple ecosystem, this is all available to you as part of "keychain" which is in the underpinnings of macOS/iOS etc.

With both services, anymore I often let them generate secure passwords especially for important stuff like banking websites. They'll spit out a random string of letters, numbers, and characters. Good luck remembering it, but it's not a big deal since they save it for you and it's complex enough that if you gave a hacker a year of unfettered trials I doubt they'd be able to guess it.
 
I've received passwords directly when I did a password recovery. These days I think it would normally be via encrypted pages. So some websites do send the password directly without needing to reset it along with a temporary password.
 
I've received passwords directly when I did a password recovery. These days I think it would normally be via encrypted pages. So some websites do send the password directly without needing to reset it along with a temporary password.
Only Bush League websites still store your password. Don't ever put anything important on a website that does.
 
Can you elaborate on what you mean by this?

Almost all web pages and web traffic are encrypted these days using public key encryption. That’s why we feel comfortable just entering passwords or even credit card information. Theoretically just displaying the password as a result of a password recovery shouldn’t require a reset. A lot of times when I do a reset password procedure, it’s a temporary password sent vis unencrypted email. The idea is that it’s done quickly and requires a new password be specified when signing in with the temp password.
 
No. I’ve seen a few that actually display the password (via encrypted webpage) after answering challenge questions.
Haven't seen that in ages. When I've seen challenge questions, once answered correctly, then some sites allow you to change your password without having to use email with a temporary password.
 
Almost all web pages and web traffic are encrypted these days using public key encryption. That’s why we feel comfortable just entering passwords or even credit card information. Theoretically just displaying the password as a result of a password recovery shouldn’t require a reset. A lot of times when I do a reset password procedure, it’s a temporary password sent vis unencrypted email. The idea is that it’s done quickly and requires a new password be specified when signing in with the temp password.

They can definitely email you a temporary password. That's fine. As long as they force you to type a new one in immediately afterwards.

The problem isn't http vs https (although definitely make sure https is used when typing in sensitive information), the problem is how do they store your password in their database.

If it's a permanent password, and they can email it to you, run from that site and/or never use that password on any other site. That means they're storing your password in a format that is able to be read by hackers if/once they gain access.
 
Back
Top