How websites check your password (without knowing what it is)

When you visit a website and enter a password (or autofill one from your password manager), have you ever wondered what happens behind the scenes?

In other words, how does the website know if the password you’ve entered matches the password they’ve stored?

The answer has to do with how it stores your password, and it involves a clever technique called hashing.

What’s wrong with plaintext passwords

Let’s think of a website’s user database as if it were a spreadsheet. Each row represents one user, and there are two columns: username and password.

To check if a user has entered the right password, you could look up the entered username and check if that row’s password column matches the entered password.

Seems pretty simple, right? Unfortunately, a database like this—where passwords are stored in plaintext—would be a security disaster in real life.

That’s because an attacker would only have to gain access to this one database to learn every user’s password. And it wouldn’t just be users’ data on this website that would be compromised. The attacker could also try all the username/password combos on other websites. People tend to reuse the same passwords, so the attacker would probably succeed.

Why hashing is safer

To protect users, most modern websites hash their passwords before storing them.

Hashing, like encryption, is a process that converts any string of data into a seemingly random, unreadable string of data. Unlike encryption, however, hashing cannot be undone. There is no “key” that can be used to “de-hash” a hashed password. It is, in mathematical terms, a one-way function.

Storing passwords in hashed form is therefore safer because the hash cannot be reversed into the original password. In practice, it’s a little more complicated than this—check out our blog post on salting and hashing to learn more—but the gist is that hashing allows websites to remain ignorant of what your actual password is.

This is why websites force you to create a new password when you forget your old one. They can’t simply tell you your current password because they’ve only stored the hash. In fact, if a website is able to send you your current password after you’ve forgotten it, that’s a clear indication the website has very poor security.

How websites check (hashed) passwords

If a website only stores hashed passwords, then how can it check if the password you’ve entered is correct?

By checking the hash of what you’ve entered against the stored password hash.

Hashing has the important property that if two strings do not match—even if they differ by only one character—their hashes will look completely different. Only two strings that match exactly will have matching hashes.* Therefore, if the hash of what a user enters in the password field matches the hash associated with that user in the database, the website knows the password was entered correctly.
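The check described above, as an added example that is not code from the original article. It assumes a per-user random salt and PBKDF2-HMAC-SHA256 as the hash (the article only says "hash" and points to salting elsewhere); the names `users`, `register` and `check_password` and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware

# Stand-in for the "spreadsheet": username -> (salt, password hash). No plaintext column.
users = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, deliberately slow hash of the password combined with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a random salt and the resulting hash, never the password itself."""
    salt = os.urandom(16)
    users[username] = (salt, hash_password(password, salt))


def check_password(username: str, entered: str) -> bool:
    """Hash what was entered with the stored salt and compare it to the stored hash."""
    record = users.get(username)
    if record is None:
        # Unknown user: still do the hashing work so response time does not reveal it.
        hash_password(entered, b"\x00" * 16)
        return False
    salt, stored_hash = record
    # compare_digest runs in constant time, so the comparison leaks nothing via timing.
    return hmac.compare_digest(hash_password(entered, salt), stored_hash)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample account
    print(check_password("alice", "correct horse battery staple"))  # exact match
    print(check_password("alice", "correct horse battery stapl3"))  # one character off
    print(check_password("bob", "anything"))                        # no such user
    salt, stored = users["alice"]
    print(stored.hex())  # what the database holds instead of the password
```

Because each account gets its own salt, two users who pick the same password still end up with different stored hashes.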

Now that you know how websites store (and check) your passwords with hashes, don’t let that stop you from making your own passwords as strong as possible. Use our random password generator to create strong passwords quickly and securely.

*Actually, this isn’t strictly true. Two strings could theoretically have the same hash, which is called a hash collision. But with the now-standard SHA family of hash functions, collisions are so rare and unpredictable that they are generally ignored.
