Password management 101 for non-technical users

Updated: Jan 4, 2020

First and foremost, passwords should never be sent from the user's computer to the server in plain text. Some sort of hashing (I'll explain what that is later) on the user-facing side of the system is required before the data is sent over, to prevent people spying on the communication as it passes through the routers, or at least to make their life much more difficult. This means that by the time the server receives it, it has no way of knowing what the original password was.

Next, when the "messed up" password is received by the server, it will have to hash it again. Hashing means taking the data and putting it through an algorithm that always turns the same input into the same fixed-length string of characters, one that looks random. It differs from encryption in that it's one-way: while you can decrypt an encrypted text, you can't "de-hash" a hashed text and recover the original.

An additional layer of security termed salting might be applied too. This is basically a bunch of random characters generated for, and unique to, every user (called a salt). The purpose of the salt is to mix it with the original "messed up" password received by the server before that password is hashed. The reason: if a hacker accesses the database and downloads copies of password hashes which were hashed yet not salted, spotting a batch of identical hashes automatically reveals that the original passwords are the same for all those users, more often than not common passwords like "Password1" (capital P, password, 1 - sounds familiar?). This salt can be stored
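The effect described above, as an added Python illustration written for this page (not code from the original post): two users who both chose "Password1" get identical unsalted hashes, while per-user salts plus a slow hash (PBKDF2 from the standard library) give them different stored records. Function names such as `make_record`, `verify`, `same_unsalted` and `same_salted` are chosen here, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-SHA256; tune upward as hardware gets faster.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Deterministic, so equal passwords give
    equal hashes: this is the weakness a leaked, unsalted table exposes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored credential: a fresh random per-user salt plus the
    salted, deliberately slow hash. The salt is stored next to the hash."""
    if salt is None:
        salt = os.urandom(16)  # unique to this account, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_unsalted(p1: str, p2: str) -> bool:
    """True when two passwords collide in an unsalted table."""
    return unsalted_hash(p1) == unsalted_hash(p2)


def same_salted(p1: str, p2: str) -> bool:
    """True when two freshly salted records collide (they should not)."""
    return make_record(p1)["hash"] == make_record(p2)["hash"]


if __name__ == "__main__":
    # Constructed sample: two users who both picked "Password1".
    print("unsalted hashes match:", same_unsalted("Password1", "Password1"))
    print("salted hashes match:  ", same_salted("Password1", "Password1"))
    rec = make_record("Password1")
    print("correct password accepted:", verify("Password1", rec))
    print("wrong password accepted:  ", verify("password1", rec))
```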