Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community!

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security Security Literacy Common Attacks and Defenses The Dangers of Passwords (part 2)

Shafiq Mohammed
Shafiq Mohammed
1,507 Points

Does a security breach from one website really mean that other websites where you used the same password becomes unsafe?

So in this lecture, we learn that even if we have a 20 digit password, if we use that password in multiple places, one leak can mean a compromise of that password.

But my question is--is that really the case? Most websites store a Hash of the password, and not the password itself in plain-text. So even if the security is breached, only the password hash is leaked and not the password itself. Is that assumption valid?

I realize some websites would be insecure and store passwords as plaintext, but you may have a common password for say, all banks, and banks are highly likely to never commit such a mistake, right?

3 Answers

Steven Parker
Steven Parker
224,865 Points

You're still making an assumption there, but you're partly right. If proper precautions have been taken to only store passwords in salted hashes, that will greatly increase the complexity of decrypting the passwords. But the risk would still exist if for some reason the hacker concentrated efforts to decrypt your password, and once they have identified it they could use it to access your other accounts.

The best precaution is regardless of the password strength (or how it is stored — if that's knowable) just just never use the exact same password in more than one place.

Right like Steven says. You always have to be proactive especially if they don't salt the hashes, you can still be vulnerable by brute force techniques, where every possible combination is tried. So its safe to never assume. I've heard of some companies using master keys to encrypt user passwords with capabilities to decrypt them.

Greg Stromire
Greg Stromire
Treehouse Guest Teacher

Good points about password hashing! I would also add we don't always know the full extent of password breaches. We can end up with several outcomes:

  1. Only password hashes are exposed -- this is still a breach considering things like "rainbow tables" that can essentially circumvent some hashing.
  2. Plaintext passwords are exposed, but no usernames attached -- could be poor security implementation or another reason. This kind of data can be added to password cracking tools as "known passwords" to try first.
  3. Username and password combinations are exposed -- this info is often sold by hackers and is not often publicized. The most info we may receive from a breached service is a notification suggesting us to change our password. Again, better to be unique to avoid all of this in the first place.