How Personal lets you login…without storing your password


Since we launched our open beta last month, we’ve received valuable feedback and good questions from people, including these: “Does Personal really not store a copy of my password? And, if you don’t store my password, how do you know it’s really me when I log in?”

Very understandable.  After all, you provide your username and password to log into Personal. It may seem like magic – or just hard to believe that we wouldn’t store a copy of your password – but it actually comes down to a little bit of very smart math.

In cryptography, there is a set of functions that comprise a Secure Hash Algorithm, or SHA, designed by the National Security Agency.  SHA functions are used with your password to produce a hash, or a long string of letters and numbers, that Personal stores for comparison with the password you enter, but cannot be used to reverse engineer your password. (If you want to get deeper into it, this Wikipedia article will help.)

Here’s an example:

Let’s say this is the password you’ve chosen to use on Personal: $aGuhetE4e6E5e%a.

When you register for Personal, we will take that password, apply the SHA functions and hash it like so:

SHA-256($aGuhetE4e6E5e%a) = 7313c5fdbe55eccd01e857cb64c5784d569f342f191d118dfffcbc8c748d37d7

This long string of characters is known as the hash. Only the hash is stored in the database. We never store your actual password, and it cannot be reverse-engineered from the hash.

The next time you come to Personal, you’ll enter your username and password again and Personal will simply hash Login screenthe newly-entered password. We then compare the  two hashes (the stored one and the entered one) to determine if they match. If so, we allow the login. If the passwords don’t match, we know to reject the login attempt.

This is just one of many security concepts and best practices that Personal uses in conjunction with a SHA-256 password hash to keep your sensitive information safe and accessible by only you and those to whom you grant access.

Do you have a question?  Let us know in the comments and subscribe to our RSS to get notified when we post more on these topics.

More about Tarik
Written by: Tarik on December 12, 2011.
Last revised by: Katie on May 7, 2012.
Tagged in: ,
Tarik

By Tarik Kurspahic in Inside Personal

December 12, 2011

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>