Since we launched our open beta last month, we’ve received valuable feedback and good questions from people, including these: “Does Personal really not store a copy of my password? And, if you don’t store my password, how do you know it’s really me when I log in?”
Very understandable. After all, you provide your username and password to log into Personal. It may seem like magic – or just hard to believe that we wouldn’t store a copy of your password – but it actually comes down to a little bit of very smart math.
In cryptography, a Secure Hash Algorithm, or SHA (the SHA-2 family we use, which includes SHA-256, was designed by the National Security Agency), is a one-way function: you feed it your password and it produces a hash, a fixed-length string of letters and numbers. Personal stores that hash so it can be compared against the password you enter, but the function cannot be run backwards to recover your password from the hash. (If you want to get deeper into it, this Wikipedia article will help.)
Here’s an example:
Let’s say this is the password you’ve chosen to use on Personal: $aGuhetE4e6E5e%a.
When you register for Personal, we take that password and apply SHA-256 to it, like so:
SHA-256($aGuhetE4e6E5e%a) = 7313c5fdbe55eccd01e857cb64c5784d569f342f191d118dfffcbc8c748d37d7
This long string of characters is known as the hash. Only the hash is stored in the database. We never store your actual password, and the hash cannot be run backwards to reveal it. One caveat worth knowing: a hash function being one-way does not stop an attacker who steals the hash from guessing. They can hash millions of candidate passwords and look for a match, which is why a long, unusual password like the one above matters, and why password hashes are normally stored with a random per-user salt and a deliberately slow hash so that each guess costs real effort and no precomputed table applies to every user at once.
The next time you come to Personal, you’ll enter your username and password again and Personal will simply hash the newly-entered password. We then compare the two hashes (the stored one and the entered one) to determine if they match. If so, we allow the login. If the passwords don’t match, we know to reject the login attempt.
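The register-and-verify flow described above, as an added example in Python. This is illustration written for this post, not Personal's own code, and the post does not say whether Personal salts or stretches its hashes: the first pair of functions implements the plain SHA-256 scheme exactly as described, the second pair shows the standard hardened form (random salt plus PBKDF2-HMAC-SHA256 with many rounds), and `crack_plain` shows why the caveat matters. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# --- The scheme as the post describes it: store SHA-256(password) ---

def sha256_hex(password: str) -> str:
    """Plain SHA-256 of the password, hex-encoded (what the post shows)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def register_plain(password: str) -> str:
    """What goes in the database: only the hash, never the password."""
    return sha256_hex(password)

def verify_plain(stored_hash: str, entered_password: str) -> bool:
    """Hash the newly entered password and compare with the stored hash.
    compare_digest is constant-time, so a mismatch does not leak how many
    leading characters matched through response timing."""
    return hmac.compare_digest(stored_hash, sha256_hex(entered_password))

# --- Hardened variant: random per-user salt + slow key derivation ---
# Assumption (illustration only): the post does not describe this step.

PBKDF2_ROUNDS = 600_000  # typical 2023 guidance for PBKDF2-HMAC-SHA256

def register_salted(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$hash.
    A fresh 16-byte salt means two users with the same password get
    different records, and no precomputed table covers both."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_salted(record: str, entered_password: str) -> bool:
    """Re-derive with the stored salt and round count, then compare."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", entered_password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(rounds),
    )
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- Why the plain scheme needs the caveat: guessing needs no inversion ---

def crack_plain(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each candidate and stop at the first match. Against an
    unsalted hash, the same precomputed hash -> password table works
    for every user in the database."""
    for candidate in wordlist:
        if sha256_hex(candidate) == stored_hash:
            return candidate
    return None

if __name__ == "__main__":
    pw = "$aGuhetE4e6E5e%a"          # the post's example password
    stored = register_plain(pw)
    print("stored hash:", stored)
    print("login ok:   ", verify_plain(stored, pw))
    print("login bad:  ", verify_plain(stored, pw + "x"))
    # Constructed wordlist: a weak password falls to guessing at once.
    weak = register_plain("password123")
    print("guessed:    ", crack_plain(weak, ["letmein", "password123"]))
    rec = register_salted("correct horse battery staple")
    print("salted rec: ", rec)
    print("salted ok:  ", verify_salted(rec, "correct horse battery staple"))
```

Run it directly to see the plain hash, the accept/reject decisions, the weak password being recovered from its hash by guessing, and a salted record that differs on every registration even for the same password.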
This is just one of many security concepts and best practices that Personal uses in conjunction with a SHA-256 password hash to keep your sensitive information safe and accessible by only you and those to whom you grant access.
Do you have a question? Let us know in the comments and subscribe to our RSS to get notified when we post more on these topics.