Why Websites Don’t Store Your Password: Hashing Explained

Websites never store your password in plain text. Instead, they save a one-way “hash” — a fixed-length fingerprint that can’t be reversed. Even if a database leaks, hashing (plus salt) helps keep your real password hidden.

Concept illustration of password hashing

When we log in to a website, the password we type is never stored in plain text. If a server were to save passwords exactly as entered, it would mean that any administrator or hacker with access to the database could read them directly — a serious security risk.

To prevent this, servers run your password through a hash function and store only the result. This is often loosely described as "encryption", but hashing is a different thing: encryption is reversible by anyone holding the right key, while a hash has no key and cannot be reversed at all.


What Is a Hash?

A hash function is a one-way mathematical formula. When a password is entered, the hash function converts it into a fixed-length string of characters — a sort of digital fingerprint.

For example, even though “1234” may seem simple, when processed through a hash function, it could become something like “ab23cf9d72…”. The key point is that this transformation cannot be run backwards: nothing in the hash value lets you compute the original “1234” from it. (An attacker can still guess “1234”, hash the guess and compare, which is why the one-way property alone is not enough, as discussed further below.)

That is why it is sometimes called “one-way encryption”, even though strictly speaking it is not encryption at all. It only goes in one direction, from password to hash, and there is no key that brings it back.

One-way hashing concept

How Login Verification Works

When you first register, the server takes your password, hashes it, and stores only the hash value in its database. Later, when you try to log in again, the password you enter is hashed once more, and the system simply checks if this new hash matches the one previously stored.

This means the server never needs to know your real password — it only compares two hash values. If they are identical, the server concludes that the passwords match, and access is granted.
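The registration and login flow described above, written out as an added example (this is not code from the original post). It keeps a constructed in-memory dictionary as the "database", uses a random per-user salt, derives the stored value with PBKDF2-HMAC-SHA256 from Python's standard library, and compares digests in constant time so the comparison itself does not leak how many bytes matched. The user names, passwords and the 600,000 iteration count (OWASP's current recommendation for PBKDF2-HMAC-SHA256) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> record (assumption for this
# example; a real server would use a proper datastore). Note that no record
# ever contains the password itself.
USERS = {}

# PBKDF2 work factor. 600,000 is OWASP's current recommendation for
# PBKDF2-HMAC-SHA256; an assumed value here, tune it per deployment.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation: returns a fixed-length (32-byte) digest of the password.

    The salt is mixed in so two users with the same password get different
    digests, and the iteration count makes each guess deliberately expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> None:
    """Registration: hash once and keep only salt, work factor and digest."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    USERS[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


def verify(username: str, password: str) -> bool:
    """Login: re-hash the submitted password with the stored salt, compare digests."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that probing for
        # valid usernames is not measurably faster than a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison: a plain == would stop at the first differing
    # byte and leak, via timing, how close a guess is.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                 # False
    print(verify("nobody", "anything"))                      # False
    # What the database actually holds: salt and digest, no password.
    print(USERS["alice"]["salt"].hex(), USERS["alice"]["hash"].hex())
```

The server-side record contains only the salt, the iteration count and the digest; the iteration count is stored alongside the hash so it can be raised for new accounts without invalidating old ones.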


Why This Matters for Security

Even if a hacker breaks into the database and steals all the password records, what they’ll find are hash strings, not the actual passwords. Those hashes are not useless to the attacker, though. They can be attacked offline, at leisure, by hashing millions or billions of guesses and looking for a match, a process called brute-forcing (or a dictionary attack, when the guesses come from a list of common passwords). With a fast general-purpose hash such as MD5 or SHA-256 and no salt, a GPU can test billions of guesses per second, precomputed tables of common passwords give instant answers, and short or common passwords fall in seconds. Unsalted hashes also reveal which users share a password, because identical passwords produce identical hashes.

Modern systems make this harder in two ways. The first is salting: a random value, different for every user, is combined with the password before hashing, so that identical passwords don’t produce the same hash and a table precomputed by the attacker is worthless against the whole database. The second is using a dedicated, deliberately slow password-hashing function such as Argon2, scrypt, bcrypt or PBKDF2 instead of a plain fast hash, so that every single guess costs the attacker far more time (and, for Argon2 and scrypt, memory). Salting does not rescue a weak password on its own; it stops precomputation and forces per-user work, and the slow hash multiplies the cost of that work.
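The offline attack and the effect of salting, as an added example rather than code from the original post. It plays both sides: a constructed "leaked" table of three users, a tiny constructed wordlist standing in for the attacker's list of millions of common passwords, and plain SHA-256 standing in for the fast, unsalted hash a legacy system might have used. Against the unsalted table the attacker precomputes hash-to-password once and cracks every record with a dictionary lookup; against the salted table the same attacker has to re-hash the whole wordlist for every user. The user names, passwords and wordlist are assumptions made up for the example.

```python
import hashlib
import os

# Constructed wordlist: in practice an attacker uses millions of entries.
WORDLIST = ["password", "123456", "1234", "qwerty", "letmein", "dragon"]

# Constructed user table shared by both storage schemes; alice and bob
# deliberately share a password.
PLAINTEXT_USERS = [("alice", "1234"), ("bob", "1234"), ("carol", "dragon")]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: fast and deterministic, so the same password always
    gives the same hash, for every user on every site that stores it this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. Still fast (a slow KDF would be better),
    but the per-user salt breaks precomputation and hash equality."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Attacker side: hash the wordlist ONCE. The table is reusable against
    any unsalted dump from any site."""
    return {fast_hash(word): word for word in wordlist}


def crack_unsalted(leaked_hashes, table):
    """Attacker side: one dictionary lookup per leaked hash, no hashing at all."""
    return {h: table[h] for h in leaked_hashes if h in table}


def crack_salted(leaked_records, wordlist):
    """Attacker side: with a salt per user, nothing can be precomputed; the
    wordlist must be re-hashed for each user. Returns (found, hashes computed)."""
    found = {}
    work = 0
    for username, (salt, stored) in leaked_records.items():
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == stored:
                found[username] = guess
                break
    return found, work


def demo():
    """Run the attack against both storage schemes and summarise the outcome."""
    # Scheme 1: unsalted. Identical passwords leak as identical hashes.
    unsalted_db = {user: fast_hash(pw) for user, pw in PLAINTEXT_USERS}
    table = build_lookup_table(WORDLIST)
    cracked_unsalted = crack_unsalted(unsalted_db.values(), table)

    # Scheme 2: salted with a fresh random salt per user.
    salted_db = {}
    for user, pw in PLAINTEXT_USERS:
        salt = os.urandom(16)
        salted_db[user] = (salt, salted_hash(pw, salt))
    cracked_salted, salted_work = crack_salted(salted_db, WORDLIST)

    return {
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_identical": salted_db["alice"][1] == salted_db["bob"][1],
        "unsalted_cracked": len(cracked_unsalted),      # distinct hashes recovered
        "unsalted_work": len(unsalted_db),              # one lookup per record
        "salted_cracked": cracked_salted,               # username -> password
        "salted_work": salted_work,                     # hashes the attacker computed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both tables are cracked here because the passwords are in the wordlist: salt does not turn "1234" into a good password. What it changes is the cost model, from one precomputed table shared across every site and every user to a fresh pass over the wordlist per user, and swapping the fast SHA-256 for a slow function such as Argon2 or PBKDF2 then multiplies the cost of every one of those guesses.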


In short, hashing acts as a digital shield, protecting your password from being exposed even if the database itself is compromised. Because only a salted, slow one-way hash is stored, your actual password is never written down anywhere, not even for the people running the system.

This is a translation of a blog post originally written in Korean.