How does the “Forgot Password” function work on the back-end?

7 Answers

Anonymous 0 Comments

Security can be granted through a few different avenues.

– Something only you know (password, ssn+dob, a series of extremely personal questions/answers)
– Something only you have access to (an email account)
– Something only you hold (cellphone, usb key)

We use passwords because opening an email, or responding to a text message every time you wanted to login is a huge pain. And that “remember me on this device” checkbox is actually a form of ‘something you hold’.

If you don’t know your password, the service verifies “you are you” by sending the reset link to your email address.

Critical services like banking or healthcare often require even more validation, like inputting a code texted to your personal cellphone.
(Something only you have access to + something only you physically hold)

Once they’ve validated that you are who you are, the backend process is really simple. You submit your password, they shove it through an algorithm to generate an (almost) unique ID, then that hash is saved over your old password.

Some places keep track of the last X hashes so they can say “you’ve already used this one”.

Some BAD companies store passwords exactly as you input them, which leaves you exposed if they’re hacked & you reused the password.
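The flow the answer describes (prove email access with a one-time link, hash the new password, keep the last X hashes to refuse reuse) as an added example; this is not the poster's code. In-memory dicts stand in for the database, the PBKDF2 cost and history length are constructed values, and actually emailing the link is left out.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERS = 100_000        # constructed cost; tune to your hardware
HISTORY_LEN = 3               # the "last X hashes" kept to catch reuse
TOKEN_TTL_SECONDS = 15 * 60   # how long a reset link stays valid

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: this value is what gets stored instead of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so the check leaks nothing about the digest.
    return hmac.compare_digest(hash_password(password, salt), digest)

class ResetService:
    def __init__(self):
        self.users = {}   # email -> {"salt", "hash", "history": [(salt, hash), ...]}
        self.tokens = {}  # sha256(token) -> (email, expires_at); raw token never stored

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt), "history": []}

    def request_reset(self, email: str, now: float):
        # Step 1: mint a one-time token for the emailed link; store only its hash,
        # so a leaked token table cannot be used to reset anyone's password.
        if email not in self.users:
            return None   # caller should still show the same generic "check your email" page
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: float) -> str:
        # Step 2: a valid, unexpired token proves "something only you have access to".
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.get(key)
        if entry is None:
            return "invalid-token"
        email, expires_at = entry
        if now > expires_at:
            del self.tokens[key]
            return "expired-token"
        user = self.users[email]
        previous = [(user["salt"], user["hash"])] + user["history"]
        if any(matches(new_password, s, h) for s, h in previous):
            return "password-reused"      # "you've already used this one"; token stays valid
        del self.tokens[key]              # single use once the reset succeeds
        user["history"] = previous[:HISTORY_LEN]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = hash_password(new_password, user["salt"])
        return "ok"
```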
