How do big companies know my password when they say they’re not storing it


As the title reads. When I try to change my password to an old one on for example office, the App Store or Netflix it tells me I can’t use a previous password. How can they have that information, without storing it?

In: 2257

They store the hash of your password.

Basically, if your password was “password123”, they would put it through a series of standardized computations to arrive at some hash value like 456732543672. It’s impossible to derive the original password from that hash, but if you’re entering it again, it will again be computed into a hash and then check if the hashes match.

They don’t store the password in clear text. They only have a “Hash” of your password, wich is a function that has a random looking but clearly defined output for each input.

So your password is 12345, and they hash it to

5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5 (SHA256 hash function)

If you try the same password it matches that hash. But it’s impossible to find out wich password you have from the hash because it isn’t unique. Some other password might have the same hash (and for good hash functions it’s also very hard to find these “collisions”)

Remember [this scene]( from the Simpsons? Think of Skinner as your password. His shadow/silhouette is your password stored as a ‘hash’ as others have already explained in this thread. Companies only save the picture of Skinners silhouette (the pictures on the wall). It is virtually impossible to recreate a picture of Skinner from the silhouette. But if Skinner gets in front of his silhouette, the contours match up perfectly and the company knows it’s him without possessing an actual picture to compare.

So…let’s say a website asks me to create a password that is at least 8 characters long, has upper, lower, numbers and a ‘special’ character; if I enter ‘Pa55w0rd’ then it would reject this as it does not contain a ‘special’ character.

If the website is not checking my password in plaintext but via hashing, how does it know that my password does not meet their password policy (missing a special character)?


They store a hash, the password should never be recoverable. If they ever send you your password in an email when you ask for a reset, leave, and never come back. it means they store it in reversible form, which is a serious no no.