How do we securely store your passwords?

To secure passwords, this platform uses a robust hashing function known as Argon2 , which is the winner of the 2015 Password Hashing Competition and is still recognized as one of the strongest security standards today.

No one, including the platform admins, can see or obtain your password, even with full access to the user database or in the case of a database leak.

That's also why we can't give your password back if you forget it.

Here is an explanation on how we secure them:

When creating your account, the system will create for your user a piece of randomly generated text, called the "salt", which will be added at the end of your password.

Then, we take the password followed by the salt, which is the "salted password", and apply a hashing algorithm on it, which is built with cryptography in mind.

Hashing is a one way process, which will take the given data as an input, and will generate its "hash", which cannot be turned back into the original password, but putting the same salted password as an input will output the exact same hash, and that is how we know if the password is correct when you try to log in.

Inside the database, we only store your identification informations, which are the username, email, and eventually other identification informations provided by you, and we then store for each user the hash from the salted password, along with the salt.

This way, your original password will never be directly visible nor obtainable from the database.

This method secures your password against most attacks, including:

• Database leaks: your password isn't directly obtainable from the database, even with full access to it.
• Rainbow table attacks: this attack consists of trying to see if the hash of the most common passwords matches with one of the registered users. But since each user has a unique salt added at the end of the password before hashing, a generic rainbow table attack would be completely inefficient.
• Matching users with same password: again, since each user has a unique salt, two users with the same exact password will have different hashes associated with their account in the database, therefore preventing attackers from directly knowing if two or more users share the same password.
• Brute force attacks: the hashing algorithm used to transform the passwords has a high work factor, meaning that it takes time to hash a password and check if the output hash is the same as the one from the database. When a user tries to log in with a password, this delay is almost unnoticeable, but in the case of a brute force attack where the attacker is testing a lot of different possible passwords, the attack will be rendered almost inefficient as it takes way too long to try a lot of different passwords.
• Hashing collision attacks: when two different passwords are passed to a hashing algorithm and give the same output hash, this is called a hashing collision. However, the hashing algorithm we use has a very high collision resistance, meaning that it's impossible with today's means to develop a method aiming to find a hashing collision, so it's impossible in practice for someone to log into your account using a different password from the one you set.

Moreover, all of these procedures aiming to securely store and check your passwords are handled by Django's backend, which is a well known, trustable and secure framework used by huge companies around the world.

For more informations on how Django's backend manages the passwords with the above methods, you can go on this page.