What is password encryption?
Password encryption is the process of converting the password you enter for a website into a form that can be safely stored or transferred. Password encryption is one way to protect your credentials in the event of a data breach — even if hackers manage to break into the password storage server, all they’ll get is useless gibberish.
You need both a strong password and password encryption if you want your account to be safe. A strong password stops hackers from breaking through your account’s front door using brute force, while password encryption or hashing makes sure there’s no spare key for them to find beneath the welcome mat.
How does password encryption work?
In simple terms, password encryption works by using an encryption key to transform your plaintext password (the actual sequence of characters you type in) into ciphertext (the resulting random characters you get). The resulting ciphertext version of your password can then be safely stored on a server, saved to a password manager, or sent somewhere else.
Password encryption is a reversible process — with the proper decryption key, it is possible to turn ciphertext back into your plaintext password. Because encryption and decryption keys are unique to each individual account, you must protect them to prevent anyone from deciphering your credentials.
Main types of password encryption techniques
Broadly speaking, password encryption techniques can be broken down into four main categories.
Symmetric encryption (also known as “secret key encryption”) uses the same cryptographic key for both encryption and decryption. The encryption client first creates a secret key, then divides the plaintext password into fixed-size blocks, and finally runs each block through a symmetric encryption algorithm using the generated key to get a corresponding block of ciphertext.
In symmetric encryption, the easiest way for hackers to steal your password is to simply steal your secret key. It is crucial that all parties involved in symmetric encryption (including the password storage server) keep the secret key separate from the encrypted password — and only share the key with others if it is absolutely necessary.
Asymmetric encryption (also known as “public-key encryption”) uses a pair of related keys — a public key for encryption and a private key for decryption. The public key is made freely available to anyone wishing to send data securely to the holder of the private key.
While exceptionally secure, asymmetric encryption is also much slower than symmetric encryption. This means it is not commonly used to directly encrypt files — rather, asymmetric encryption is often employed to safely exchange keys between parties for symmetric encryption.
Symmetric and asymmetric encryption are used for secure password storage solutions (such as a reliable password manager, like NordPass) — for authentication, servers employ a process called “hashing.”
Strictly speaking, hashing is not the same as password encryption, although the two concepts are close enough that the terms have become synonymous in popular discourse.
As with straightforward password encryption, hashing transforms a plaintext password into a string of random-looking characters known as the “hash.” This process is repeated every time you log in — the hash of the password you enter is compared to the stored hash to determine whether you’re the rightful owner of the account.
That’s where the similarities with password encryption end, however — unlike the latter, hashing is a one-way function. There is no way to reverse the process and turn the hash back into your original password.
Salting is a way to address one glaring weakness of password hashing — the fact that identical passwords produce identical hashes on the same server. Given enough incentive and time, hackers can guess the plaintext values of stolen hashes through rainbow table attacks and dictionary attacks.
That’s where password salting comes in. Salting adds random characters to the front or back of a plaintext password before it’s fed into the hashing algorithm, ensuring that even identical passwords produce unique hashes. Hackers have a much harder time trying to deduce the original text from hashed and salted passwords.
So, to summarize: hashing and salting are irreversible functions used for user authentication, while asymmetric and symmetric encryption are reversible processes used by password storage solutions.
Common password encryption algorithms
Any cryptographic algorithm can be used for password encryption, each offering its own advantages and downsides. However, four algorithms in particular feature prominently in modern password security.
- Advanced Encryption Standard (AES). AES is the gold standard for encryption algorithms in today’s cyber landscape. AES is a symmetric algorithm that encrypts data in fixed-size blocks using cipher keys of various lengths, with encryption using 256-bit keys being deemed secure enough for “TOP SECRET” documents by the US National Security Agency (NSA).
- Triple Data Encryption Standard (Triple DES or 3DES). 3DES is the evolved form of the Data Encryption Standard (DES), the first major encryption algorithm released to the public by the US government. The largest difference is hinted at in the name — 3DES applies the DES algorithm multiple times with different keys for greater security. 3DES is another symmetric encryption algorithm, but it is no longer considered secure and has been largely replaced by AES in modern systems.
- Blowfish. Another symmetric encryption algorithm, Blowfish was designed by Bruce Schneier in 1993 to address the common weaknesses of the algorithms of its time. While it was more robust than DES, the limited size of the data blocks used in Blowfish encryption (just 64 bits) meant that it was vulnerable to attacks that exploited the math behind the algorithm. Blowfish was upgraded to Twofish in 1998 and Threefish in 2008 and remains a strong algorithm for cryptographic security (including password encryption) to this day.
- Rivest-Shamir-Adleman (RSA). RSA is one of the oldest algorithms still in active use today — and unlike the other three entries on this list, is an asymmetric encryption algorithm. RSA generates private and public keys using calculations involving very large prime numbers. RSA is theoretically more secure than symmetric encryption algorithms like AES, but is also slower and more cumbersome to use.
Examples of encrypted passwords
Password encryption scrambles the text you enter to produce ciphertext — strings of random characters that make no sense without the proper decryption key. For demonstration purposes, let’s run some popular passwords through a simple online DES encryption tool.
- “Password123” becomes “$1$/kAFuTwg$z0.oX9oWMMoNua.bwPhLp0”
- “p@55w0rd” becomes “$1$7j8BudBa$AfRWuSokgzes.iV4nqCRN0”
- “1234567890” becomes “$1$UMCEqUEp$aMjeiFoALgq5cb198S4T6/”
The output would look slightly different if we had run the same passwords through a hash algorithm like SHA-1, which transforms plaintext into 40-character hexadecimal hashes. Keep in mind that unlike encrypted passwords, these password hashes cannot be reversed back to their original forms.
- “Password123” becomes “b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1”
- “p@55w0rd” becomes “ce0b2b771f7d468c0141918daea704e0e5ad45db”
- “1234567890” becomes “01b307acba4f54f55aafc33bb06bbbf6ca803e9a”
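The hashing, salting and verification steps described above, as an added example (not code from the original article or from NordPass). It reproduces the unsalted SHA-1 hashes listed here, then shows a salted scheme (PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations, parameters chosen for this example) in which two users with the same password get different stored values, and the server verifies a login by recomputing the hash with the stored salt. Only Python’s standard library is used.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters for the salted scheme (assumptions for this example, not values from the article).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: the 40-character hashes shown in the article."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is generated per password and stored next to the hash,
    so the server can recompute it at login without ever keeping the password.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def identical_passwords_collide(password: str):
    """Two users sharing a password: (unsalted hashes equal?, salted hashes equal?)."""
    return (sha1_hex(password) == sha1_hex(password),
            hash_password(password) == hash_password(password))


if __name__ == "__main__":
    for pw in ("Password123", "p@55w0rd", "1234567890"):
        print(pw, "SHA-1:", sha1_hex(pw))
        print(pw, "salted:", hash_password(pw))
    print(identical_passwords_collide("Password123"))  # (True, False)
```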
Can my encrypted passwords be decrypted by others?
In theory, password encryption is a reversible process, so anyone with the proper key can turn ciphertext back into a plaintext password. Getting hold of the decryption key is much more difficult than it sounds, however, so the likelihood that your encrypted passwords will be decrypted by others is exceptionally low.
One likely method of obtaining decryption keys is intercepting key exchanges between the client and the server. In those rare instances where the medium of exchange has not been properly secured (for example, by using asymmetric encryption), it is possible for a lurking hacker to execute a man-in-the-middle attack and copy the symmetric encryption key being shared.
In practice, most modern authentication systems automatically protect key exchanges between parties.
Remember — password encryption is not enough
Password encryption and hashing play important roles in your security, but here’s the rub — you need both password encryption and a strong password to protect your account. While there’s little you can do about a website’s choice of password encryption algorithm or other cryptographic security measures, you can do a whole lot about your own passwords.
Make sure that you create strong passwords for each of your accounts. A good password can hold off hacker attacks for years or even decades — enough for most attackers to lose interest and wander off in search of easier prey.