Plaintext vs. Encrypted
If you’ve found yourself here, it’s likely that one of your passwords was involved in a data breach and you want a little more information on what that means and how freaked out you should be. Don’t worry! (Well, maybe worry a little bit if it’s the one and only password you use all over the internet.) The difference really comes down to whether the company encrypted your password or not.
Now, It’s easy to get in the weeds and accidentally stay up until 3 am researching encryption around passwords, trust me. In this post, we’ll cover some of the high-level information you need to better understand how risky a plaintext password breach is versus an encrypted password breach and what you can do about it.
Plaintext (or cleartext) is a password format that is stored without encryption. It is easily understood, read, and used by other humans and machines. A plaintext password is what you type when you fill in the “password” field of a login page.
This is the most unsecure way for a password to be stored, and yet, is still utilized by many companies.
In InstantAlly, if your “password” has been compromised, you are much more susceptible to additional breaches. These are also considered “exposed” passwords. Plaintext passwords are the easiest for fraudsters to test and use to access additional accounts.
An encrypted password means that your password is stored in a way that makes it difficult to understand and use for fraudulent purposes.
You enter your plaintext password for a site, it is encrypted by the organization, and then stored in that encrypted form. Fraudsters must use decryption techniques to uncover your real password.
Different encryption methods vary in complexity. “Hashing” is at the core of most password encryption. Hashed passwords are, essentially, your password passed through an algorithm to make it unreadable and difficult to decrypt without the organization’s key.
Is this a more secure way to store passwords? Absolutely. Is it the be-all and end-all of password security? Of course not. Fraudsters have the time, knowledge, and technology to decrypt encrypted credentials. This is why it’s critical to not use the same password across multiple sites.
To truly wrap your head around it, consider the humble potato. A Plaintext password is a raw potato. An Encrypted password is a plate of seasoned hash browns. Yes, hash browns are still made of a potato but no longer resemble their original form.