How does Followerwonk store my password?

Short answer: Followerwonk never stores your password.

We follow best practices for passwords, which means rather than storing your password, we store a slow, salted, cryptographic hash of your password. It's like a fingerprint. When you log in, we hash your password and compare it to the password hash stored in our database. If they match, we know you entered the correct password without our ever needing to store it.

Suppose your password is my-secret-123. In our database, that password hash will look something like $2a$12$0W6XpKlNTwBGSGSHpR81keIjrMlTxlVPsSUeWeRuY23PSKtNOUOA2.

So, what is a slow, salted, cryptographic hash?

  • Slow: Computers can do millions of operations per second. Cryptographic hashes suitable for passwords take a relatively long time to calculate. That's a useful security feature because if an attacker obtained your password hash, they might try every possible password, hashing each and comparing it to your password hash until they get a match. A slow hash means it could take millions of years, on average, to discover your password using such a brute force technique.

  • Salted: When we initially create a hash for your password, we add a bit of random data to it, which gets stored along with the hash. In the world of cryptography, that random data is called salt. It's useful because even if you use the same password as someone else, your two salts will differ, so your password hashes will be completely different. It also means an attacker can't scan a long list of password hashes by generating one hash for each password guess and comparing it to every hash in the list. Instead, they have to add in the salt for each hash in the list and rehash their password guess for each one.

  • Cryptographic hash: A cryptographic hash is an algorithm that takes input and scrambles it in a clever way that has certain properties. The same input always generates the same output. Any two inputs almost certainly generate different outputs. Even knowing the algorithm, an attacker can't use that information to gain any useful knowledge about the relationship between the input and the output.

Designing an algorithm that is safe and secure for password hashing is a very difficult task. It takes specialized knowledge, including a deep understanding of the mathematics involved. And it requires review and scrutiny by other cryptographers. Good algorithms take years of development and scrutiny before they are considered safe to use. No one should write their own. Followerwonk uses the bcrypt password hashing function.
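The store-and-verify flow described above, written out as an added example that is not Followerwonk's own code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (so it runs without extra packages), and the `algorithm$iterations$salt$digest` record layout is an assumption that mirrors how a bcrypt string like `$2a$12$...` carries its cost and salt alongside the hash.

```python
"""Slow, salted password hashing: store a record, verify later, never store the password."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"   # stand-in for bcrypt; structure of the record is the point
ITERATIONS = 200_000          # the "slow" knob, like bcrypt's cost factor 12


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is generated unless one is supplied (supplying one is
    only useful for tests; real code should always let os.urandom pick it).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(iterations)
    except ValueError:
        return False          # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, expected)  # no timing leak on mismatch


def same_password_different_records(password: str) -> bool:
    """Two users choosing the same password still get different stored hashes."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("my-secret-123")  # the page's example password
    print(stored)
    print("login ok:", verify_password("my-secret-123", stored))
    print("wrong password rejected:", not verify_password("my-secret-124", stored))
    print("salt makes records differ:", same_password_different_records("my-secret-123"))
```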

Choose a strong, unique password

We've done our part to keep your password safe. You should follow some best practices to stay secure on the Internet, too.

  • Choose a strong password. Using a good password manager like 1Password can make that easier.
  • Use a unique password for every site. If an attacker ever obtains one of your passwords, they can try it on many different sites. If you reuse the same password, an attacker only needs to access your password once, and then they can use it to compromise your accounts on multiple sites.
  • Change your passwords frequently. If an attacker obtains a copy of your password hash, it should take them a very long time to discover a password that matches. If you've changed your password by the time they do, you're still safe.