ELI5: When someone creates a password on a website, where is that password stored?

Dynamic websites, as they are called, are websites where the page is dynamically generated between the request and the response. When you register, you send your filled-in data to the webserver (inside an HTTP/HTTPS request with the method POST). The webserver will handle your request like any other and will call the corresponding file/script that will generate the website to be returned to the client (you).

The called script is able to see information about the call; for example, it's able to see the filled-in data because this is part of the HTTP request. Now the script has access to your username and password. Usually the script connects to a database because it needs some sort of database to store information somewhere persistent. The first check of a simple registration process is checking whether the username is already registered. The script executed (not directly) by the webserver will look up whether a result exists by username; if so, it will return a response in HTML with a fancy error to the webserver; if not, it will continue execution. Then the password is (hopefully) hashed (this means the password itself is being converted into a string with some sort of algorithm that is only one-way, where the same string always has the same hash) and stored with its username in the database. Hashing is done to make sure that if the database ever gets hacked, no plain-text passwords are acquired by the hacker.

Now you will probably wonder: if I don't store the password, then how can the script validate credentials? Well, after logging in, it will use the same hashing algorithm on the filled-in password. A database lookup is done where a row must exist with a username equal to the filled-in username and a password equal to the hashed password. As said before, a hashing algorithm always has the same output for the same input.

All of this is done between sending your request and the generated response.

/r/explainlikeimfive Thread
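
The registration and login flow described in the answer above, as an added Python example that is not part of the original thread. It goes one step beyond the post: it uses a per-user random salt with PBKDF2-HMAC-SHA256, so login looks the row up by username and then compares hashes instead of matching on the hash inside the query. The in-memory SQLite table, the function names and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; assumed value for this sketch


def open_db():
    """In-memory stand-in for the site's database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt):
    # One-way and deliberately slow: same password + same salt -> same hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS)


def register(db, username, password):
    """Reject a taken username, otherwise store salt + hash (never the password)."""
    taken = db.execute("SELECT 1 FROM users WHERE username = ?",
                       (username,)).fetchone()
    if taken:
        return False  # the "already registered" error case
    salt = os.urandom(16)  # random per user: equal passwords get different hashes
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))
    db.commit()
    return True


def stored_columns(db, username):
    """What the database holds for a user, i.e. what a table dump would expose."""
    return db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                      (username,)).fetchone()


def login(db, username, password):
    """Re-hash the submitted password with the stored salt and compare."""
    row = stored_columns(db, username)
    if row is None:
        return False  # unknown username
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))
```
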