Personality Assessor uses current, well-established techniques to protect your account and password. You might be wondering how we protect your password so that no one, including us, can read it.
We're so confident in our security, that we're going to tell you.
When you submit your password, it's immediately salted.
This means that we add a random string of letters, numbers and symbols, generated separately for each account, before your password, after it, or in the middle of it at known positions. The salt is stored with your password record so the same computation can be repeated when you sign in; its job is to make sure two people with the same password end up with different hashes, and that an attacker cannot crack every account with one precomputed table. Your salted password is then hashed with a SHA family hash. This pre-hashing step is what lets your password be any length and contain any characters: the slow hash applied next (Bcrypt) only reads the first 72 bytes of its input, but a SHA digest is always a short, fixed-size value. (The digest has to be encoded as text, for example as hex, before it goes into Bcrypt, because Bcrypt also stops at the first zero byte and a raw digest can contain one.)
This hashing is repeated many times on your password. (We don't publish the exact count, though the strength of the scheme does not rest on that number being secret: the slow hash and the pepper described below carry that weight.)
The result is a seemingly random string of letters, numbers, and symbols, determined by your password content. Hashing cannot be reversed: there is no way to "unhash" the value and read the password back out of it. What an attacker can do is guess candidate passwords, run each guess through the same steps and see whether the result matches, which is exactly why the next step is made deliberately slow.
Your salted, SHA-hashed password is then salted and hashed again using Bcrypt.
SHA is a very fast hashing function; a single modern graphics card can test billions of SHA-256 guesses per second, so a plain SHA hash of a short or common password would fall quickly.
In contrast, Bcrypt takes a long time, by design. With the cost factor we use, every Bcrypt computation takes about 100 ms, one tenth of a second, and that cost factor can be raised as hardware gets faster. We also run Bcrypt more than once (we don't publish how many times), though the main knob is its built-in cost factor, which Bcrypt stores inside the hash string itself, so it is not a secret. This slows attackers down: the layers cannot be attacked separately, since the only practical way to "crack" the stored value is to guess a password and run it through the whole salt, SHA, Bcrypt pipeline, paying the Bcrypt cost on every single guess. At 100 ms per guess, even a modest dictionary of a hundred thousand words costs hours of compute for one account rather than a fraction of a second, and because each account has its own salts, that work cannot be shared across accounts.
Your final, slowly hashed value is then salted a third time and encrypted under a sitewide secret key, a so-called "pepper". Unlike the salts, the pepper is never stored in the database; it lives with the application (an environment secret, a key store or a hardware module), so a stolen copy of the database alone cannot even start the guessing attack described above: without the pepper there is nothing to compare guesses against.
Because this last layer is encryption rather than hashing, the pepper can be rotated: we decrypt each record under the old pepper and re-encrypt it under the new one, without needing anyone's password, and every stored value changes. Two things rotation does not do should be clear. It does not help with a database copy an attacker already took together with the old pepper, which stays decryptable under that old pepper, and it does not make a weak password strong. What it does is take a leaked pepper out of any future use.
Whenever you sign in, your password goes through the same triple-salted, slow-double-hashing, peppered encryption steps, using the salts stored in your record. We compare the result with what's stored in our database (or, if the encryption uses a fresh random nonce per record, we decrypt the stored value and compare at the hash layer). The comparison must be constant-time, so that how long the check takes reveals nothing about how many bytes matched. If the values match, you provided the correct password.
Notably, no one, including us, ever sees your password in the clear. What sits in our database is a triple-salted, hashed, encrypted string that looks like random numbers, letters and symbols to anyone who sees it, and it cannot be turned back into your password. The one thing this scheme cannot do is protect a password that is easy to guess: every layer above makes each guess expensive, not impossible, so a long, unique password still matters.