Web Security Fundamentals

Every day, millions of people's passwords, credit card numbers, and personal data are stolen in data breaches. In 2023 alone, over 3 billion records were exposed through publicly reported breaches. Many of these breaches succeed not because attackers used exotic techniques, but because of basic security mistakes — weak passwords, unencrypted data, and poor hashing practices.

Understanding the fundamentals of web security doesn't require a computer science degree. The core concepts — how passwords should be stored, what hashing does, and how encryption protects data in transit — are accessible to anyone willing to spend 15 minutes learning them. This guide explains these concepts in plain language, with real-world examples that show why each one matters.

Whether you're a developer building applications, a system administrator managing user accounts, or simply someone who wants to understand how their data is (or isn't) being protected, this guide gives you the vocabulary and mental models to evaluate security decisions effectively.

A secure password is one that's computationally expensive to guess. The security of a password is measured in "entropy" — essentially, how many possible values an attacker would have to try before guessing correctly. Higher entropy means more guesses required, which means more time, which means better security.

What Determines Password Strength?

Password strength is determined by two factors: length and character set size. The total number of possible passwords is calculated as (character set size) raised to the power of (password length).

Why "Password123" Is Terrible

Despite having uppercase letters, lowercase letters, and numbers (which sounds diverse), "Password123" appears in virtually every password cracking dictionary. Attackers don't just try random character combinations — they use pre-built lists of commonly used passwords, dictionary words, and known patterns. A dictionary attack can try billions of likely passwords per second on modern hardware.

The most secure passwords are randomly generated strings that don't form words or recognizable patterns. A 20-character random password drawn from letters, numbers, and symbols has ~10³⁹ possible values — effectively impossible to crack even with future computing advances.

Password Reuse: The Silent Killer

Using the same password across multiple sites is arguably the biggest security risk most people take. When one site is breached, attackers immediately try those credentials on banking, email, and social media sites — a technique called "credential stuffing." Even a very strong password provides no protection if it's used on a site that stores it poorly and gets breached.

The solution is a unique, random password for every account, stored in a password manager. You only need to remember one strong master password; the manager handles everything else.

Hashing and encryption are frequently confused, but they serve completely different purposes. Understanding the distinction is fundamental to understanding how passwords should be stored.

The Definition of a Hash Function

A hash function takes any input (a string of text, a file, a document) and produces a fixed-size output called a "hash" or "digest." The critical properties of a cryptographic hash function are:

• Deterministic: The same input always produces the same output
• One-way: You cannot recover the original input from the hash (irreversible)
• Avalanche effect: A tiny change to the input produces a completely different hash
• Fixed output size: SHA-256 always produces a 256-bit hash regardless of input size
• Collision resistant: It's computationally infeasible to find two different inputs that produce the same hash

Why Passwords Are Hashed, Not Encrypted

Here's the key insight: a website doesn't need to know your actual password. It only needs to verify that what you typed matches what you originally set. This means there's no reason for a website to ever store or be able to recover your actual password.

When you create an account, the site hashes your password and stores only the hash. When you log in, the site hashes what you typed and compares it to the stored hash. If they match, you're authenticated — and the site never needed to handle your actual password for more than a fraction of a second.

If a site uses encryption instead of hashing for passwords, that means they have a decryption key somewhere, which means your actual password could potentially be recovered — either by the site employees, or by attackers who compromise the key. Properly hashed passwords are useless to an attacker who breaches the database; they only have one-way transformed values they can't reverse.

Hash Functions Beyond Passwords

Hash functions are used far beyond password storage. File integrity verification uses hashes to confirm a downloaded file hasn't been corrupted or tampered with — compare the file's hash against the one published by the original source. Version control systems like Git use hashes to identify commits. Digital signatures use hashes to efficiently sign large documents. Content-addressed storage systems use hashes as file identifiers.

Not all hash functions are created equal. Some are designed for speed (useful for verifying file integrity), while others are intentionally slow (necessary for password hashing, to make brute-force attacks impractical).

The rule of thumb: use SHA-256 or SHA-3 for file integrity and data verification. Use bcrypt, Argon2, or scrypt for passwords.

Unlike hashing, encryption is reversible. You encrypt data to protect it, and decrypt it when you need it back. Encryption transforms readable data (plaintext) into scrambled data (ciphertext) using a mathematical algorithm and a key. Only someone with the correct key can decrypt the ciphertext back to plaintext.

Encryption is essential any time you need to store or transmit sensitive data that must later be read — private messages, credit card numbers, medical records, authentication tokens. You encrypt the data for storage or transmission, and decrypt it when you need to use it.

How HTTPS Protects You

Every time you visit a website with "https://" in the address bar, your connection is encrypted using TLS (Transport Layer Security). This means that even if someone intercepts the data packets traveling between your device and the website's server, they see only encrypted gibberish — not your login credentials, not your credit card number, not the content of what you're reading.

TLS encryption is transparent — it happens automatically without you doing anything. The padlock icon in your browser's address bar indicates the connection is encrypted. When you see "http://" without the S, data is transmitted in plaintext — anyone on the same network (a coffee shop WiFi, for example) could potentially read it.

There are two broad categories of encryption, and understanding the difference explains how secure communication on the internet actually works.

How TLS Uses Both

HTTPS connections use both types strategically. Asymmetric encryption is used first to securely exchange a symmetric key (solving the key distribution problem), then symmetric encryption handles the actual data transfer (because it's much faster than asymmetric). This hybrid approach gives you the security benefits of asymmetric encryption with the performance benefits of symmetric encryption.

When you connect to a secure website, your browser and the server perform a "TLS handshake" in milliseconds that establishes this symmetric session key — all transparently and automatically.