What happens to your info when you sign up for a website?
If you are anything like me you’ve wondered how your username and password are stored when you sign up for a website. Are SupremeWizard95 (your username, obviously) and D0gz@r3thebest!!! (your password, also obviously) stored on a computer just like that? Maybe you feel comfortable giving the password you use for all your accounts to large websites, like Amazon or Instagram, but maybe you feel a little bit more hesitant to do so when signing up for websites with less… uh… flair? I know I have, and I think that this is probably pretty normal. For computer naifs it’s not entirely clear what happens when you give a username and password over to a website.
So, to understand what goes on when you sign up for a website, it’s worth talking about encryption. Encryption is one of the simpler methods that organizations use to safely store information like your username and password in their databases. Understanding how your username and password are encrypted and then stored on a database can clarify what actually happens “behind the scenes” and make you more aware of what is and is not happening when you sign up to use a particular application.
Let’s talk about what happens when you sign up for a website step-by-step. When you first go to sign up for a website, you’re probably met by a screen like the one below (this is Twitter’s):
In the above screen, you enter your name, phone number, and date of birth. Hitting the “next” button sends your information to the database. On its way there it is most likely “encrypted” using some sort of encryption algorithm. What does it mean, though, for your name, email, and date of birth to be encrypted? And what does it mean to be stored on a database? It sounds magical, doesn’t it? It sure did to me until relatively recently, but trust me, it isn’t.
When thinking about how your information is “encrypted”, it is important to remember what in fact your information is. Your name and email address are both groupings of letters and numbers. Computer programmers call these groupings “strings.” Your email address and name (and birthday, for that matter) are nothing more than “strings” of numbers and letters. I know the website is fancy and the box highlights blue when you enter that information, and you might think that the box highlighting and the way the information is entered have an effect on the way it is stored. At least that’s what I thought before I got into software engineering. In fact, from the perspective of data storage, neither of those things is relevant. The only thing that’s relevant from the perspective of data storage is the content of the string itself. And it’s the content of the string that is encrypted.
So, when you’ve entered your information and you have hit that next button, you are sending the information to a database. The path that brings this information to the database is what is known as a “post” route. A “post” route is a pathway for information to travel across the internet that allows new rows to be added to tables in a database. There is no way to add a new row or rows to a database table other than by sending information along a post route.
Brief aside: if you’re having trouble understanding post routes, they’re best understood by learning about their opposite: “get” routes. A “get” route, in contrast to a “post” route, retrieves information from a database. So, if you want to access information in a database (think: your account information) you need to make what is known as a “get” request. Get requests do not remove rows in a database; they simply bring a copy of the contents of the rows you have specified to you, the user. In your usage of the internet, I can guarantee that you’ve made get requests and post requests millions of times; you just haven’t known it. End aside.
The post route that you send the information along after hitting “next” is written out by software engineers. The code below is an example of a written-out post route that contains instructions to encrypt a username. Its contents might be obscure if you’re not familiar with JavaScript, but I can guarantee that these lines of code are where the “action” takes place to take the username you entered (e.g. “SupremeWizard95”), turn it into an unrecognizable string of letters and numbers, and then post that information to the database.
When the information gets to the database it will look something like the picture below. And indeed, what you are seeing below is a graphical representation of a database itself. In the below example neither the username nor the email is encrypted. However, the password is. It has been transformed from a string of letters and numbers (in this case the password for both was actually 12345 — Ha!) into a string of letters, numbers, and symbols that is literally indecipherable unless you have the proper key.
Although in the above example the username and email are not encrypted, it would be better if they were. Encrypting the username and email would prevent database administrators from casually viewing user information. Also, encrypting other information would make it so that even if a bad actor somehow got access to the database contents he or she couldn’t do anything with those contents unless he or she had the decryption key, which would be stored somewhere safe, like on a piece of paper that’s kept in a drawer.
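The post route and key-dependent storage described above, sketched as an added example (this is not the original article's code): a sign-up handler encrypts the username and email with AES-256-GCM before adding a row, and a get handler returns a decrypted copy only when given the right key. The handler names, the in-memory usersTable, and the randomly generated KEY are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-ins: a random 256-bit key and an in-memory "users" table.
// In a real deployment the key is kept outside the database.
const KEY = crypto.randomBytes(32);
const usersTable = [];

// Encrypt one string with AES-256-GCM; returns "iv.tag.ciphertext" in base64.
function encryptField(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Reverse encryptField; throws if the key is wrong or the stored value was altered.
function decryptField(stored, key) {
  const [iv, tag, ct] = stored.split('.').map((s) => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Hypothetical handler for POST /signup: validate the strings, encrypt, add a row.
function postSignup(body, key = KEY) {
  const { username, email } = body;
  if (typeof username !== 'string' || typeof email !== 'string' || !username || !email) {
    return { status: 400, error: 'username and email are required strings' };
  }
  const row = {
    id: usersTable.length + 1,
    username: encryptField(username, key),
    email: encryptField(email, key),
  };
  usersTable.push(row);
  return { status: 201, id: row.id };
}

// Hypothetical handler for GET /users/:id: returns a decrypted copy of one row.
function getUser(id, key = KEY) {
  const row = usersTable.find((r) => r.id === id);
  if (!row) return { status: 404 };
  try {
    return { status: 200, username: decryptField(row.username, key), email: decryptField(row.email, key) };
  } catch (err) {
    return { status: 500, error: 'decryption failed' };
  }
}
```

Anyone reading usersTable directly sees only base64 text, and because each value gets its own random nonce, two users with the same email do not produce matching rows.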
So, when you sign up for a website and you hand over your username and password, you now know that the way that the entry form appears on the page is largely irrelevant, and that when you sign up your information is sent along a particular route that contains specific instructions to scramble (“encrypt”) the characters that comprise the information sent. This encrypted information is then stored safely in a database until it is updated, retrieved, or deleted.
The fact that you can only develop a general outline for how websites encrypt and store information has its upsides and downsides. The upside is most obviously that if you don’t know what information is encrypted or how it’s encrypted, it becomes harder to access the information of other users. The downside, though, is that you can never be too sure about how your information is stored and what exactly is encrypted. That’s why it’s important to use a variety of passwords and usernames across the platforms you intend to access. Obviously this takes some overhead and has its costs, but given the uncertainty you have regarding how data is stored, it’s well worth it in the long run.