Securing our passwords

It seems every other week we hear of another data breach where usernames and passwords, along with other sensitive data, are taken. When a site's usernames and passwords are compromised, what do we all do? We go and change our passwords. There has to be a way for two sites to store the same password for a user so that the stored values are not the same.

Okay, let's start with the worst possible way to store the password: in plain text.

Username Password
user1 password
user2 password

Now if we store the passwords as MD5 hashes:

Username Password
user1 5f4dcc3b5aa765d61d8327deb882cf99
user2 5f4dcc3b5aa765d61d8327deb882cf99


Okay, now at least if the data is taken, the password is not as easy to see, but it would not take long to get the password for both users, since identical passwords produce identical hashes. Now, what if the password for user1 and user2 could be stored so that the stored value is different for each user? Even if the first password is cracked, the password for the second user would still be unknown.

In the table below, both users have the same password but the MD5 hash is different.

Username Password
user1 5ccafb277fa23cd0e71d99bc20715d9a
user2 55b873945f78672333f33000075e7cde


So how do we pass the value of password to an MD5 function and get two different values?

If we add something to the password before hashing, that changes the hash, but we have to add something different for each user. If you concatenate the username and password together, you will now generate a different hash for each user.

This still doesn't solve all the problems. As users, we tend to use the same username and password on different sites. So if user1 uses password on multiple sites, and the data from multiple sites is compromised, then user1's password can be used on multiple sites. If each site now also adds a site-specific value to the input of the hash, it becomes more complicated to recover.

In this table for site1, the site concatenates username, site1 and password together and you get the following.

Username Password
user1 8f9c3e05cd3b01d645270d435df60a4a


Now if site2 concatenates username, site2 and password together, you get the following.

Username Password
user1 bd976a1ce7c853f160606d1af0cbce7f

Now if both site1 and site2 have their user data compromised, user1's password cannot be as easily determined from the two different stored hashes.
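The four storage schemes walked through above, as an added example that is not part of the original post. It uses only the standard library; the user, site and password names (user1, user2, site1, site2, password) are the constructed values from the tables above, and the function names are my own. It also adds a verification routine, which the post does not show, so you can see that a login check simply recomputes the same concatenation and hash.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def store_plain(username: str, password: str) -> str:
    """Worst case from the post: the password is stored as-is."""
    return password


def store_md5(username: str, password: str) -> str:
    """Unsalted MD5: identical passwords give identical stored values."""
    return md5_hex(password)


def store_user_salted(username: str, password: str) -> str:
    """Post's second scheme: hash(username + password)."""
    return md5_hex(username + password)


def store_site_salted(site: str, username: str, password: str) -> str:
    """Post's third scheme: hash(username + site + password)."""
    return md5_hex(username + site + password)


def verify_site_salted(site: str, username: str, candidate: str, stored: str) -> bool:
    """Login check: recompute the site-salted hash and compare in constant time."""
    return hmac.compare_digest(store_site_salted(site, username, candidate), stored)


def build_tables() -> dict:
    """Rebuild the post's tables: both users have the same password."""
    users = ["user1", "user2"]
    password = "password"  # constructed sample value from the post
    return {
        "plain": {u: store_plain(u, password) for u in users},
        "md5": {u: store_md5(u, password) for u in users},
        "user_salted": {u: store_user_salted(u, password) for u in users},
        "site1": {"user1": store_site_salted("site1", "user1", password)},
        "site2": {"user1": store_site_salted("site2", "user1", password)},
    }


if __name__ == "__main__":
    for scheme, rows in build_tables().items():
        print(scheme)
        for username, stored in rows.items():
            print(f"  {username} {stored}")
```

Running it reproduces the first two tables exactly (MD5 of password is 5f4dcc3b5aa765d61d8327deb882cf99 for both users) and shows that the user-salted and site-salted rows differ even though every user typed the same password. One caveat a practitioner would want here: the post's salt is fixed and predictable (username plus site name) and MD5 is very fast to compute, so current guidance is a random per-user salt combined with a deliberately slow password hash such as bcrypt, scrypt or Argon2.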

Sites still have to protect their data, but this seems to make it much more difficult to determine what the passwords are.