The easiest way to keep a secret is to not tell it to anyone. Unfortunately, passwords don’t work that way. Every time you sign in you have to tell the website your password, which makes keeping the secret safe harder. That’s why we recommend turning on two-step verification for your account: it adds an extra layer of difficulty for anyone who has guessed, eavesdropped on, or tricked you into giving them your password. And it’s why we’re excited today to announce support in two-step verification for WebAuthn (“Web Authentication”), a new standard for strong authentication on the web.
It’s universally acknowledged that storing plain-text passwords is a bad idea. If a database containing plain-text passwords is compromised, every user account is in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords after a compromise, every hashing mechanism necessarily allows attackers to brute-force the hashes offline: they go through lists of possible passwords, hash each candidate, and compare the result with the stolen digest. In this context, secure hashing functions like the SHA family have a critical flaw for password hashing: they are designed to be fast.
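To make the last point concrete, here is an added example (not code from the original post or from Dropbox) that hashes a constructed sample password two ways: once with a single SHA-256 and once with PBKDF2-HMAC-SHA256, which iterates the same primitive many thousands of times. It then runs the offline guessing loop the paragraph describes over a small constructed wordlist against each digest and measures the cost per guess. The password, wordlist, fixed salt and iteration count are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for the demonstration; not real credentials.
SAMPLE_PASSWORD = "correcthorse"
LEAKED_WORDLIST = ["password", "123456", "letmein", "qwerty", "correcthorse"]
SALT = b"\x01" * 16  # fixed salt so the example is reproducible; use os.urandom(16) in practice


def fast_hash(password: str, salt: bytes = b"") -> bytes:
    """A single SHA-256 over salt||password: fast by design, so each guess is cheap."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the same SHA-256 primitive, iterated so each guess costs tens of ms."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str, iterations: int = 100_000) -> dict:
    """Create a stored record: random per-user salt, work factor, and the slow digest."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "digest": slow_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def offline_guess(target: bytes, wordlist, hash_fn):
    """The offline loop from the text: hash every candidate and compare it with the stolen digest.
    Returns (matched_candidate_or_None, average_seconds_per_guess)."""
    start = time.perf_counter()
    match = None
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate), target):
            match = candidate
    elapsed = time.perf_counter() - start
    return match, elapsed / len(wordlist)


def cost_ratio(iterations: int = 100_000) -> float:
    """How many times more expensive one guess is against the slow digest than the fast one."""
    fast_target = fast_hash(SAMPLE_PASSWORD, SALT)
    slow_target = slow_hash(SAMPLE_PASSWORD, SALT, iterations)
    _, fast_cost = offline_guess(fast_target, LEAKED_WORDLIST, lambda p: fast_hash(p, SALT))
    _, slow_cost = offline_guess(slow_target, LEAKED_WORDLIST, lambda p: slow_hash(p, SALT, iterations))
    return slow_cost / fast_cost


if __name__ == "__main__":
    record = new_record(SAMPLE_PASSWORD)
    print("verify correct password:", verify(record, SAMPLE_PASSWORD))
    print("verify wrong password:  ", verify(record, "password"))
    print("slow/fast cost per guess: %.0fx" % cost_ratio())
```

Both digests fall to the same five-word list, because a hash function cannot stop guessing; what the iterated construction changes is the price of each guess, and that price is paid equally by the legitimate login and by the attacker. The work factor is stored next to the salt so it can be raised over time without invalidating existing records.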