hi, ima use this opportunity to nerd out a bit, especially since people in the notes keep being tech illiterate while calling others tech illiterate. it's nobody's fault really, these things should be taught in school these days, but they arent. at all.
in short - nobody has your password. every online service uses servers, and these servers should not, under any circumstances, store your password, and if they do, the do not comply security standards and you honestly should stay as far away from their service as possible, no matter what that service is.
"but Agam," you may ask, "how does the website know the password is correct when i log in, if it doesn't even know it?"
you see, it stores something called a cryptographic hash (no, not the currency thing, that's something else).
basically: imagine for a moment that there exists a function, an operation of some kind, that you can run on any sequence of letters and digits and sumbols, and get a different sequence of symbols, that is unique* to any input you can use. imagine also, that this operation cannot* be reversed; you cant take the output of this function and trace back what input was used to produce it. this magic function is called a cryptographic hash.
instead of storing your password directly, the server runs a cryptographic hash on it and stores the result. the next time you enter a password, the server takes your input and runs the cryptographic hash on it as well - then compares the result to the one that it has stored.
because the operation cannot* be reversed, no matter WHO has your data, it is practically impossible to know your password.
this is also why when you select "i forgot my password" these days, you never get your password sent to you - because nobody has it. instead, you have to select a new one without ever seeing the old one.
now, few things to note here. for one, the astrixes that i kept using: "unique" isnt entirely correct here, sonce there could technically be two passwords that produce the same cryptographic hash; what this practically means is that there is some random password that the server will count as correct despite not being the correct password. since nobody can guess that password either, it's not that bad. two - it technically IS possible to reverse a cryptographic hash, but should take an incredibly long time - ideally, lifetime-of-the-universe long.
lastly - there ARE databases with pre-computed cryptographic hashes for common passwords, which are meant for speeding up this process. for this purpose, most hashes nowadays use something called a salt value - a second input value provided to that hash function WITH the input password, that is changing for each user. that way, since nobody can predict what the salt value is, the hash value cannot be pre-computed.
math is good, kids, it protects you from mega-corporates.
here's a nice lil video about this very topic (Tom Scott my beloved):
with that being said you should definitely still call companies out for selling your data, while your password arent (or at least, shouldnt) be stored at all, a lot of other stuff is.


















