How do websites check users passwords without saving the clear-text password in their database?

[Jasz]

It is best practice for websites to never store user passwords in the database in clear text. If a hacker were to gain access to the server, that would mean they could see all of the users' passwords. There is a much more secure way that modern websites check user passwords without storing the clear-text password in the database.

When a user creates an account, they are prompted to enter their desired password into a text box. When the user clicks "submit" or "create account," instead of storing the password in the database in clear text, it becomes hashed and salted. Hashing takes any string of characters and converts it into an unrecognizable string of characters with a set length. Salting adds additional randomness to ensure that similar passwords will not hash to the same value.

When a user logs back into their account, they enter their username and password into the appropriate fields, but instead of checking against what is stored in the database, it hashes what was entered in the text box and then compares it to what is stored in the database. If they match, then access is granted; otherwise, access is denied.

This prevents hackers from gaining access to all of your users' passwords by simply looking at what's stored in your database.