I'd made many data requests before, but this was the first time I'd been asked for a password to prove my identity. It meant one disturbing truth: Whiplr was storing my login details in plain text. It's impossible to see how many times the iOS app Whiplr has been downloaded, but it describes itself as "the world's biggest online fetish community." It's a place for people with kinks of all kinds to connect. Naturally, privacy is paramount. You'll rarely find a handle resembling a real name, and many profiles don't have publicly available pictures. Of those that do, faces are often hidden or obscured. Users don't want to be recognized or judged for their bedroom proclivities by people they might encounter in "normal" daily life. They prefer to remain mysterious, if not outright anonymous.

This is exactly why Whiplr storing login details in plain text is such a serious faux pas. Should hackers have gained access to this database, they could've potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical. The potential for extortion is very real. Think the Ashley Madison hack, just with more ropes and spanking, and less relationship-ending infidelity.

An inexplicably retriever-focused commercial for Whiplr

Storing login credentials in plain text is not a good idea. Without any form of encryption, this data is most powerful in its rawest form. Should a company's systems be breached, a hacker could use the info to access your account, find out more about you and prospect elsewhere with the same login details. If you are consistent with your password choices, one plain-text database could be the key to your digital life.

As a sensitive service, you'd think any form of database encryption would be a sensible move for Whiplr. A common password-protection technique is hashing. A hashing algorithm will take your password and scramble it into a random string of characters. When you log in to a service with your password, it'll get run through the same hashing algorithm. Whatever it spits out will be referenced against the database to see if it matches. Only the hash is stored, not your actual password.

Importantly, hashing algorithms will always produce a string of characters of the same length, regardless of the length of the passwords. This makes them pretty hard to crack, as the hash can't be used to identify anything about the composition of the password. It's not impossible to reverse-engineer passwords from their hashes though. With enough time and computing power, you can throw anything you want into a hashing algorithm and cross-reference the output to, say, a database dump. The shorter and more common a password is, the more quickly you're likely to get a hit.

This is why more than 100 million LinkedIn account details appeared for sale online a few years ago. The service was hacked in 2012, and though it stored passwords in a hashed format, they were decrypted in time. And that's why you have to sprinkle a little salt in that cauldron.

There are plenty of ways people can get your password without hacking.

Salting basically adds a random string of characters to either the front or back of your password before it's run through the hashing algorithm. It means that two identical passwords will have different hashes, because every user has a unique salt to add complexity. Therefore, there's no pattern to the hashes in the database because every single password is different. Even if hackers got hold of the hash and the salt database -- you have to keep a record of the salt to add it to the password every time a user tries to log in -- they would have to run every possible password plus the salt through the hashing algorithm to get a match. And even if they did, they'd have to start all over again for a new user. It's just not feasible.