The Password Problem

Alright, let’s say you create the next massive social media supergiant and you want people to sign up for your service. You have all the things you need on a sign-up page: a spot for their name, their email address, their birthday, and their password. After someone signs up to your website you obviously want to save their information, so you create a database and put their name, their email address, and their birthday in it. But what about their password?

Plain-Text Passwords

You might say to just put the password in your database right next to the rest of their info; after all, you’re going to need to check their password whenever they log in in the future. This is called storing passwords in plain-text, and it is BAD! The issue is, eventually some brilliant hacker is going to find their way into your database and steal everything you have. If you store everyone’s password in plain-text, that hacker just stole everyone’s real passwords. And since most people reuse the same password for many, many things, you just opened the door to massive identity theft, and people will be very angry at you. So how do you store passwords so they can’t be seen, but can still be checked? With math, of course!

Hashed Passwords

There’s a process in computation called hashing. It takes information and essentially creates a fingerprint for the data. For a given hash function the output is always the same length, regardless of how large or small the original data is, and the same input always produces the same fingerprint. Also, a tiny change in the data creates a massive change in the hash. For example, let’s run a few test phrases through something called the SHA-1 hash:

“password” becomes
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

However “Password” becomes
8be3c943b1609fffbfc51aad666d0a04adf83c9d

And a longer sentence like “The Quick Brown Fox Jumps Over The Lazy Dog”
645218467886dd414ea66a09b6cceea806127fb5

You can try things for yourself here.

See how a tiny change results in a completely different hash? But the really important thing is that you cannot reverse a hash: there is no practical mathematical way to go from the hash back to the original password. So, instead of storing the password, you store the hash of the password, and whenever you need to check a login, you hash the password the user just typed and compare it against the hash stored in the database. Now if a hacker steals your data, all they have is a bunch of hashes!

Unfortunately, hackers can be clever too. Some people have their computers calculate the hashes for every possible password ahead of time. So they have a massive file with “aaaaaaaa”, “aaaaaaab”, “aaaaaaac”, etc. and the hashes for all of them. This is called a Rainbow Table, and hackers use them to reverse the hashes of commonly used passwords with minimal effort, essentially rendering the technique useless. So how can you beat the hackers?

Salted & Hashed Passwords

What we do is add “salt” to the password to disguise the hash. The server generates a random salt for each user and stores it alongside the hash, so if your password is “password”, what actually gets hashed is something like “wir;opasswordfj3ui9fe”. The result is that even if my password is “password” and your password is “password”, our hashes will look entirely different because of the salt. With salt, Rainbow Tables are useless to hackers, and they have to try to crack each hash one by one.
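As an added example (not from the post), here is the whole story in Python: the unsalted SHA-1 fingerprints from the examples above, a tiny precomputed lookup standing in for a Rainbow Table, and a per-user salted store that the lookup can no longer reverse. The word list and the `salt$digest` record format are constructed for this illustration, and SHA-256 is used for the salted store.

```python
import hashlib
import hmac
import os

# Constructed list standing in for an attacker's precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 fingerprint, exactly what the post's examples show."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for a word list (the post's 'Rainbow Table')."""
    return {sha1_hex(w): w for w in words}


def reverse_with_table(table, digest: str):
    """Return the password whose unsalted hash matches, or None if the table misses."""
    return table.get(digest)


def hash_password(password: str, salt=None) -> str:
    """Produce a 'salt_hex$digest_hex' record (constructed format).
    A fresh random 16-byte salt per user means two users with the
    same password get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the typed password with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(sha1_hex("password"))  # 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, as in the post
    print(reverse_with_table(table, sha1_hex("password")))  # password: unsalted hash reversed instantly
    alice, bob = hash_password("password"), hash_password("password")
    print(alice != bob)  # True: same password, different stored records
    print(reverse_with_table(table, alice.split("$")[1]))  # None: the table no longer helps
    print(verify_password("password", alice), verify_password("Password", alice))  # True False
```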

4 thoughts on “The Password Problem”

  1. I have no clue regarding anything hacking related but you definitely explained this topic well. I never understood that computers use hashing to protect people’s passwords. I would recommend trying to explain a little bit more of the hacking end of this topic though. For example, how exactly do hackers find out a person’s hashed password in the first place? You have definitely made me more curious about the topic of cyber security.

  2. Password security is one of the reasons that I always try to log in to websites via Google or Facebook. These huge internet companies are bound to have passwords stored securely and safely, whereas the small website that you’re trying to log into may not have the best security practices in place. By logging in via Google or Facebook, you don’t actually share your password with the third party site, keeping your information that much safer.

  3. With the advancement of technology and the ability of hackers, I wonder if Rainbow Tables will ever become obsolete. Right now it seems like it would be rather effective, but I feel as if sometime in the near future, someone will figure out a way to hack into this (and for that matter, have there been other encryption methods that have become obsolete in recent years? Obviously, enigma has, but I don’t know of any other ones since the information age.)

  4. Not gonna lie, I got really hype when you said “with math, of course!” I’ve always been interested in cryptography, mostly because my dad was in the intelligence and logistic branches of the army when he was deployed. He taught me really basic techniques starting around when I was in the fourth grade (maybe earlier), and I’ve been fascinated by it ever since. I hadn’t looked into hashing before, and I was actually a little confused – is it that we physically cannot convert back from a hashed password to the original, that the hashing involves some sort of private key encryption process, or that we’re able to encode and encrypt each person’s password such that there’s no need for decryption? Also, the idea of “salting” something is really cool. It hadn’t occurred to me that we could just add nonsense to a password to distract a hacker, stuff that would confuse them but not interfere with the password itself. Cool stuff.
