image courtesy digiart2001

How Passwords Work, in 90 seconds

Posted by 6ff74e82 tiny Jonathan Soma on sep 27, 2011 under Blog Post

Tonight in Cryptography I'm going to be going over a lot of modern-day computer security issues, so I figured I'd give you a 90-second rundown of how passwords [should] work.

In the same way that people have fingerprints, so do words and phrases. They're just called hashes instead. And just like with people, practically every bushel of letters has a different hash.

A hash is made with is a formula that takes the word and converts it into a number. For example, maybe I told you to add each letter together for a given word based on where the letter is in the alphabet. ADD = 1 + 4 + 4 = 9, SAD = 19 + 1 + 4 = 24, EYEBALLS = 5 + 25 + 5 + 2 + 1 + 12 + 12 + 19 = 81. Simple, right? Actual hashing functions like SHA-2 are super badass and collision resistant, though, which basically prevents different words from sharing the same hash.

You know how sometimes computer systems are broken into and usernames and passwords are stolen? Instead of dangerously storing your actual password, web sites can just store the hash of your password, then compare that to the hash of the password you're using to log in. That prevents the bad guys from actually ever getting your password, kind of like how I could never make a copy of your body from just your fingerprint.

It works like this:

1. You tell them you want your password to be marbles

2. Instead of storing marbles, they hash it and store something like 3832c** instead.

3. Next time you want to sign in, you say "my password is balloons!"

4. They hash balloons and get d0eea, which is totally not the same as what they already have stored (3832c). REJECTED!

5. You try again with marbles - they hash it, get 3832c, and since it's the same as what they stored already you're good to go. SUCCESS!

6. Hackers hack the database, get your email address and 3832c, which they totally can't use to log in to your Facebook account. BUMMER FOR THEM!

It's like when you go to jail - they can check if you've been there before by your fingerprints, not by making a copy of your entire body.

Now, there are plenty of reasons why this system isn't perfect - the most fun-named one is Rainbow Tables - but it's pretty good, and a few extra steps can take it up another notch or two. There's also the tiny problem of not every web site does this, and many would still store your password as 'marbles,' which is pretty dumb and the opposite of comforting.

All in all, though, this is how any reasonably secure site keeps prying eyes from your password: by storing the fingerprint, not the full thing. Next up: the black magic and mad science of picking a password!

** For readability's sake I've shortened the SHA-2 hash, which is actually the super-fun 3832cc438b5caa5c73387cc32fb8a899f3e5871192e9a3835323c70be9bd2814

Tagged with computers passwords security

Related Posts