How passwords work

We all have passwords, without which nothing can be done. All we know is we type in the password, click on log in and bam, you've landed on your profile/homepage or whatever it is you want to reach. Now let's learn about what goes on behind those one or two seconds between clicking the log in button and actually getting in.

First let us see what a password should be:

Passwords nowadays can be cracked easily, as computing power increases day by day. A password which took a year to crack can now be cracked within a month. So on your part, build your passwords from the following mixture so that you give that hacker a tough time:

  • Small letters (k)
  • Letters in caps (K)
  • Numbers (1)
  • Special symbols (@)
  • Space ( )

The combination of the above makes a password difficult to crack. There are certain cases, like with Microsoft, where you simply can't use white space in your passwords. For such sites just skip the space part, but do follow the others.
For example, and to make it easier to understand, let's say that I'm Mark from Facebook. I used to save all your passwords in plain text. That is, if your password is "my password", it is saved exactly as it is in my database.

Now if a hack attack takes place and ends up being successful, the hacker will have gained access to all your usernames/emails and your passwords, and since they're in plain text the hacker can read them directly.

Since that's a huge threat to one's privacy, I changed the way I store my users' passwords: I don't simply store their passwords directly, I hash them and then store the hash.
So what's hashing, one might wonder!

Hashing:

Hashing comes into play to protect a plain text, and there are several algorithms you can use to make it work. For instance, hashing the password "mypassword" with the MD5 algorithm produces, say, the hash c915e95033e8. Even tiny alterations to the initial password produce completely different results: consider "MyPassword", with two uppercase letters, which becomes 1d9a3f8172b0 after hashing.

When a hacker successfully hacks his way into my Facebook server, he will only be able to view the hashed passwords of my users, since I did not store any of their passwords directly in plain text.

So all he'll get is "1d9a3f8172b0" and my username in plain text. If he tries to log in to my profile with my username and the 1d9a3f8172b0 he got via hacking, that simply won't work, since when you enter a password it is hashed. So hashing 1d9a3f8172b0 will give a different result, like fub123nakanm, which won't match the originally hashed value of my password, 1d9a3f8172b0.

To gain access the hacker has to enter the exact 'MyPassword' so that it hashes into 1d9a3f8172b0 and matches the value stored against my username in my database; he simply cannot use the already hashed password.
But there are technologies now where a knowledgeable hacker can recover the plain text password from its hash and gain access to the targeted victim's profile. There are many tools to do that, and it can even be done with the good old brute force method, provided the hacker has enough time and computing power.

But I'm not going to go into detail about that, because this is not "Hack your ex's profile", this post is "How passwords work".

So in short, the following is how passwords work, given you're already a member and your password has already been hashed and stored.

  1. You enter your username and password (front end).
  2. The server receives your details and, if you're joining for the first time, collects the password, hashes it and associates that hash value with your user name (back end).
  3. The next time you log in, it hashes the password you've just entered and checks whether it matches the previously hashed value.
  4. If so, you are granted access to your account; if not, access is denied with an incorrect password error.

So include caps, special symbols and numbers, which make the hash value harder for a hacker to crack.
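As an added example (my code, not code from the original post or from any real site), here is the whole story above in Python: `plain_hash` reproduces the post's MD5 illustration so you can watch a one-letter change scramble the digest and see that hashing a stolen digest again does not give the stored value (the post's c915e95033e8 and 1d9a3f8172b0 are shortened illustrations; a real MD5 digest is 32 hex characters), while `register` and `login` implement steps 2 to 4 of the list. The in-memory `USERS` dictionary stands in for the database, and the per-user random salt and PBKDF2 iteration count are my choices rather than anything the post specifies; they are what makes the brute-force guessing the post mentions expensive for the attacker.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "database" the post talks about: username -> record.
# A real site would keep this in persistent storage.
USERS = {}

# Hypothetical tuning parameters for the salted hash; not from the post.
SALT_BYTES = 16
ITERATIONS = 600_000


def plain_hash(password: str) -> str:
    """Unsalted MD5 of the password, reproducing the post's illustration.

    Used here only to show the avalanche effect (a tiny change to the input
    scrambles the whole digest); a bare fast hash like this is not how a
    site should store passwords today.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def avalanche_demo(first: str, second: str) -> dict:
    """Compare the MD5 digests of two passwords that differ only slightly and
    show that hashing a digest again does not reproduce that digest (the
    post's point that a stolen hash cannot simply be typed in as the password)."""
    h1, h2 = plain_hash(first), plain_hash(second)
    differing_bits = bin(int(h1, 16) ^ int(h2, 16)).count("1")
    return {
        "hash_first": h1,
        "hash_second": h2,
        "differing_bits": differing_bits,  # out of the 128 bits in an MD5 digest
        "hash_of_hash_first": plain_hash(h1),
    }


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation (PBKDF2-HMAC-SHA256) of the value we store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> dict:
    """Step 2 of the post: first-time sign-up.

    The password itself is never stored. A fresh random salt per user means
    two users with the same password get different stored values, and the
    iteration count makes every brute-force guess cost the attacker as much
    work as one real login costs the server.
    """
    salt = os.urandom(SALT_BYTES)
    record = {"salt": salt, "iterations": ITERATIONS, "hash": _derive(password, salt, ITERATIONS)}
    USERS[username] = record
    return record


def login(username: str, password: str) -> bool:
    """Steps 3 and 4 of the post: hash what was just typed with the stored salt
    and compare it to the stored hash. The comparison is constant-time so the
    response time does not leak how many leading bytes matched."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that timing does
        # not reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print(avalanche_demo("mypassword", "MyPassword"))
    register("mark", "MyPassword")
    print("right password:", login("mark", "MyPassword"))
    print("wrong case:", login("mark", "mypassword"))
    print("pasting the stolen hash:", login("mark", USERS["mark"]["hash"].hex()))
```

PBKDF2 is used here because it ships in the standard library; bcrypt, scrypt and Argon2 serve the same purpose of making each guess slow. Whatever the algorithm, the two things the post's bare MD5 lacks are a per-user salt (so that a table of precomputed hashes is useless and identical passwords do not look identical in the database) and a deliberately high cost per hash.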
