Passwords are widely used as a security measure to protect sensitive information and for secure access to various accounts and systems. They serve as a means of authentication, allowing you to prove your identity and gain authorized access to your personal data, online services, and devices.

The storage and hashing of passwords

Before storage, the responsible developer should hash your password. Unfortunately, you have no way of knowing whether the developer has properly hashed your passwords or simply stored it as plain text.

Hashing is the process of transforming your password into an unreadable format. This is to prevent that, even if your hash is disclosed, nobody has access to your original password.
Hashing is a one-way process. You can convert your password into a hash, but you can not convert the hash back to your original password.

One common hashing method for passwords is SHA-256, which serves here only as an example. For instance, the word ‘password’ generates the following hash: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8.

Even a minor change, such as changing the word to ‘Password’, results in a completely different hash: e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a.

As you can see, a small change in the password will have a significant impact on the resulting hash.

Encryption: convert data into a code to prevent unauthorized access. You can retrieve the original data with a decryption key.
Hashing: one-way process, converts data into a fixed-size string of characters. It is not possible to reverse the process and retrieve the original data.

What do companies store?

Companies that store your passwords typically only store the hash value. This means that the company cannot help you once you forget your password. They cannot recreate your original password from the hash. It is not that they do not want to help you, it is simply not possible.

So, when you forget your password, the company can send you a reset link, so you have to enter a new password. Another option is that the company sends you a temporary password with which you can login and change your password.

Companies can keep a list of your last used hashes to prevent you from reusing previously used passwords. Frustrating? Yes, but it is a security best practice to change your password regularly. The downside is that it can lead to forgetting or mixing up passwords, especially when managing multiple accounts.

How are these hashes used?

Let us say you log in to your bank account, and you enter your password.
The bank application generates a hash of your password and sends that hash to the bank. If the hash you send matches the hash stored in the banking system you gain access. If there is no match, there is no access. In this ideal situation your password is never sent over the internet. Only the hash leaves your computer.

Commonly used passwords

A quick internet search will show some of the most frequently used passwords:
123456, password, 123456789, qwerty, 111111

Fortunately, modern hashing algorithms can significantly improve the security of these simple passwords. However, the trade off is that it takes more time to create the hash. This is the reason why older algorithms are still widely used today, they are very fast. Unfortunately, they can not protect these simple passwords.

Because of this, companies mandate the use of at least one upper case and one lower case letter, along with a number and a special character. Additionally, a minimum number of characters is normally required, with 12 characters being the standard length accepted by companies today. We call this a strong, or complex, password.

Considering password hackers

As mentioned earlier, passwords are stored as a hash value. You may assume that if a hacker gets hold of your hash, there is nothing they can do with it, right?

Unfortunately, hackers, or more accurately password crackers, have created extensive tables of passwords along with their corresponding hash values, known as rainbow tables. Additionally, they have also generated hash values for every word in comprehensive dictionaries.

Subsequently, they compare the obtained hashes with those in their tables. If they find a match, they successfully uncovered your password.

The brute force attack

Dictionary and rainbow tables have their limitations in deciphering hashes. Another option for determined crackers to uncover passwords is the brute force attack.

This straightforward method tests systematically every possible combination of characters. It starts with single characters and progresses to longer strings until the correct password that matches the hash is discovered.

At first the process progresses rapidly, but as the length of the password increases, the process slows down. The computational effort required escalates significantly, becoming a matter of resource allocation and the computational time the cracker is willing to invest in breaking the password.

It is crucial to understand that what you see in media and movies is not realistic. Crackers have absolutely no insight into the specific characters and length of a password. In reality, the successful completion of the brute force attack is all about testing all characters in the correct order, there is no partial solution. The speed of the attack varies dramatically, from seconds for simpler passwords like 12345 to years for complex ones such as 11111aaaaaaaaaaaaaaa.

Let us take a quick look at that again. Crackers can not decipher the first few characters of a password, and wait for subsequent characters to reveal. This means that a cracker cannot gain insight into let us say the first three characters of an eight-character password and await the discovery of the remaining five characters. The brute force attack implicates the testing of all possible combinations, with no shortcuts or partial successes.

The solution

The key to better password security lies in the length of the password itself. So, the solution is simple: the longer the password, the safer. Regardless of the characters used, a sufficiently long password presents an enormous challenge to crackers. This makes it impractical to crack the password within a reasonable amount of time.

Consider the example of a password consisting only of the letter “a” repeated thirty times: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. Such a password would take years to crack.

However, it is important to note that sensitive accounts, such as for banking, do not accept this simplicity.

An alternative approach involves using complex passwords generated by password tools. These tools allow you to define the character sets to include, such as uppercase and lowercase letters, numbers, and special characters like #$!?. Additionally, you can specify the desired password length, providing flexibility and customization. For instance, you could generate a twelve-character password like 4gHD5Sc64fE5.

One minor drawback is the need to store these passwords for easy retrieval. While it is possible to remember some of them through daily use, it is advisable to use a password manager to securely store and manage your passwords.

Do not miss my next post on longer passwords here.

I have also created a post on browsers and passwords, you can find it here.

Thank you for taking the time to read my post on passwords.
I hope you found it enjoyable and insightful.
Stay tuned for more content that is coming soon.

If you like what you read, please consider sharing it with others who might find it helpful.




Thank you for reading.