How companies store your passwords

in technology •  7 months ago

In the following post I try to explain to an average computer user how passwords are stored, and why a company does not have to know your password but can still check whether the one you enter is correct.

Plaintext

By far the worst way a company can store your password is as plaintext. That means they store the password exactly as you typed it. Anyone with access to the database can read it, so if the database gets hacked the attacker has your password too. If you know that a company stores your password in plaintext, stay away: you should not use that website or service anymore.
But how can you detect whether someone stores your password as plaintext? Simple: if they ever show you your existing password during a reset attempt, they must have it stored as plaintext.
There is a whole website about this: http://plaintextoffenders.com/

If you are a service or company, you don't want to end up there.

How a plaintext login works:
If the password you enter matches the password in their database, you can access the restricted section of the page. But anyone who holds the database, including members of the company or hackers who steal it, can then log in and access the restricted section as well.

Hash

No, not that stuff you smoke from time to time.
Hashing means running a plaintext through a hash function that turns it into a fixed-length, random-looking string.
For example the password "MyS3cre7Passw0rd" can be hashed to "E6EF1F534B085D8073704F64AB85540C3DA52C697ED97747F445E12F7FDEDC1A" using the SHA-256 hash function.
You can try it yourself on my page:

https://rockz.io/hash

The special thing about hashing is that it is one-way: you cannot go back from the hash to the original text string.

How a hashed login works:
You enter your plaintext password, which is sent through the hash function. The service then checks whether the resulting hash is the same as the hash stored in its database. If it is the same, you entered the correct password; if not, you entered the wrong one.
Even if an attacker or employee now steals the password database, it is useless to them, since they cannot recover the passwords from the hashes. Simple but effective!
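The two login flows described above, as an added example that is not part of the original post. It compares a plaintext check against a bare SHA-256 check, and goes one step beyond the post with a salted, iterated hash (PBKDF2, a constructed choice of parameters) so that two users with the same password do not get the same stored value and each guess costs the attacker real work.

```python
import hashlib
import hmac
import os

# Constructed sample: the same password the post hashes.
PASSWORD = "MyS3cre7Passw0rd"


def sha256_hex(password: str) -> str:
    """Bare SHA-256 of the password, upper-case hex as shown in the post."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()


def plaintext_login(stored_password: str, attempt: str) -> bool:
    """Plaintext storage: the database holds the password itself."""
    return hmac.compare_digest(stored_password.encode(), attempt.encode())


def hashed_login(stored_hash: str, attempt: str) -> bool:
    """Hashed storage: hash the attempt and compare it to the stored hash.
    Note that every user with this password gets the identical hash."""
    return hmac.compare_digest(sha256_hex(attempt), stored_hash)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Salted, slow hash: a per-user random salt plus many PBKDF2 rounds.
    Iteration count is an assumed value, not taken from the post."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_record(record: dict, attempt: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    stored = sha256_hex(PASSWORD)
    print("stored SHA-256:", stored)
    print("correct password accepted:", hashed_login(stored, PASSWORD))
    print("wrong password rejected:", not hashed_login(stored, "guess"))
    rec_a, rec_b = make_record(PASSWORD), make_record(PASSWORD)
    print("same password, different salted records:", rec_a["hash"] != rec_b["hash"])
    print("salted verify:", verify_record(rec_a, PASSWORD))
```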

If you have any questions, let me know! :)


For the password to remain only your secret, it is usually enough to follow three simple rules: do not try to come up with short, easy-to-remember passwords, do not use the same password for different sites, and do not enter passwords on computers you can't trust. I like the method of Bruce Schneier, expert and author of books on information security and cryptography. He suggests using sentences that turn into a password. For example, "This little piggy went to market" can become something like "tlpWENT2m". A nine-character password that will not be in any dictionary.


Actually, the nine-character password can also be used in a dictionary by adding some combination rules. The whole content of Wikipedia can be downloaded and added to a dictionary. Even social media posts and comments can be scraped and used in a dictionary.


That's true and scary AF


Well, your password, however strong it is, is as weak as any web service's security and password handling capabilities. If they use an http site to transfer your password and do what Twitter did in logging the password before encrypting it, or worse, just save it as it is on their server, then you are doomed.

So the first rule is: USE THE HTTPS EVERYWHERE EXTENSION AND NEVER USE THE SAME PASSWORD ON DIFFERENT SITES.

Reading this article reminds me of the recent breach at Twitter (although I believe the passwords were properly hashed but the deciphering key was compromised?!)


Hehe yeah, it was the reason I wrote this article.
No, in hashing there is no deciphering key. A deciphering key only exists in encryption systems that work on both sides, but as explained you can only hash plain to hash. Hash to plain is not possible, therefore no deciphering exists in hashing.

The problem with Twitter was that they logged the password before they hashed it.
Like this:

User enters password as plaintext -> sent to Twitter server -> LOGGED PASSWORD as plain (they should not do that) -> hashed the password -> notify the user whether the password was correct or not.


Thank you very much for the detailed explanation, now I understand exactly what happened at Twitter.
BTW that reminds me that I should change my password there ASAP :)

I always forget my passwords :(


Hehe, try using https://keepassxc.org/
This should help you! :)


I use LastPass to remember my passwords because I sign up at so many sites every day and I can't use the same password for each one of them, plus they need to be very strong, so it does the job for me.

I always try to read your writing, but today's writing is more helpful than the other day, because the password is the key to online security. Hopefully the text will be useful for everyone.

@creativeidea says: My friends! @rockz, thank you so much for informing everyone by posting this password help. Password hacking is often heard of, so everyone should use a complex password.

Ah, isn't this concept the bedrock of blockchain technology too? SHA256 seems to light some of my lightbulbs.


Yeah, hashing also plays a huge part in blockchain tech.
For example, you can generate a public key from a private key but never vice versa. Otherwise all wallets could be hacked. :)

Wow, like really, it's important information I have heard for the first time.

"Even if now an attacker or employee steals the password database its useless for them since they cant generate the passwords from the hashes."
Like really??


Yeah, the only way an attacker can obtain the password is to hash and check it character by character.
This is called a brute-force attack, and it needs a lot of computing power. You can check here approximately how long it would take to brute-force your password: https://howsecureismypassword.net/


Ohh ok, thanks :)

Great and helpful post

Hash is appropriate, but maybe in future we'll see more security implemented, like OTP, fingerprints, biometrics, etc., clubbed with each other for more security.

The original can also be like this, learning

Great information... this is the first time I have read about how companies store my password. Really awesome system to store our passwords. Thanks a lot, sir @rockz, for sharing the valuable information.

Very informative @rockz. When we send a message to anyone through the wallet we use a hash tag, a space and then the message, so the message is encrypted and no one can see it. Is it like that?


No, when communicating with someone else, usually asymmetric encryption is used.
If you would use hashing in communication, your partner would not be able to decrypt the message you sent him.
This is what you are looking for:
https://en.wikipedia.org/wiki/Public-key_cryptography

Maybe I'll explain it in another post ;)

Thanks for sharing, my friend

Cryptography technique used.

Very interesting indeed

Great post, thanks rockz bro
