We all have passwords, without which nothing can be done. All
we know is we type in the password, click on log in and bam,
you've landed on your profile/homepage or whatever it is you
want to reach. Now let's learn about what goes on in those
one or two seconds between clicking the log in button and
actually getting in.
First let us see what a password should be:
Passwords nowadays are easier to crack as computing
power increases day by day. A password that took a year to
crack can now be cracked within a month. So on your part,
build your passwords from the following mixture so that you
give that hacker a tough time:
- Small letters (k)
- Letters in caps (K)
- Numbers (1)
- Special symbols (@)
- Space ( )
The combination of the above makes it difficult to crack. And
there are certain cases, like with Microsoft, where you simply
can't use whitespace in your passwords. For such sites just
skip the space part but do follow the others.
For example, and to make it easier to understand, let's
say that I'm Mark from Facebook. I used to save all your
passwords in plain text. That is, if your password is "my
password", it was saved exactly like that in my database.
Now if a hack attack takes place and ends up being
successful, the hacker would have gained access to all
your usernames/emails and your passwords, and since they are in plain
text, the hacker can read them directly.
Since that's a huge threat to one's privacy, I changed the way I
store my users' passwords: I don't simply store their
passwords directly, I hash them and then store the hash.
So what’s hashing, one might wonder!
Hashing:
Hashing comes into play to protect a plain text, and there are
several algorithms you can use to do it. For instance,
hashing the password "mypassword" with the MD5 algorithm,
say, produces the hash c915e95033e8. Even tiny alterations to
the initial password will produce completely different results:
consider "MyPassword", which with two uppercase
letters becomes 1d9a3f8172b0 after hashing.
When a hacker successfully hacks his way into my Facebook
server, he will only be able to view the hashed passwords of my
users, since I did not store any of their passwords directly in
plain text.
So all he'll get is "1d9a3f8172b0" and my username in plain
text. If he tries to log in to my profile with my username and
the 1d9a3f8172b0 he got via hacking, that simply won't work,
since whatever you enter as the password gets hashed. So hashing
1d9a3f8172b0 will give a different result, like fub123nakanm,
which won't match the originally hashed value of my password,
which is 1d9a3f8172b0.
To gain access the hacker has to enter the exact 'MyPassword'
so that it hashes into 1d9a3f8172b0 and matches the value stored
against my username in my database; he simply cannot use the already
hashed password.
But there are techniques now by which a knowledgeable hacker
can work backwards from the hash, find what the plain text password is and
gain access to the targeted victim's profile. There are many
tools to do that, and it can even be done with the good old brute
force method, provided the hacker has enough time and
computing power.
But I'm not going to go into detail about that, because this is not "Hack
your ex's profile", this post is "How passwords work".
So in short, the following is how passwords work, given you're
already a member and your password has already been hashed and
stored.
- You enter your username and password (front end)
- The server receives your details. If you're joining for the first time, the server will take the password, hash it and associate that hash value with your username. (back end)
- The next time you log in, it will hash the password you've just entered and check whether it matches the stored hash.
- If so, you are granted access to your account; if not, access is denied with an incorrect password error.
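As an added example (not code from the post), here is that whole flow in Python: a register step that stores only a random salt and a hash, a login step that re-hashes what was typed and compares it with the stored value, a check that pasting the stolen hash into the password box is rejected, and a small demo of how one changed letter gives a completely different digest. It assumes a hypothetical in-memory `USERS` dictionary in place of a real database. It uses salted PBKDF2-HMAC-SHA256 from the standard library for storage rather than the bare MD5 named above, because a per-user salt and a slow work factor are what make the brute-force and lookup attacks mentioned in the post expensive; MD5 is kept only for the avalanche demo, whose printed digests are the real 32-character MD5 outputs rather than the shortened illustrative values in the post.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the site's user table: username -> (salt, hash).
# Hypothetical data structure for this example only, not a real database.
USERS = {}

ITERATIONS = 200_000  # PBKDF2 work factor: more iterations = slower brute force per guess
SALT_BYTES = 16


def hash_password(password, salt):
    """Derive a fixed-length hash from a password with PBKDF2-HMAC-SHA256.

    The same password and salt always give the same bytes; a different
    password (even by one letter) or a different salt gives unrelated bytes.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    """Back end, first sign-up: store only a random salt and the hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def login(username, password):
    """Back end, later login: hash what was typed and compare it with the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_hash_hex(username):
    """What an attacker who copied the database would see for this user (hex of the hash)."""
    return USERS[username][1].hex()


def avalanche_demo(a="mypassword", b="MyPassword"):
    """Hash two nearly identical strings with MD5 (the algorithm named in the post)
    and return both hex digests plus how many of the 32 hex characters differ."""
    da = hashlib.md5(a.encode("utf-8")).hexdigest()
    db = hashlib.md5(b.encode("utf-8")).hexdigest()
    differing = sum(1 for x, y in zip(da, db) if x != y)
    return da, db, differing


if __name__ == "__main__":
    register("mark", "MyPassword")
    print("correct password accepted:", login("mark", "MyPassword"))
    print("different case rejected:  ", login("mark", "mypassword"))
    # The attacker pastes the stolen hash into the password box: it gets hashed
    # again on the server and never equals the stored value.
    print("stolen hash rejected:     ", login("mark", stored_hash_hex("mark")))
    da, db, n = avalanche_demo()
    print(f"md5('mypassword') = {da}")
    print(f"md5('MyPassword') = {db}  ({n}/32 hex chars differ)")
```

Run it as a script to see the three login outcomes and the two MD5 digests. The salt is what stops one precomputed table from cracking every user who chose the same password, and the iteration count is what turns "a month" of guessing into far longer; both are settings a real site tunes to its hardware.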
So include caps, special symbols and numbers, which make its hash value harder for a hacker to crack.