Cryptography and passwords

Today I will write about passwords and their security. Mostly I want to explain what “hashing” means in this context. It's certainly an important issue, considering that, for example, last year in May there were 164 million passwords from LinkedIn offered for sale.

A good site that requires you to log in won't save your password. You should be the only person who knows it. How can they check it when you log in, then? Well, they hash your password.

This means that when you create your account, instead of storing the password, which could simply be stolen, the website runs the string through a one-way function that outputs a long combination of letters and numbers, unrecognizable from the original password.

A one-way function means that you cannot take the nonsense, put it into the function the other way around and get the password out. A one-way function may, for example, lose some of the original information so that the process is not reversible.

Now only the hash of the password is saved on the server[1], but even that is not enough to be quite secure. The thing is that there are only several commonly used hashing functions, and crackers (the correct term for hackers) can still break it…

What crackers can have is called a rainbow table. That is a huge table of hashes (easily gigabytes in size). These hashes were made from random letters or from combinations of words from dictionaries. When somebody cracks the database of a website and gets their hands on all the saved hashes, they start comparing them in bulk against their rainbow table. A hash function always creates the same string from the same password, so the cracker only needs rainbow tables for a couple of the most-used hash functions.

This is of course why it helps, from the user's side, to have a long and random password: a rainbow table cannot contain everything because of its size, and it takes a long time to compare a lot of hashes.

For extra protection most sites also “salt” hashes. That means that they add some random characters after your password and make a stronger hash from the result. Every password has to have its own unique, long salt. With the salt it does not matter whether it is known or not, because the cracker cannot precompute rainbow tables for all the possible strings, and the technique becomes unusable.

Sites might also increase the time it takes to log into an account, not noticeable for the user but catastrophic for a cracker. For example, if the user has to solve a CAPTCHA, or if you simply use a hash function that takes longer to compute, you will be far more secure against brute-force attacks, which crack hashes one by one simply by trying random strings.[2]
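
The whole scheme described above, as an added example that is not part of the original post: an unsalted fast hash that a precomputed table matches, next to a salted, deliberately slow hash with the login check from footnote [1]. PBKDF2-HMAC-SHA256 stands in for "a hash function that takes longer"; the function names, the 16-byte salt, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Fast hash with no salt: the same password always gives the same output."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_lookup(stolen_hash: str, wordlist: list) -> Optional[str]:
    """Why unsalted hashes fail: one table, built once, matches any leaked hash."""
    table = {unsalted_hash(word): word for word in wordlist}
    return table.get(stolen_hash)


def create_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What the server stores at sign-up: salt, cost and slow hash, never the password."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """At login: re-hash the entered password with the stored salt and compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


if __name__ == "__main__":
    words = ["letmein", "hunter2", "qwerty"]  # constructed sample wordlist
    print(precomputed_lookup(unsalted_hash("hunter2"), words))  # table hit
    alice, bob = create_record("hunter2"), create_record("hunter2")
    print(alice["hash"] != bob["hash"])  # same password, different stored hashes
    print(verify("hunter2", alice), verify("wrong", alice))
```

Because the salt and iteration count are stored next to the hash, the work factor can be raised for new accounts without breaking logins for existing ones.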

On this page you can check if your account has been breached.


[1] When you log in, the password that you entered will be hashed again and compared to the hash that is already saved in the database.

[2] On the other hand, you might be more vulnerable to attacks that try to overload your site.