-
Notifications
You must be signed in to change notification settings - Fork 0
Password Storage
Logan Bonney edited this page Nov 24, 2015
·
3 revisions
Generally programs that use brute force password cracking don't just got to the website and enter in a whole bunch of different passwords. They don't do this because querying the server to guess a single password would require tons more time and things like captchas tend to pop up if a client starts sending too many login requests.
To understand how brute force password guessers get your password, one must first understand how passwords are stored on a server.
The proper way to store passwords is a method called salting and hashing. It's a common misconception that passwords are stored encrypted on a server. It is bad practice for a website to encrypt your passwords because that would allow the site admin to simply decrypt your password and view them freely and the whole point of a password is to have only the user know it. So instead of storing your password or an encryption of your password servers store a hash of your password. A hash is a unique key that is only generated by a specific input, websites will usually use SHA hashing to store your password. Hashing is one way so even if a hacker gets the hash of your password, the hash will tell them nothing about your password unless they can guess your exact password. Also this means that the website won't even be able to look up your passwordAn example of a hash using SHA256 is "hunter2" produces the hash f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7. There's no way to turn that long string of letters and numbers back into your password, but "hunter2" and only "hunter2" will produce that hash.
So what if a hacker gets the hash of your password? As long as your password is hard to guess (see Password Tips) a brute force attack will take a long time to guess your password to the point where it's not worth the time. But if your password contains only words it will be fairly trivial for a program like hydra to guess. This is where salting comes in. To prevent your passwords form being guessed websites will add "salt" to your password such as a string of random characters that only the website knows. now your password will produce an entirely different hash and is a lot harder for a brute force algorithm to guess.