How Do Passwords Work?
If you want to make a purchase, post a comment in a forum, or even read content on many websites, you’re prompted to create (and remember!) a password.
What’s going on when you create a password? And how does this process help keep your information safe? When you create a password on a website, that password isn’t stored verbatim on the website’s server. That’s because your password would be freely available if the security of the server were compromised.
Instead, your password is put through a process called “hashing,” which significantly improves security (provided your password is strong enough).
What is hashing and how does it work?
Hashing turns your password (or any other piece of data) into a short string of letters and/or numbers using an encryption algorithm.
If a website is hacked, cyber criminals don’t get access to your password. Instead, they just get access to the encrypted “hash” created by your password.
A common hash function is md5(), which returns a 32-character string from any input. Below are a few examples of what a hash looks like:
- md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
- md5(hell0world) = 0a123b92f789055b946659e816834465
- md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca#
- md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
From these examples we can learn several things about hashes:
Small changes matter a lot – Take a look at examples 1 and 2. Just one digit has been shifted, from an “o” to a “0.” This is a very small change, and yet the second output is unrecognizable from the first.
The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32-character string as the output.
Repeatable – An input will always give the same output when hashed using the same function. If this weren’t the case, they would just be generating a random output, which would be useless for passwords. (I included the same function in example 1 as example 4 just to see if you were paying attention.)
Hard to reverse – Even though a cyber criminal may be able to tell the function used to create a hash, it’s almost impossible to reverse that function and generate the password. In fact, it’s so hard that trying millions of combinations to try and produce the same end result (a brute-force attack) is typically quicker than the calculations required to reverse the hashing process.
How is password hashing used for granting access?
Let’s look at how hashing works in practice:
- Step 1 – A user visits a site and fills in a form to create their username and password.
- Step 2 – That password is put through a hash function and the hash is stored in the database.
- Step 3 – When a user logs in they enter their password again on the site.
- Step 4 – That entered password is run through the same hashing function as was used before.
- Step 5 – The server checks this hash against the one stored for the user in the database.
- Step 6 – If the two hashes match exactly, the user is granted access.
Is hashing sufficient to keep passwords safe?
Knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, memorable password. In fact, you should do the opposite. The password you choose is critical for keeping your data secure.
Once a cyber criminal obtains password hashes from a website, the real process of password hacking begins. This process happens offline, on the cyber criminal’s computer. Cybercriminals put combinations of characters into a hashing function until a hash that matches yours is created.
Because the functions themselves are well known, password cyber criminals can easily calculate hashes for known words and other commonly chosen combinations. Then they match the cracked passwords against these dictionaries.
These dictionaries go far beyond simple words. They include prefixes, suffixes, the practice of changing letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords can be broken very quickly.
You can see how easily simple passwords can be cracked in the blog, Five Most Popular Password Cracking Tools.
For strong password security, you must:
- Create a long and seemingly random password
- Change that password periodically
- Never reuse that password on other websites
PAM and password management
Human beings struggle to create strong, memorable passwords. When we fail to do so, we put our financial and personal data at risk.
For businesses, the risk is even greater. Even if your network security is strong, if people are using the same passwords for your multiple internal systems, applications, and websites, your network could be breached without anyone hacking in. For example, if a user’s personal email is breached, a cyber criminal might try the same password on their work account, possibly gaining access to sensitive business data.
Privileged Access Management (PAM) solutions automatically generate complex passwords and rotate them regularly. So, even if a cyber criminal gains access to a hash, they can’t easily conduct a brute-force attack. PAM solutions help ensure passwords are unique and never shared, so even if cyber criminals get one password, they are less likely to leverage that password to gain additional access.
With PAM, privileged users don’t need to remember passwords or remember to change them. Password management happens automatically, behind the scenes, without interrupting a user’s productivity.
So, that’s how passwords work! Now, learn more about privileged access management.
Related Reading: Why you must NOT store enterprise passwords in Excel.