Passwords are a fact of life now, and they’re the first line of defence when it comes to protecting your accounts online.
But how are passwords stored? What happens if an attacker steals the list of passwords? Here we find out how passwords are stored as hashes to make it more difficult to steal them, as well as some of the ways attackers get around this problem.
- A password in a modern computer system is simply a series of characters.
- These can be arranged to form something memorable to a human, but could also come from a special device or piece of software for managing passwords.
- When we log in to a computer, or a remote service, we give our username and password.
- That password is then checked against a stored version. If the username and password match, you're assumed to be the owner of that account.
- Just like with ancient watch words, we have an immediate problem: eavesdropping. If someone can monitor your conversation, they can make a note of your password and then later pretend to be you.
- In our scenario, we will assume this is a solved problem: either you're logging in to a local machine, and nobody is looking over your shoulder, or you're logging in to a remote service over an encrypted channel. Either way, it's a separate problem and as interesting and full of caveats as it is, we'll focus on the password problem for now.
- If we follow this idea through, we can deduce a few facts about how it is implemented:
- Everyone has their own password and doesn't share it, but they also have no way to make sure they don't all use similar passwords. What if they all used 'swordfish'?
- There is a list of passwords somewhere. They have to be stored somehow for us to be able to check them.
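As an added example (not part of the course text), here is the stored list and the login check from the bullets above written out in Python, using a constructed set of accounts in which three people chose 'swordfish'. It goes one step beyond the text by contrasting a bare hash with a per-user salted, slowed-down hash (PBKDF2 from Python's standard library), since the bare hash reveals exactly the "everyone used swordfish" situation the bullets worry about.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 200_000  # PBKDF2 work factor: slows down guessing against a stolen list


def unsalted_hash(password: str) -> str:
    """Naive storage: the same password gives the same stored value for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'algorithm$iterations$salt$digest' with a fresh random salt per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """The login check: recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_password_file(users: Dict[str, str], salted: bool = True) -> Dict[str, str]:
    """Constructed stand-in for 'the list of passwords somewhere': username -> stored value."""
    return {u: (salted_hash(p) if salted else unsalted_hash(p)) for u, p in users.items()}


def identical_entries(pw_file: Dict[str, str]) -> int:
    """How many stored values repeat, i.e. how visibly users share a password."""
    return len(pw_file) - len(set(pw_file.values()))


# Constructed sample accounts (not real data); three of them chose 'swordfish'.
SAMPLE_USERS = {"alice": "swordfish", "bob": "swordfish",
                "carol": "swordfish", "dave": "correct horse"}

if __name__ == "__main__":
    naive = build_password_file(SAMPLE_USERS, salted=False)
    good = build_password_file(SAMPLE_USERS)
    print("repeated entries, unsalted:", identical_entries(naive))  # 2
    print("repeated entries, salted:  ", identical_entries(good))   # 0
    print("login alice/swordfish:", verify(good["alice"], "swordfish"))
    print("login alice/Swordfish:", verify(good["alice"], "Swordfish"))
```

With bare hashes, anyone holding the stolen list can see at a glance that alice, bob and carol share a password; with a salt per user the three entries look unrelated, and the check still works because the salt is stored alongside the digest.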
© Coventry University. CC BY-NC 4.0