Passwords are a fact of life now, and they’re the first line of defence when it comes to protecting your accounts online.
But how are passwords stored? What happens if an attacker steals the list of passwords? Here we find out how passwords are stored as hashes, so that a stolen list does not hand the attacker every password directly, as well as some of the ways attackers get around this protection.
A password in a modern computer system is simply a series of characters. These can be arranged to form something memorable to a human, but could also come from a special device or piece of software for managing passwords.
When we log in to a computer or a remote service, we give our username and password. This password is then checked against the version stored for that username. If the two match, the system assumes you are the owner of that account.
Just like with ancient watch words, we have an immediate problem: eavesdropping. If someone can monitor your conversation, they can make a note of your password and then later pretend to be you.
In our scenario in the next step, we will assume this is a solved problem: either you’re logging in to a local machine and nobody is looking over your shoulder, or you’re logging in to a remote service over an encrypted channel. Either way, it’s a separate problem and as interesting and full of caveats as it is, we’ll focus on the password problem for now.
If we follow this idea through, we can deduce a few facts about how it is implemented:
- Everyone has their own password and doesn’t share it, but nothing stops different people choosing the same or similar passwords. What if they all used ‘swordfish’?
- There is a list of passwords somewhere. They have to be stored in some form for us to be able to check them.
- The list of passwords is an issue. The first ever case of a password system being compromised involved the password list being stolen, and every year we hear of more cases of stolen passwords, with many hundreds of stolen lists discovered being shared and traded by hackers. If someone steals the list of passwords, they have access to all of the accounts!
This is where hashing is used to protect passwords.
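To make the problem concrete, here is an added example (not code from the original article) that builds the password list three ways: as plain text, as an unsalted hash, and as a salted, slow hash (PBKDF2 from Python’s standard library). The three sample accounts are constructed for the example, and the iteration count is an illustrative choice. It shows both what a stolen list reveals in each case and the ‘swordfish’ problem from the list above: with plain text or an unsalted hash, anyone holding the list can see which users share a password.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example (not from the article).
# Two users have chosen the same password, 'swordfish'.
SAMPLE_ACCOUNTS = [
    ("alice", "swordfish"),
    ("bob", "correct horse battery staple"),
    ("carol", "swordfish"),
]

# Illustrative work factor for PBKDF2; real deployments tune this to their
# hardware and raise it over time.
ITERATIONS = 100_000


def store_plaintext(accounts):
    """The naive design: the stored list literally contains every password."""
    return {user: pw for user, pw in accounts}


def verify_plaintext(store, user, pw):
    """Compare the submitted password with the stored one (constant time)."""
    if user not in store:
        return False
    return hmac.compare_digest(store[user].encode(), pw.encode())


def store_unsalted(accounts):
    """Hash only: a stolen list no longer shows passwords, but identical
    passwords still produce identical hashes."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in accounts}


def verify_unsalted(store, user, pw):
    if user not in store:
        return False
    candidate = hashlib.sha256(pw.encode()).hexdigest()
    return hmac.compare_digest(store[user], candidate)


def hash_salted(pw, salt):
    """Slow, salted hash: PBKDF2-HMAC-SHA256 over the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def store_salted(accounts):
    """Per-user random salt plus a slow hash. The salt is stored alongside
    the hash; it is not a secret, it just makes each entry unique."""
    out = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        out[user] = (salt, hash_salted(pw, salt))
    return out


def verify_salted(store, user, pw):
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(expected, hash_salted(pw, salt))


def duplicate_password_visible(store):
    """Could an attacker holding the stored list tell which users share a
    password, simply by looking for repeated entries?"""
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    for name, builder in [("plaintext", store_plaintext),
                          ("unsalted hash", store_unsalted),
                          ("salted hash", store_salted)]:
        store = builder(SAMPLE_ACCOUNTS)
        print(f"{name:14s} duplicates visible: {duplicate_password_visible(store)}")
```

Logging in works identically in all three designs: hash (or not) what the user typed in the same way, then compare it with the stored entry. What differs is what an attacker learns from the stolen list, and how much work it takes them to recover each password from it.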
You may wish to read the article in the See also section at the end of this step on the importance of not reusing the same password across multiple services.
© Coventry University. CC BY-NC 4.0