There are many things we need to function every day: love, family and friends, good health, puppies, Toastmasters. There is one more: passwords. Think about it. We use passwords every day, when we check our computer, phone, email, Facebook, Twitter, bank account—basically, anything that represents us. Passwords are valuable.
When we are careless with our passwords, we put ourselves at risk. A breach occurs when someone who isn’t supposed to access your account—a hacker—breaks in. As a result, your private information is exposed to the hacker. Even when we are careful, those whom we entrust our passwords with can be careless and put us at risk.
In 2009, rockyou, a company that develops applications for Myspace and Facebook, suffered a breach. They had stored users’ information in a careless manner. To make matters worse, rockyou had stored the passwords in plaintext. This means the passwords were not hidden or obscured in any way; they were just out there, in plain view, for anyone to see. For the first time, hackers obtained millions of passwords and got to analyze how people create passwords in real life.
rockyou isn’t the only company that made such a mistake. Every so often, you will hear about companies having a breach and asking their customers to change passwords. These companies that I listed aren’t nobodies. They serve millions of people, possibly you. And these companies? They have experts that make sure that our information is safe, and yet, they still suffer from breaches.
In two parts, we are going to educate ourselves on passwords. In Part One, we will look at how passwords work. We will understand the ideas of hash and salt, which form the basis of all passwords. Next time, in Part Two, we will study how a hacker attacks our passwords and how hashes stop the attacks. Finally, we will look at how to create good passwords and keep our accounts safe.
1. Hash and salt
Both terms are inspired from cooking. A hash, like a hash brown, means something that has been chopped and mixed, whereas salt is an ingredient that we add beforehand to make the hash taste better. Before I explain what hash and salt mean in the context of passwords, I will set up a problem so that you can understand why hash and salt were created in the first place.
Suppose you have a Facebook account. You want to check your Facebook page, so you enter your name and password. I am Facebook. How do I know if I can let you in?
a. Idea #1
Here’s an idea. I am like a bouncer at a club; I have a list of names and passwords that tells me who can enter and who can’t. (We call this list a database, but I will say list.) The names on my list are all different, so I can easily check if your name is on the list. Next, I check if your password matches mine. If it does, I let you in. If it doesn’t, I don’t let you in. Again, the idea is: I check your name, then I check your password.
Let’s analyze the pro and con of our solution. In order for this to work, when you create an account and your password, I need to keep your password. That way, when you log in, I can check if your password matches mine.
The beauty is, I can easily check if your password is correct. The ugly downside? I just created a security nightmare. If a hacker breaks in, the hacker sees all the passwords that I have. Clearly, this isn’t the right solution, and yet, surprisingly, this is exactly what rockyou did. They kept a list of 32 million passwords, unprotected.
b. Idea #2
To create a better solution, we introduce an idea from math, known as a function. A function takes something in—an input—and follows a set of steps to create something else—an output. Think of a function as a cooking recipe. The ingredients are the input; the recipe is the function, which tells you what to do with the ingredients; and the food that comes out is the output.
I can create a function that turns your password into gibberish (a string of hexadecimal characters, to be exact). We call this gibberish a hash, and the function that makes the gibberish a hash function. I won’t cover the details of the hash function, because there are many candidates and each of them is complicated.
What you need to know is this: hash, in its culinary term, means something that has been chopped and mixed. In essence, I am chopping your password into small bits and mixing them really well to make a hash—to create gibberish.
And the punchline? Your password has meaning and value, so it’s not a good idea for me to keep your password. But a hash is gibberish that has no meaning and no value, so it’s ok for me to keep your hash.
We have a new solution now. When you create an account, I hash your password and keep the hash. When you log in, I hash the password that you enter and check if your hash matches mine. If it does, I let you in. If it doesn’t, I don’t let you in.
What are the pro and con? This time, when a hacker breaks in, the hacker only sees the hashes, not the actual passwords. That’s good!
However, we have two problems: (1) People who use the same password have the same hash. In the example above, John Smisek and John Smith have the same hash, because both use johnny as their password. If the hacker manages to guess John Smisek’s password, the hacker can assume that John Smith uses the same password.
(2) It’s also possible that people who have different passwords have the same hash. John Smisek and John Smith may have the same hash from different passwords. In this case, the hacker can use John Smisek’s password to log in as John Smith, even though it’s not the correct password. Remember, all I check is whether your hash matches mine. I don’t know the correct password.
c. Idea #3 (the real deal)
Our final solution fixes everything. Let me show you how passwords really work. When you create an account, I give you an ID that no one else has. We call this ID a salt. The key is that everyone has a different salt.
I add the salt to your password—to make it taste better—to make it unique. John Smisek and John Smith use the same password, johnny, but their salts are different, so their salted passwords are different.
Next, I hash the salted password. John Smisek and John Smith have different salted passwords, so their hashes are very likely different.
Finally, I keep the hash and salt. When you log in next time, I add your salt to the password that you enter, hash the salted password, and check if your hash matches mine. If it does, I let you in. If it doesn’t, well, you know the story by now.
Let’s analyze why this solution works. If the hacker breaks in, the hacker only sees the hashes and salts, not the passwords. Furthermore, people who use the same password have different hashes (very likely), because their salts are different. This fixes the two problems we had: (1) The hacker can’t know which people use the same password. (2) The hacker can’t use a person’s password to log in as another person that has the same hash. Same password + different salt = different hash (very likely).
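To make Idea #2 and Idea #3 concrete, here is an added Python example (my own illustration, not code from the original post). It builds the two kinds of "list": one that keeps a bare hash of each password, and one that keeps a random salt plus the hash of the salted password. The hash function (SHA3-256 from the standard library), the salt size, and the extra user "Jane Doe" are my assumptions. The function groups_sharing_hash shows what a hacker who stole the list learns: with bare hashes, John Smisek and John Smith are visibly linked because both use johnny; with salts, they are not.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


# Hash function assumed for this example: SHA3-256. Any cryptographic hash
# shows the same effect; this is not the author's code.
def hash_password(password: str) -> str:
    """Idea #2: turn the password alone into gibberish (a hex string)."""
    return hashlib.sha3_256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Idea #3: add the salt to the password first, then hash the salted password."""
    return hashlib.sha3_256((salt + password).encode("utf-8")).hexdigest()


class UnsaltedStore:
    """Idea #2: the list holds name -> {"hash": ...}."""

    def __init__(self):
        self.records = {}

    def register(self, name: str, password: str) -> None:
        self.records[name] = {"hash": hash_password(password)}

    def login(self, name: str, password: str) -> bool:
        rec = self.records.get(name)
        if rec is None:           # name is not on the list
            return False
        # compare_digest avoids leaking how many characters matched via timing
        return hmac.compare_digest(rec["hash"], hash_password(password))


class SaltedStore:
    """Idea #3: the list holds name -> {"salt": ..., "hash": ...}."""

    def __init__(self):
        self.records = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_hex(16)  # 16 random bytes; a different salt for every account
        self.records[name] = {"salt": salt, "hash": salted_hash(password, salt)}

    def login(self, name: str, password: str) -> bool:
        rec = self.records.get(name)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], salted_hash(password, rec["salt"]))


def groups_sharing_hash(store):
    """Problem (1) from the hacker's view: which names on a stolen list share a hash?"""
    by_hash = defaultdict(set)
    for name, rec in store.records.items():
        by_hash[rec["hash"]].add(name)
    return sorted((names for names in by_hash.values() if len(names) > 1), key=sorted)


def build_demo(store_cls):
    """Constructed sample accounts: the two Johns share the password johnny."""
    store = store_cls()
    store.register("John Smisek", "johnny")
    store.register("John Smith", "johnny")
    store.register("Jane Doe", "correct horse")   # constructed third user
    return store


if __name__ == "__main__":
    for cls in (UnsaltedStore, SaltedStore):
        store = build_demo(cls)
        print(cls.__name__)
        for name, rec in store.records.items():
            print("  ", name, rec)
        print("   names sharing a hash:", groups_sharing_hash(store))
        print("   login John Smith / johnny:", store.login("John Smith", "johnny"))
        print("   login John Smith / wrong:", store.login("John Smith", "wrong"))
```

Running it prints the two lists side by side: in UnsaltedStore the two Johns have identical hashes, in SaltedStore they do not, yet both stores still accept johnny and reject a wrong password. Problem (2), two different passwords producing the same hash, cannot be demonstrated with a real hash function because such collisions are infeasible to find, which is one of the properties Part Two is about. Real systems also use a slow, purpose-built password hash (PBKDF2, bcrypt, scrypt or Argon2) in place of a plain SHA3 call; the salting logic is the same.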
Let’s summarize what we learned. I, a company, don’t confirm your identity by your password, because keeping a list of passwords is dangerous. By trial and error, we came up with the ideas of hash and salt. I salt your password—to make you different from everyone else—and I hash the salted password—to create gibberish that has no meaning and no value. I keep the hash and salt, so that when you log in, I can check if you are who you say you are.
There are 3 benefits to using hash and salt. One, if I have a breach, the hacker only sees the hashes and salts, not the passwords. Two, the hacker can’t know which people use the same password. And three, the hacker can’t use a person’s password to log in as another person that has the same hash.
Next time, in Part Two, we will study how a hacker attacks our passwords. To be specific, the hacker attacks our hashes. The good news is, our hash function is designed to stop the attacks. We will study what makes a hash function so special. Finally, we will look at how to create good passwords and keep our accounts safe.