p@55w0rd$: Part 1


There are many things we need to function every day: love, family and friends, good health, puppies, Toastmasters. There is one more: passwords. Think about it. We use passwords every day, when we check our computer, phone, email, Facebook, Twitter, bank account—basically, anything that represents us. Passwords are valuable.

0. Breach

When we are careless with our passwords, we put ourselves at risk. A breach occurs when someone who isn’t supposed to access your account—a hacker—breaks in. As a result, your private information is exposed to the hacker. Even when we are careful, those we entrust with our passwords can be careless and put us at risk.

In 2009, RockYou, a company that developed applications for MySpace and Facebook, suffered a breach. They had stored users’ information carelessly. To make matters worse, RockYou had stored the passwords in plaintext: the passwords were not hidden or obscured in any way; they were simply there, in plain view, for anyone who got in to read. About 32 million passwords leaked, and for the first time at that scale, hackers (and researchers) could analyze how people create passwords in real life.

companies_breached.png
A non-exhaustive list of companies that had a breach. In order, the numbers of affected users are 32M, 77M, 6.5M, 130M, 360M, and 500M (M = million).

RockYou isn’t the only company that made such a mistake. Every so often, you will hear about a company having a breach and asking its customers to change their passwords. The companies I listed aren’t nobodies. They serve millions of people, possibly including you. And these companies employ experts whose job is to keep our information safe, and yet they still suffer breaches.

In two parts, we are going to educate ourselves on passwords. In Part One, we will look at how passwords work behind the scenes. We will understand the ideas of hash and salt, which form the basis of how every well-run service stores passwords. Next time, in Part Two, we will study how a hacker attacks our passwords and how a good hash function resists those attacks. Finally, we will look at how to create good passwords and keep our accounts safe.

1. Hash and salt

Both terms are borrowed from cooking. A hash, like a hash brown, is something that has been chopped and mixed, whereas salt is an ingredient we add beforehand to make the hash taste better. Before I explain what hash and salt mean in the context of passwords, I will set up a problem so that you can understand why hash and salt were created in the first place.

Suppose you have a Facebook account. You want to check your Facebook page, so you enter your name and password. I am Facebook. How do I know if I can let you in?

hash_and_salt_slide01
Problem. How do I know that it’s you?

a. Idea #1

Here’s an idea. I am like a bouncer at a club; I have a list of names and passwords that tells me who can enter and who can’t. (We call this list a database, but I will say list.) The names on my list are all different, so I can easily check if your name is on the list. Next, I check if your password matches mine. If it does, I let you in. If it doesn’t, I don’t let you in. Again, the idea is: I check your name, then I check your password.

hash_and_salt_slide02
Solution. I have a list of people who can enter. I check your name and password.

Let’s analyze the pros and cons of our solution. In order for this to work, when you create an account and choose your password, I need to keep your password. That way, when you log in, I can check if the password you enter matches the one on my list.

The beauty is, I can easily check if your password is correct. The ugly downside? I just created a security nightmare. If a hacker breaks in, the hacker sees every password I have, all at once. Clearly, this isn’t the right solution, and yet, surprisingly, this is exactly what RockYou did. They kept a list of 32 million passwords, unprotected.

hash_and_salt_slide03
Idea #1. When you create an account, I keep your password. When you log in, I see if your password matches mine.

b. Idea #2

To create a better solution, we introduce an idea from math, known as a function. A function takes something in—an input—and follows a set of steps to create something else—an output. Think of a function as a cooking recipe. The ingredients are the input; the recipe is the function, which tells you what to do with the ingredients; and the food that comes out is the output.

function
A function takes in an input, and follows a set of steps to turn it into an output.

I can create a function that turns your password into gibberish (a fixed-length string of bytes, usually written out as hexadecimal characters, to be exact). We call this gibberish a hash, and the function that makes the gibberish a hash function. I won’t cover the internals of the hash function, because there are many candidates and each of them is complicated.

hash-function
Imagine a function that turns your password into gibberish. We call this gibberish a hash.

What you need to know is this: hash, in its culinary sense, means something that has been chopped and mixed. In essence, I am chopping your password into small bits and mixing them really well to make a hash—to create gibberish. The same password always produces the same hash, but change even one character of the password and the hash comes out completely different.

hash_and_salt_slide04
An example of a hash.

And the punchline? Your password has meaning and value, so it’s not a good idea for me to keep your password. But a hash is gibberish, and a good hash function is one-way: there is no recipe for running it backwards and getting the password out of the hash. So it’s ok for me to keep your hash.

We have a new solution now. When you create an account, I hash your password and keep the hash. When you log in, I hash the password that you enter and check if your hash matches mine. If it does, I let you in. If it doesn’t, I don’t let you in.

hash_and_salt_slide05
Idea #2. When you create an account, I hash your password and keep the hash. When you log in, I hash the password that you enter and see if your hash matches mine.

What are the pros and cons? This time, when a hacker breaks in, the hacker only sees the hashes, not the actual passwords. That’s good!

However, we have two problems: (1) People who use the same password have the same hash. In the example above, John Smisek and John Smith have the same hash, because both use johnny as their password. If the hacker manages to guess John Smisek’s password, the hacker gets John Smith’s password for free, without guessing again.

(2) In principle, two different passwords can also produce the same hash; we call this a collision. If John Smisek’s and John Smith’s passwords collided, the hacker could use John Smisek’s password to log in as John Smith, even though it’s not the correct password. Remember, all I check is whether your hash matches mine. I don’t know the correct password. A well-designed hash function makes collisions so unlikely that you will never see one in practice, which is one reason the choice of hash function matters (more on that in Part Two).
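To make Idea #2 concrete, here is an added example (my own code, not part of the original post) that builds the list of hashes, checks a login, and then hunts for problem (1), two users who share a hash. It uses Python’s standard hashlib with SHA3-256 standing in for the hash function and a constructed set of accounts: John Smisek and John Smith are the post’s characters, the third account and all password choices are made up for the example.

```python
import hashlib

# Constructed sign-ups for the example (not real accounts). Both Johns pick
# the same password, exactly as in the post's figure.
SIGNUPS = [
    ("John Smisek", "johnny"),
    ("John Smith", "johnny"),
    ("Jane Doe", "johnny1"),
]


def hash_password(password: str) -> str:
    """Turn a password into 'gibberish': SHA3-256 of its UTF-8 bytes, as hex.

    SHA3-256 is used here because it is a standard, easy-to-run hash function.
    A real login system would use a deliberately slow password hash (bcrypt,
    scrypt, Argon2) instead; that is the subject of Part Two.
    """
    return hashlib.sha3_256(password.encode("utf-8")).hexdigest()


def build_list(signups):
    """Account creation (Idea #2): keep name -> hash, never the password."""
    return {name: hash_password(password) for name, password in signups}


def login(stored, name: str, password: str) -> bool:
    """Login (Idea #2): hash what was typed and compare it to the stored hash."""
    return name in stored and stored[name] == hash_password(password)


def shared_hashes(stored):
    """Problem (1): users whose stored hashes are identical share a password."""
    users_by_hash = {}
    for name, digest in stored.items():
        users_by_hash.setdefault(digest, []).append(name)
    return {digest: names for digest, names in users_by_hash.items()
            if len(names) > 1}


def differing_positions(a: str, b: str) -> int:
    """Count hex positions where two hashes differ; similar passwords
    ('johnny' vs 'johnny1') still give completely different hashes."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    stored = build_list(SIGNUPS)
    for name, digest in stored.items():
        print(f"{name:12s} {digest}")
    print("login John Smith / johnny:", login(stored, "John Smith", "johnny"))
    print("login John Smith / Johnny:", login(stored, "John Smith", "Johnny"))
    for digest, names in shared_hashes(stored).items():
        print("same hash, so same password:", ", ".join(names))
    print("hex positions differing between hash('johnny') and hash('johnny1'):",
          differing_positions(hash_password("johnny"), hash_password("johnny1")))
```

Run it and the two Johns print the same 64-character hash, which is exactly what a hacker holding the stolen list would notice first.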

c. Idea #3 (the real deal)

Our final solution fixes what Idea #2 left open. Let me show you how passwords really work. When you create an account, I generate a random string that no one else has and attach it to your account; you never see it or choose it. We call this string a salt. The key is that everyone has a different salt.

hash_and_salt_slide06
Step 1. When you create an account, I give you a salt (an ID) that no one else has.

I add the salt to your password—to make it taste better—to make it unique. John Smisek and John Smith use the same password, johnny, but their salts are different, so their salted passwords are different.

hash_and_salt_slide07
Step 2. I add the salt to your password.

Next, I hash the salted password. John Smisek and John Smith have different salted passwords, so their hashes are very likely different.

hash_and_salt_slide08
Step 3. I hash your salted password.

Finally, I keep the hash and salt. When you log in next time, I look up your salt, add it to the password that you enter, hash the result, and check if your hash matches mine. If it does, I let you in. If it doesn’t, well, you know the story by now.

hash_and_salt_slide09
Step 4. I keep the hash and salt. When you log in next time, I salt and hash the password that you enter and see if your hash matches mine.

Let’s analyze why this solution works. If the hacker breaks in, the hacker only sees the hashes and salts, not the passwords. Furthermore, people who use the same password have different hashes (very likely), because their salts are different. This fixes problem (1): the hacker can’t tell which people use the same password, and cracking one person’s password tells the hacker nothing about anyone else’s. It also means the hacker can’t attack everyone at once: every guess has to be combined with each user’s own salt and hashed again, one user at a time. Problem (2), collisions, is really the job of the hash function rather than the salt; a good hash function makes them practically impossible, salt or no salt. Same password + different salt = different hash (very likely).
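Here is the list rebuilt with Idea #3, as an added example (my own code, not the post’s): step 1 generates the salt from the operating system’s random source, steps 2 and 3 salt and hash, step 4 stores salt and hash, and login repeats the recipe. It then goes one step beyond the post’s text and shows the work a hacker faces with the stolen list: every guess has to be salted and hashed once per user instead of once for everyone. SHA3-256 from the standard library stands in for the hash function as before; the account names are the post’s and the guess list is constructed for the example.

```python
import hashlib
import hmac
import secrets


def new_salt() -> str:
    """Step 1: a salt no one else has -- 16 random bytes from the OS, as hex.
    The server generates it; the user never sees or chooses it."""
    return secrets.token_hex(16)


def hash_salted(salt: str, password: str) -> str:
    """Steps 2 and 3: add the salt to the password, then hash the salted password.
    SHA3-256 stands in for the hash function; a real system uses a slow
    password hash (bcrypt, scrypt, Argon2), covered in Part Two."""
    return hashlib.sha3_256((salt + password).encode("utf-8")).hexdigest()


def create_account(stored: dict, name: str, password: str) -> None:
    """Step 4: keep the salt and the hash. The password itself is discarded."""
    salt = new_salt()
    stored[name] = {"salt": salt, "hash": hash_salted(salt, password)}


def login(stored: dict, name: str, password: str) -> bool:
    """Look up the user's salt, salt-and-hash what they typed, and compare."""
    record = stored.get(name)
    if record is None:
        return False
    candidate = hash_salted(record["salt"], password)
    # compare_digest takes the same time whether the first or the last
    # character differs, so nothing leaks through how long the check takes.
    return hmac.compare_digest(candidate, record["hash"])


def guess_attack(stored: dict, guesses: list):
    """What a hacker holding the stolen list must do: for every user, salt and
    hash every guess until one matches. Returns the cracked passwords and the
    number of hash computations spent. Without salt (Idea #2) each guess is
    hashed once and compared against every user for free; with salt the work
    is multiplied by the number of users."""
    cracked = {}
    work = 0
    for name, record in stored.items():
        for guess in guesses:
            work += 1
            if hash_salted(record["salt"], guess) == record["hash"]:
                cracked[name] = guess
                break
    return cracked, work


if __name__ == "__main__":
    stored = {}
    create_account(stored, "John Smisek", "johnny")
    create_account(stored, "John Smith", "johnny")
    for name, rec in stored.items():
        print(f"{name:12s} salt={rec['salt']} hash={rec['hash'][:16]}...")
    print("same password, same hash?",
          stored["John Smisek"]["hash"] == stored["John Smith"]["hash"])
    print("login John Smith / johnny:", login(stored, "John Smith", "johnny"))
    # Constructed guess list for the example.
    cracked, work = guess_attack(stored, ["password", "123456", "johnny"])
    print("cracked:", cracked, "hash computations:", work)
```

Two design choices worth noting: the salt comes from secrets, not random, because a predictable salt defeats the purpose, and the comparison uses hmac.compare_digest rather than ==, which is the habit to build for any check that touches a secret.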

2. Conclusion

Let’s summarize what we learned. I, a company, don’t confirm your identity by keeping your password, because keeping a list of passwords is dangerous. By trial and error, we came up with the ideas of hash and salt. I salt your password—to make you different from everyone else—and I hash the salted password—to create gibberish that can’t be turned back into the password. I keep the hash and salt, so that when you log in, I can check if you are who you say you are.

There are 3 benefits to using hash and salt. One, if I have a breach, the hacker only sees the hashes and salts, not the passwords. Two, the hacker can’t tell which people use the same password. And three, the hacker can’t attack all my users at once: every guess has to be salted and hashed separately for each user.

Next time, in Part Two, we will study how a hacker attacks our passwords. To be specific, the hacker attacks our hashes. The good news is, a hash function built for passwords is designed to resist those attacks, which is why real systems use a deliberately slow password hash such as bcrypt, scrypt or Argon2 rather than a general-purpose one. We will study what makes such a hash function special. Finally, we will look at how to create good passwords and keep our accounts safe.
