Last time, we looked at how passwords work. To confirm your identity, companies salt your password, they hash the salted password, and they check your hash. (For brevity, I won’t mention salts anymore. Assume that salts are used.)
We left out 3 important questions.
1. Can a hacker find out our passwords from hashes?
Yes and no. We will see that a hash function that is designed well acts like a trapdoor. We can change passwords to hashes, but there is no way to change hashes back to passwords. However, the hacker can still make guesses at our passwords and check which ones result in the stolen hashes. We call this an attack. I will cover 2 ways to make an attack.
2. Can the hash function stop attacks?
Yes, a hash function that is designed well makes attacks difficult. I will explain what I mean by a good design.
3. What can we do to protect ourselves?
We can’t completely rely on the hash function to protect us. We have to be vigilant, too. I will show you how to create good passwords and keep your accounts safe.