Explained Simply: How Passwords Work & Why You Should Use a Password Manager

Sango Malsa
5 min read · Oct 7, 2021

In all modern user authentication practices, passwords are hashed by the service provider, e.g. Facebook, Twitch (or most of the LEGITIMATE websites that you visit).

What does hashing mean?

You may have heard of encryption. Encryption is a two-way process: you can encode information and later decode it. Hashing is a one-way process: you can encode information, but decoding it back to the original is infeasible.

How does password hashing work typically?

When you register with a password, let’s say password1234, the developers add a salt to your password. A salt is just a random string of characters; in this example the salt is 87450822f16742. The hashing algorithm then combines password1234 and 87450822f16742, hashes them, and produces a password hash that can look something like mXJG5*o2Pv7Z93ckXKC9YqjYRqui.CH, essentially a gibberish string of characters that cannot be turned back into the password.

Note: I didn’t use any hashing algorithm here; these are just made-up examples.

So two things get stored in the database: the final password hash and the salt, which in this case would be 87450822f16742 and mXJG5*o2Pv7Z93ckXKC9YqjYRqui.CH. Authentication then works like this: every time you type in your password to log in, the service redoes the same computation using the stored salt and your password input, and compares the result with the stored password hash. If the two match, you used the right password, and voila, you’re authenticated!
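The register-and-verify flow described above, as an added example that is not part of the original post. It uses Python's standard library: `os.urandom` for the per-user salt, PBKDF2-HMAC-SHA256 as the hashing algorithm (the post deliberately names none; the iteration count here is kept low so the demo runs quickly, and a production system would use a far higher count or a dedicated password hash such as Argon2, bcrypt or scrypt), and `hmac.compare_digest` for the comparison. The function names and the stored record layout are this example's own choices.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2. Kept modest so the demo runs in a fraction of
# a second; real deployments use far more work per hash to slow down guessing.
ITERATIONS = 100_000


def register(password: str) -> dict:
    """Simulate what a service stores when a user signs up.

    Returns the two values the article describes: a random per-user salt and
    the hash derived from salt + password. The plaintext password is never
    stored anywhere.
    """
    salt = os.urandom(16)  # 16 random bytes, freshly generated for this user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password_attempt: str) -> bool:
    """At login, redo the same computation with the stored salt and compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password_attempt.encode(), salt, ITERATIONS)
    # Constant-time comparison: a plain == would stop at the first differing
    # byte, and the timing difference could leak how much of a guess matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    stored = register("password1234")
    print("stored salt:", stored["salt"])
    print("stored hash:", stored["hash"])
    print("correct password accepted:", verify(stored, "password1234"))
    print("wrong password rejected:", not verify(stored, "password1235"))
```

Note that the record holds only the salt and the hash, exactly the two values the post says get stored; nothing in it lets the service (or anyone who copies the database) read the password back.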

[Figure: illustrating how password hashing works]

Why is the salt needed for hashing?

Because hashing is a one-way algorithm that always produces the same output for the same input, if two users use the same password, e.g. password1234, both would get the same hash. This presents two vulnerabilities. First, if a hacker cracks one of the passwords, the hacker has cracked ALL of the passwords with the same hash. Second, anyone with experience will be able to tell that these are common passwords, and can simply try a list of the most common passwords and brute-force it. For that reason a salt is required: even if all the users use the same password, the random per-user salt makes each computed hash entirely different, so nobody can tell from the database that they share a password.
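The effect described above, shown on a constructed user table as an added example (not code from the original post). Three users all choose password1234; the unsalted scheme uses a bare SHA-256 and the salted scheme uses PBKDF2-HMAC-SHA256 with a random 16-byte salt per user. The table layout, the user names and the function names are this example's assumptions.

```python
import hashlib
import os

ITERATIONS = 100_000  # low for the demo; production uses a much higher count


def unsalted_hash(password: str) -> str:
    """An unsalted scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A salted scheme: the digest depends on the per-user salt as well."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_table(usernames, password: str, salted: bool) -> dict:
    """Constructed user table in which every user picked the same password."""
    table = {}
    for name in usernames:
        if salted:
            salt = os.urandom(16)
            table[name] = {"salt": salt.hex(), "hash": salted_hash(password, salt)}
        else:
            table[name] = {"salt": None, "hash": unsalted_hash(password)}
    return table


def distinct_hashes(table: dict) -> int:
    """How many different stored hashes someone reading the database sees."""
    return len({row["hash"] for row in table.values()})


def users_sharing_hash(table: dict) -> list:
    """Groups of users whose stored hash is identical, i.e. visibly share a password."""
    groups = {}
    for name, row in table.items():
        groups.setdefault(row["hash"], []).append(name)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    unsalted = build_table(users, "password1234", salted=False)
    salted = build_table(users, "password1234", salted=True)
    print("unsalted: distinct hashes =", distinct_hashes(unsalted), "of", len(users))
    print("unsalted: users visibly sharing a password:", users_sharing_hash(unsalted))
    print("salted:   distinct hashes =", distinct_hashes(salted), "of", len(users))
    print("salted:   users visibly sharing a password:", users_sharing_hash(salted))
```

In the unsalted table one row tells you about every user with that password; in the salted table each row has to be worked on separately and reveals nothing about the others, which is exactly the two vulnerabilities the salt removes.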

So what does password hashing mean to you?

That means if, for example, Facebook’s database got leaked or hacked, your password is never exposed because it is hashed. Even Facebook’s engineers or Mark Zuckerberg wouldn’t know your password. Only you know your password. This is why, when you forget your password, they can’t just send it back to you.

Are you safe then?

In most cases, if a database gets hacked, your personal details, e.g. your address, name and photos, can be stolen, but your password itself is not exposed in plaintext, so no one can perform unauthorized actions digitally on your behalf.

Unfortunately, as humans, we can only remember so much, and more often than not we reuse the same password for ALL of our accounts. And hackers know that. That means if, for whatever reason, one of your random accounts gets hacked, the hacker will simply attempt to log in to your other accounts with the same email and password. For example, if the hacker knows your Twitch password is password1234, they will simply attempt to log in to Twitter, Facebook, Instagram, PayPal, or any other account using the same username/email and password, and most if not all of them will be compromised (which is also why 2-factor authentication is so important). You will have registered so many accounts in different apps over the years that you won’t even remember where else you need to change your password.

How can a hacker hack me?

There are so many ways, but for the sake of discussion, here are some of the easy ways:

1. If you log in or register without HTTPS, I can monitor all the traffic going in and out of the router and see what data is being sent out. If I see a username or email, I can easily check whether a password is attached.

2. If you installed malicious software, which happens more often than you think, especially on Windows, a keylogger can log all your keystrokes and send them to the hacker. Again, I’d look for any emails, then check whether a password follows.

3. You’re at an internet cafe with a keylogger installed, unbeknownst to you.

4. You’re on Android, you’re not using the native Google keyboard, and you typed in your password using a keyboard app that logs your keystrokes.

5. Someone stands over your shoulder while you type your password in a cafe.

6. You accidentally typed your credentials into a phishing site.

7. You sign up for a new app made by an evil hacker who logs all user passwords.

8. The app you signed up with 20 years ago didn’t use password hashing, and its database gets hacked, or maybe the owner just turns evil.

How can a password manager help you?

So now that you understand how passwords work, and how vulnerable they are, we can discuss why a password manager is good for you.

1. They can generate a strong, unique password every time you register with a different app. This means you never reuse the same password.

2. Most of them have features that check whether any of your existing passwords has leaked or is too weak, and warn you to update it if so.

3. You don’t have to remember your new complicated passwords because the password manager will remember them for you. Instead, you just have to remember 1 master password.
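The first two features above, as an added example that is not part of the original post: generating a password from a cryptographically secure random source, estimating its strength, spotting reuse across a vault, and checking for leaks. The leak check models, offline, the range-query style that managers commonly use against a breach service: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally, so the full hash never leaves the device. The breach corpus, the vault contents, the strength threshold and all function names are constructed for this example.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a password with the CSPRNG-backed secrets module, never random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool used).

    Counts only the character classes actually present, so a digits-only
    password is scored as if drawn from a pool of 10.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused(vault: dict) -> dict:
    """Map each password used by more than one site to the sites sharing it."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed stand-in for a breach corpus, stored as upper-case SHA-1 hex
# digests. A real manager queries an online service; this is an offline model.
BREACHED_SHA1 = {
    hashlib.sha1(b"password1234").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
    hashlib.sha1(b"qwerty").hexdigest().upper(),
}


def breach_range(prefix: str) -> list:
    """Server side of a range query: return every corpus suffix under this 5-char prefix."""
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    full = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = full[:5], full[5:]
    return suffix in breach_range(prefix)


def audit(vault: dict, min_bits: float = 64.0) -> dict:
    """Produce the kind of warnings a manager's password audit shows."""
    return {
        "weak": [site for site, pw in vault.items() if entropy_bits(pw) < min_bits],
        "breached": [site for site, pw in vault.items() if is_breached(pw)],
        "reused": find_reused(vault),
    }


if __name__ == "__main__":
    # Constructed vault: two sites share a weak, breached password.
    vault = {
        "twitch.example": "password1234",
        "social.example": "password1234",
        "bank.example": generate_password(),
    }
    print(audit(vault))
```

The audit flags the two sites sharing password1234 as weak, breached and reused, while the generated 20-character password passes all three checks; that is the outcome the post's "never reuse the same password" advice is after.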

Wrapping Up

That’s how passwords work and why you should use a password manager! I’m not a cyber-security expert, but I hope this article has shed some light on the topic for the general public and not just developers.

This article was very much inspired by the recent Twitch source code leak, which led to many people frantically changing passwords and activating 2FA, and also by How Devise keeps your Rails app passwords safe by Tiago Alves, which was written for developers.

Sango Malsa

Software Engineer who is obsessed with learning and sharing OOD