How Can You Claim You Don't Know My Password If You Tell Me When It's Wrong?
If you log in to a site or service, doesn't that mean they know your password? After all, they tell you if you type an incorrect password. That question is a little more scary when we start talking about "master passwords" or password management services that save all your passwords.
Many authentication system use one-way hashing for passwords. In essence they hash (more or less, encrypt) the password text. This results in a unique string of characters. Future login attempts will generate either the same or a different hash value, and thus match or not. The algorithms used are designed so a minor change in the original text yields a dramatic change in the hash output. There is no way to decrypt the output string. Hashing is often used by antivirus companies or other services to compare files, rather than sending large files over the network to compare every single byte in the file.
To prevent attackers from compiling lists of pre-calculated hashed passwords from known algorithms, a service will typically use an additional unique "salt" text value to append to the password, to make it even more unique, before hashing it. If the hashed value and salt are known, and the same algorithm is used, the hash value can be copied to a new server/database even if the actual password isn't known.
Password management software uses a similar approach to unlock your account, but then in the background uses that hash to protect a separate encryption key, and that key is used to actually encrypt the passwords. So a good service will not store the actual encryption key used on their end, only the encrypted passwords.
Of course, multi-factor authentication (MFA) is a highly recommended second level. That way the attacker needs both the password and approval from your phone or key fob, making the password by itself useless.
June 2023
Send this article to a friend!
Subscribe to The ITS Connection
Related articles