Intro to Hacking Part 3 – How Passwords Are Stored

Every website these days has a login – it is mandatory to be “social” and allow comments or other user interaction. Popular sites like ESPN, IMDB, Weather.com and PedanticPosts have one, as do more obscure sites like PassiveAggressiveNotes and HotOrNot. But you can’t have just anyone comment, no no no, they must be validated as an actual person, capable of entering a username and password.

Do you know how your passwords are handled? It’s obvious not every site has the same policy – some websites require at least 7 character passwords, some don’t allow special characters, some require a number or uppercase letter, and some have no requirements whatsoever. Do you trust every website equally with your password? Should you?

Almost all websites have databases which contain the data needed to run the site and store the user information. One important part of the user information is the password. But hardly any website will store your literal password – if your password is “r0xysUrfrGrl” and “r0xysUrfrGrl” was stored in the database, anyone with access to the database would know your password. This would mean that you would have to trust every website administrator with your password. And if a hacker ever got ahold of your database (which we will see is quite possible) then they would have everyone’s passwords. Ouch.

Instead, it is common to store a hashed version of the password generated by an algorithm. An example of a dead simple algorithm would be to simply reverse the order of the letters and then replace the vowels with the vowel’s number (i.e. a=1, e=2, etc.). So the password “BeerBuzz” becomes “zz5Br22B”. Not too bad, I doubt you could look at “zz5Br22B” and guess what the password is. Unfortunately it wouldn’t be very hard to figure out, though. If you create several of your own passwords you will quickly see the pattern, figure out the algorithm, and have the key to determining every user’s password. Ouch again.

Rather, the hash algorithms commonly used are one-way functions – the idea is that if you know the input you can calculate the output, but if you know the output you can’t feasibly calculate the input. That means if you have the hashed version of the password you can’t use it to determine the actual password. It’s a one-way street. No patterns. If you change just one letter of the input it will change the entire output. Using a popular one-way function called MD5 on “gopanda” will yield “a6ef6c486390c4d9930018a29ff0a132” and on “gopandA” will yield “df54e1966621f816e7fca295bd1a74ec”. This is good – even if the hacker were to guess one password in the database, they still wouldn’t know the rest of them.
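As an added example (not the post’s own code), here is the toy “reverse and number the vowels” scheme beside a genuine one-way hash, and, going one step beyond the post, the salted, deliberately slow hash a site should actually store; the record format and the PBKDF2 settings are my own choices, not anything the post describes.

```python
import hashlib
import hmac
import os

# The post's toy scheme: a=1, e=2, i=3, o=4, u=5 (lowercase vowels only).
VOWEL_TO_DIGIT = {"a": "1", "e": "2", "i": "3", "o": "4", "u": "5"}
DIGIT_TO_VOWEL = {d: v for v, d in VOWEL_TO_DIGIT.items()}


def toy_scramble(password: str) -> str:
    """Reverse the password, then swap each vowel for its number ("BeerBuzz" -> "zz5Br22B")."""
    return "".join(VOWEL_TO_DIGIT.get(ch, ch) for ch in password[::-1])


def toy_unscramble(stored: str) -> str:
    """Anyone who spots the pattern can run it backwards: the scheme is not one-way.
    (A password that itself contained digits 1-5 would be ambiguous, but only slightly.)"""
    return "".join(DIGIT_TO_VOWEL.get(ch, ch) for ch in stored)[::-1]


def md5_hex(password: str) -> str:
    """A real one-way function: there is no 'unscramble' to write for this one."""
    return hashlib.md5(password.encode()).hexdigest()


def differing_positions(a: str, b: str) -> int:
    """How many hex characters differ between two digests (the avalanche effect)."""
    return sum(x != y for x, y in zip(a, b))


def hash_password(password: str, salt=None, iterations: int = 200_000) -> str:
    """Salted, slow hash for storage: a per-user random salt means two users with the
    same password get different records, and the iteration count makes guessing slow."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(toy_scramble("BeerBuzz"), "<-", toy_unscramble(toy_scramble("BeerBuzz")))
    a, b = md5_hex("gopanda"), md5_hex("gopandA")
    print(a, b, f"{differing_positions(a, b)}/32 hex chars differ")
    record = hash_password("r0xysUrfrGrl")
    print(record, verify_password("r0xysUrfrGrl", record))
```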

Sounds safe, right? In theory. Yes, if the website wasn’t set up by a bunch of baboons it means that a hacker won’t have easy access to all the passwords. But, as we will see, this doesn’t mean he can’t crack individual passwords. Why is that something to worry about? Because most people will use that same password across a variety of websites (I know you do, don’t lie to me). Next post I’ll show you the ways to crack individual passwords.
  • Here is an excellent illustrative overview of how hashes work
  • How one-way functions and other cryptography algorithms work deserves a post of its own one day. Extremely interesting uses of advanced mathematics.
  • Need proof that website administrators shouldn’t be trusted with your password? A 19-year-old Mark Zuckerberg hacked into some Facebook users’ email accounts:

    Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. In the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members’ Harvard email accounts. He successfully accessed two of them.

    For some reason this wasn’t mentioned in the movie and everyone trusts the guy/company to not be evil …

Photo: Frances

4 thoughts on “Intro to Hacking Part 3 – How Passwords Are Stored”

  1. Brian Lindberg says:

    So just use LastPass and you don’t have to worry about all this? It generates all my passwords these days, so I have no idea what most of my passwords are anymore, and they’re different for most sites.

      • Brian Lindberg says:

        It’s better than having one password for everything. For a while I had a system of passwords that were all unique and somewhat easy to remember but that too got complicated after a while.
