Password management 101 for non-technical users

September 30, 2018

 

First and foremost passwords should never be sent from the user's computer to the server in plain text. Some sort of hashing (I'll explain what that is later) on the part of the user-facing part of the system is required when sending data over to prevent people spying on the communication passing through the routers, or at least make their life much more difficult. This means the server has no way of knowing what the original password is by the time it receives it.

 

Next, when the "messed up" password is received by the server, it will have to hash it again. Hashing means taking the data and putting it through an algorithm to generate a random bunch of characters. It differs from encryption in that it's one-way - which means that while you can de-encrypt an encrypted text, you can't de-hash a hashed text.

 

An additional layer of security termed salting might be applied too. This is basically a bunch of random characters that are generated for and unique to every user (called a salt). The primary purpose of implementing the salt is to mix this with the original "messed up" password received by the server before it is being hashed. Reason being, if a hacker accesses the database and downloads caches of passwords which were hashed yet not salted, identifying a batch of exactly similar ones will automatically reveal that the original passwords are the same for all those users - more often than not common passwords like "Password1" (capital P password 1 - sounds familiar?). This salt can be stored in plain text as the hacker wouldn't know how it was applied to the "messed up" password.

 

Only after the password has been client-hashed, salted, and server-hashed, can it be stored in the database during new signups or used to compare with the existing one already stored in the database during logins to authenticate the user. After passing through all those functions, the server would have no way of knowing the original password entered by the user. This is also why when you click the "Forgot Password" link, most websites will reset your password or ask you to create a new one, because it would be impossible for them to send back your original password after it has been machine-gunned beyond recognition.

 

Think of it as passing a message through a group of people who tweak things and add stuff along the way - the last person in line wouldn't know what the original message was.

 

In the event an individual who signed up with a service provider has his previously created password sent back to him in its original exact format, it implies that the server simply stored his original password as he initially keyed, without invoking necessary security protocols. Extremely unsettling isn't it?

 

(Note though this is entirely different from first-time passwords or PINs generated by the system, then subsequently dispatched to the letter template for printing, and finally being stored in the database.)

 

Hope this sharing was useful. Peace out.

 

 

Share on Facebook
Share on Twitter
Please reload

Featured Posts