Before we dive into protecting our passwords, let’s understand how passwords are stored securely. Do you really need to know this? Well, not exactly; but it’ll help you appreciate why good password practices matter.

TL;DR:

  1. Storing passwords as plain text = Very bad
  2. Hashing passwords = Good
  3. Salting hashed passwords = Even better!

Cleartext Storage: A Recipe for Disaster

When a website stores a username and password, you might imagine it looks something like this:

UserName | Password
hikingfan@gmail.com | Super$e¢ure1303

This is called storing a password in “cleartext,” and if a site is still doing that in 2024, 🔔 Shame! Shame!

If someone gets a hold of a database of cleartext passwords, cracking it is as simple as reading it from a text file!

Hashing: Making a Digital Smoothie 🥤

Encrypting is like using a key to lock our valuables in a secure box. With the right key, it can be opened. Hashing on the other hand is like blending fruits into a smoothie. Once blended, there’s no way to turn it back into individual fruits!

When we type our password to log into a website, the web page converts the password Super$e¢ure1303 to something like f60d4d6b8fdfa2471a843433f301744759f832de54fe65439d2d940acfeabc32, BEFORE sending it to the website. This gibberish is the “hash” of your password.

A password is like the exact ingredients for that complex smoothie. A hashing algorithm is the recipe/process that converts the ingredients into a digital smoothie. Let’s look at some examples using the industry-standard SHA256 hashing algorithm:

  • Super$e¢ure1303 becomes f60d4d6b8fdfa2471a843433f301744759f832de54fe65439d2d940acfeabc32

  • 7 Fried Watermelons! becomes 56e6349dd1469a9cb73cce43a6aeb34098a7e47845f5ffec5bcbebd3648f34aa

Notice how no matter how long or short our password is, the output for SHA256 is always 64 hexadecimal characters (256 bits). It’s like our password smoothie always fills the same size cup, whether we used 2 fruits or 20! From the hash, no one can tell if the password had 8 characters, or 80.

A key feature of any good hashing function is that it should be practically impossible to reverse. You can’t un-smoothie a smoothie, and you can’t un-hash a hash. Even a tiny change in the input creates a completely different hash, like how adding a single blueberry to your smoothie would change its taste entirely. Well, not really, but it does for hashes.

The Problem with Plain Hashing

But wait! There’s a catch. If two people choose the same password (like P@ssw0rd2024), they’ll end up with the same hash. This is where things get a bit tricky, and where our next ingredient comes in…
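The three properties described above (fixed 64-character output, a tiny input change scrambling the whole digest, and identical passwords producing identical hashes) can be checked directly with Python’s standard library. This is an added example, not code from the original post; the sample passwords are constructed for it, and the known digests of "" and "abc" are the published SHA-256 test vectors.

```python
import hashlib

# Constructed sample passwords for this example (not the post's own values).
SAMPLES = ["Super$e¢ure1303", "7 Fried Watermelons!", "P@ssw0rd2024", "a" * 80]


def sha256_hex(password: str) -> str:
    """Return the SHA-256 digest of a password as 64 hexadecimal characters."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def digest_length(password: str) -> int:
    """The digest is always 64 hex characters (256 bits), whatever the input length."""
    return len(sha256_hex(password))


def hamming_distance_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 256 output bits differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def same_password_same_hash(first: str, second: str) -> bool:
    """Plain hashing is deterministic: equal inputs always give equal digests."""
    return sha256_hex(first) == sha256_hex(second)


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw[:24]!r:>28} -> {sha256_hex(pw)}  ({digest_length(pw)} hex chars)")
    # Avalanche effect: change one character and see how many bits flip.
    flipped = hamming_distance_bits(sha256_hex("P@ssw0rd2024"), sha256_hex("P@ssw0rd2025"))
    print(f"changing one character flips {flipped} of 256 bits")
    # The problem the next section addresses: two users, one password, one hash.
    print("same hash for two users?", same_password_same_hash("P@ssw0rd2024", "P@ssw0rd2024"))
```

Run it and note that roughly half the bits flip for a one-character change, which is exactly why you cannot work backwards from a digest by nudging guesses.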

Salt: The Secret Ingredient 🧂

Salting makes hashes more secure by adding a unique “seasoning” to each password. For example, a website might add a salt value of e2ySbS&8t?M to your entered password. So when you type in P@ssw0rd2023, it gets converted to P@ssw0rd2023e2ySbS&8t?M BEFORE hashing.

Why bother with this extra step? Well, imagine two users both chose P@ssw0rd2023:

  • User1: P@ssw0rd2023 + salt abc123 = P@ssw0rd2023abc123
  • User2: P@ssw0rd2023 + salt xyz789 = P@ssw0rd2023xyz789

Even though they started with the same password, the final hashes will be completely different! This makes it much harder for attackers to use pre-computed hashes to crack passwords.

It’s crucial that each password gets its own unique salt. The system needs to store this salt somewhere, or at least store the logic to recreate it. But don’t worry: even if an attacker gets the salt, they still need to crack the hash, which is no easy feat!
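To see why a per-user salt defeats pre-computed hashes, the added example below (not from the original post) builds a tiny table of SHA-256 digests for a constructed list of weak passwords, then shows that the table matches an unsalted stored hash but not a salted one. The salts abc123 and xyz789 are the post’s own illustrative values; the candidate list is made up for this example.

```python
import hashlib
import secrets

# Constructed list of weak passwords whose hashes someone could compute once
# and reuse against every site that stores plain, unsalted SHA-256 digests.
WEAK_CANDIDATES = ["123456", "password", "qwerty", "letmein", "P@ssw0rd2023"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates):
    """Map digest -> password for the UNSALTED hashes of the candidate list."""
    return {sha256_hex(pw): pw for pw in candidates}


def match_precomputed(table, stored_hash):
    """Return the candidate whose plain digest equals the stored hash, or None."""
    return table.get(stored_hash)


def store_unsalted(password: str) -> str:
    """What a site without salting keeps: the bare digest."""
    return sha256_hex(password)


def store_salted(password: str, salt: str = None):
    """What a salting site keeps: the salt plus the digest of password + salt.

    A fresh random salt per user is generated when none is supplied; the post's
    concatenation order (password followed by salt) is used here.
    """
    if salt is None:
        salt = secrets.token_hex(8)
    return salt, sha256_hex(password + salt)


if __name__ == "__main__":
    table = build_precomputed_table(WEAK_CANDIDATES)

    # Two users, same password, no salt: identical digests, both found in the table.
    h1 = store_unsalted("P@ssw0rd2023")
    h2 = store_unsalted("P@ssw0rd2023")
    print("unsalted identical:", h1 == h2, "| table hit:", match_precomputed(table, h1))

    # Same two users with the post's salts: different digests, nothing in the table.
    s1, sh1 = store_salted("P@ssw0rd2023", "abc123")
    s2, sh2 = store_salted("P@ssw0rd2023", "xyz789")
    print("salted identical:", sh1 == sh2, "| table hit:", match_precomputed(table, sh1))
```

The table is tied to the exact bytes that were hashed, so every distinct salt forces a completely separate table; with a random 16-hex-character salt per user, nothing computed in advance applies.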

Even Spicier: Pepper 🌶️

Some systems go a step further and add a “pepper”, a secret value added to passwords before hashing. The hash and salt are usually stored in a database, but a pepper must be stored separately to prevent it from being obtained by the attacker in case of a database breach.

Wrapping Up Our Password Smoothie

So there you have it! When you type in your password on a well-designed system:

  1. The site generates a unique salt for your password
  2. It adds this salt to your password
  3. It runs this salted password through a hashing function
  4. It stores the resulting hash and the salt (but never your original password)

When you log in later, it repeats this process and compares the result to the stored hash. If they match, you’re in!
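The four steps above, plus the login check and the pepper from the previous section, fit in one small registration-and-verification routine. This is an added example, not the original post’s code. It swaps the post’s single SHA-256 pass for PBKDF2-HMAC-SHA256 from Python’s standard library, because a password hash should be deliberately slow to compute; the pepper value, user names and passwords are constructed for the example, and the pepper is held in a module constant to stand in for a secret kept outside the user database.

```python
import hashlib
import hmac
import secrets

# Pepper: secret kept OUTSIDE the user database (environment variable, secrets
# manager, HSM). Constructed value for this example only.
PEPPER = bytes.fromhex("8f1c2e3d4a5b6c7d8e9f0a1b2c3d4e5f")

# PBKDF2 work factor. Kept low so the example runs quickly; production systems
# use far more iterations (tune so one hash takes on the order of 100 ms).
ITERATIONS = 100_000

# The "database": username -> {"salt": hex, "hash": hex}. The password itself is never stored.
USER_DB = {}


def _pepper_mix(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC. Without the pepper, a stolen
    database copy cannot even be used to test guesses."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Steps 2-3: combine the salted, peppered password through a slow hash."""
    return hashlib.pbkdf2_hmac("sha256", _pepper_mix(password, pepper), salt, ITERATIONS)


def register(username: str, password: str, db=USER_DB, pepper: bytes = PEPPER):
    salt = secrets.token_bytes(16)                     # step 1: unique salt per password
    digest = _derive(password, salt, pepper)           # steps 2-3
    db[username] = {"salt": salt.hex(), "hash": digest.hex()}  # step 4: hash + salt only
    return db[username]


def verify(username: str, password: str, db=USER_DB, pepper: bytes = PEPPER) -> bool:
    """Login: repeat the derivation with the stored salt and compare to the stored hash."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _derive(password, bytes(16), pepper)
        return False
    candidate = _derive(password, bytes.fromhex(record["salt"]), pepper)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    register("user1", "P@ssw0rd2023")
    register("user2", "P@ssw0rd2023")
    print("same password, same stored hash?", USER_DB["user1"]["hash"] == USER_DB["user2"]["hash"])
    print("correct password accepted:", verify("user1", "P@ssw0rd2023"))
    print("wrong password rejected:", not verify("user1", "p@ssw0rd2023"))
    print("unknown user rejected:", not verify("nobody", "P@ssw0rd2023"))
```

Note that verification needs the same pepper the account was registered with, which is why the pepper must be backed up and rotated with care: lose it and every stored hash becomes unverifiable.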

I hope this has been as refreshing as a warm smoothie on a hot day 🤪