How do passwords work?

Linkdead_

How do passwords work?

Post by Linkdead_ »

I was reading some articles online about Intel having some memory leaks that could potentially give malware access to kernel memory that contains things like your passwords. I fully understand a lot of these "articles" are just clickbait trying to work people into a frenzy to get views, but it got me wondering: how do passwords work?

I know that might be a pretty sensitive topic, so I am not asking for information that would compromise anyone's security, but I am interested to know how the process is handled. I know that my password has to be stored somewhere because the computer has to check my input against something. If that is the case, though, how is it protected from hackers or nefarious programs just snatching up my password from wherever it is stored?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
deepakdeshp
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

Re: How do passwords work?

Post by deepakdeshp »

Plain passwords aren't stored but the passwords are encrypted and stored.
https://security.stackexchange.com/ques ... d-on-linux
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
Petermint
Level 9
Posts: 2981
Joined: Tue Feb 16, 2016 3:12 am

Re: How do passwords work?

Post by Petermint »

The memory lookahead leak can only leak a limited amount of data at a time, depending on the processor model. If your password is short enough to leak, you could move to a longer password or a passphrase or two factor authentication.

For a virus attack, there are easier and more reliable ways to get your password. Phishing and other tricks are easier than virus attacks. The easiest approach is to wait until you sign up for Faceblab then every aspect of your identity will be on sale to everyone.
Mute Ant

Re: How do passwords work?

Post by Mute Ant »

"the computer has to check my input against something" Yes it does, but not the text you type in, some scrambler-function of that text. The common function is md5sum but there are lots of others...

Setting Up The Account (US Keyboard)
Your password: SqueezeToyRebecca#
Repeat it please: SqueezeToyRebecca#
Machine key: 7fa5f0ed563d61bd608d3f730d52f3e7

Logging In (GB Keyboard (fails))
You enter: SqueezeToyRebecca£
Machine key: d3ccf8c187d13f16e33ac10d868d2686

The key from a mildly-incorrect password is not even close to acceptable. Digest-sum functions are designed so that happens. It is very difficult, not quite impossible, to find an input password that generates a particular machine key. So even if you know what the machine-key is, by sniffing through the files of an inert machine, you can't feasibly reverse-engineer the password that generates that key and log in as that user.
techsophia

Re: How do passwords work?

Post by techsophia »

Hello

This part can be a little hairy, but sit tight.

Hash Algorithm

When you sign up for an account on a site, you choose a username and a password. Usernames are usually stored in the site's database as plain old text. On the other hand, the password was washed before it was stored.

A hash function is a mathematical algorithm that will take any size data (such as a password) and will make it a part of the data appearing to look like fixed size.

If the data washed is 1 character long, the resulting hash would be 60 characters long.
If the data is 20 characters, the hash will be 60 characters long.
If the data is 2,000 characters long, the resulting hash will still be 60 characters long.

The hash function overrides the data, and it spreads / decreases the "secret code" of a certain length. The output of this type of hash function will be unique, and it will always give the same result. In other words, the hash of "cheese" is always the same. But the hash of "cheese" will be very different from the hash of "paneer" (finally low-case "e"). This is the continuation of output and very unique results which are the key here.

Hope it helps you
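Added example (editor's addition, not code from any post in this thread): it reproduces the account-setup / login flow Mute Ant sketched and the fixed-length property techsophia described. It uses MD5 only because that is the function the post names; an MD5 hex digest is 32 characters (the 60-character length techsophia quotes is what a bcrypt record looks like), and modern distributions keep salted, deliberately slow hashes in /etc/shadow rather than a bare MD5. The two passwords are the ones from Mute Ant's post; the md5sum values shown there were produced at a shell and are not re-asserted here, because echo appends a newline before hashing.

```python
import hashlib


def machine_key(password: str) -> str:
    """The 'scrambler-function' of the post: a hex-encoded MD5 digest of the typed text."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def set_up_account(password: str, repeat: str) -> str:
    """Account creation: both typed copies must match; only the digest is kept on disk."""
    if password != repeat:
        raise ValueError("passwords do not match")
    return machine_key(password)


def log_in(stored_key: str, typed: str) -> bool:
    """Login: digest whatever was typed and compare it with the key stored at setup.
    The original password is never needed for this check."""
    return machine_key(typed) == stored_key


def differing_hex_chars(a: str, b: str) -> int:
    """How many of the hex positions differ between two digests of equal length."""
    return sum(1 for x, y in zip(a, b) if x != y)


def fixed_length_demo() -> set:
    """Digest lengths for 1-, 20- and 2000-character inputs: always the same size."""
    return {len(machine_key("a" * n)) for n in (1, 20, 2000)}


# The two strings from Mute Ant's post: '#' on a US layout, '£' in the same place on a GB layout.
US_PASSWORD = "SqueezeToyRebecca#"
GB_PASSWORD = "SqueezeToyRebecca\u00a3"

if __name__ == "__main__":
    stored = set_up_account(US_PASSWORD, US_PASSWORD)
    print("stored machine key:", stored)
    print("login with US keyboard:", log_in(stored, US_PASSWORD))
    print("login with GB keyboard:", log_in(stored, GB_PASSWORD))
    print("hex positions that differ between the two keys:",
          differing_hex_chars(stored, machine_key(GB_PASSWORD)), "of 32")
    print("digest lengths for 1/20/2000-char inputs:", fixed_length_demo())
```

Running it shows the point of the post: a single-character difference in the input produces a digest that shares almost nothing with the stored one, so the login check fails cleanly, while the same input always reproduces the same key.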
rene
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: How do passwords work?

Post by rene »

techsophia wrote:The output of this type of hash function will be unique [ ... ]
For most practical purposes, sure, but note that essentially, no, certainly not. Mathematically this is obvious: you used a 60 character hash as an example; let's say "a character" is an N-bit value, i.e., can hold 2^N values (8 and 256 for standard bytes). Your hash would then be a (60*N)-bit entity, can hence hold 2^(60*N) possible values. There are clearly more than 2^(60*N) possible passwords so at least two of them must generate the same hash.

The above is for any value of N, and certainly the same argument holds for any value other than 60 as well, which is to say that a fundamental property of hashes is in fact that they are not necessarily unique. This is also important: specific hash functions are to be judged on chances of generating the same hash from non-same data, including the distribution of hashes over all possible ones. When to be used in a cryptographic context, moreover including (practical) irreversibility, when to be used in an error-detection context including minor changes in data having major chance of changes in hash -- and so on.
techsophia wrote:[ ... ] and it will always give the same result.
That, any hash will indeed do...
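Added example (editor's addition, not rene's code): it makes rene's pigeonhole argument concrete. The 60-character / N-bits-per-character count is written out as a function, and a deliberately tiny hash (SHA-256 truncated to a handful of bits, a constructed toy for the demonstration) is fed distinct inputs until two of them share an output. With only 2^bits possible outputs, 2^bits + 1 distinct inputs guarantee a collision; in practice one turns up much earlier.

```python
import hashlib
from typing import Tuple


def short_hash(data: bytes, bits: int) -> int:
    """Toy hash for the demonstration: SHA-256 truncated to `bits` bits,
    so it can take on only 2**bits distinct values."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes]:
    """Feed distinct inputs until two of them map to the same short hash.
    The pigeonhole principle bounds this at 2**bits + 1 inputs; the birthday
    bound says roughly 2**(bits/2) is typical."""
    seen = {}
    for i in range(2 ** bits + 1):
        msg = b"password%d" % i            # constructed inputs, all distinct
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    raise AssertionError("unreachable: a collision is guaranteed by the pigeonhole principle")


def possible_outputs(chars: int = 60, bits_per_char: int = 8) -> int:
    """rene's count: a hash written as `chars` characters of N bits each
    has at most 2**(chars*N) distinct values."""
    return 2 ** (chars * bits_per_char)


def possible_inputs(max_len: int, alphabet: int = 256) -> int:
    """Number of byte strings of length 0..max_len. Once max_len exceeds the
    hash length this is larger than possible_outputs(), so two inputs must share a hash."""
    return sum(alphabet ** n for n in range(max_len + 1))


if __name__ == "__main__":
    a, b = find_collision(16)
    print(f"{a!r} and {b!r} both hash to {short_hash(a, 16):#06x} under the 16-bit toy hash")
    print("inputs up to 61 bytes:", possible_inputs(61) > possible_outputs(60),
          "-> more inputs than 60-byte hash values")
```

The same argument applies to a full-size hash; the difference is only that 2^256 outputs are far too many to exhaust, which is why collisions in a sound cryptographic hash are a mathematical certainty but not a practical worry for password storage.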
sevendogs

Re: How do passwords work?

Post by sevendogs »

Not sure this is necessary but I wanted to clarify some terminology because it bugs me. Passwords are hashed, as other posters have mentioned. Passwords are never encrypted, or rather should never be encrypted. The term "encrypted" gets misused but I understand why (universal term for obfuscation). Encryption is two-way because you need to be able to see what you encrypted at some point. Hashing is one way because you NEVER need to see what you have hashed, at least with passwords. No one ever needs to know a password in plain text form other than the user. If an application stores user passwords encrypted, there is a key to be able to decrypt all the passwords. Very bad.

My .02.
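Added example (editor's addition, not sevendogs's code): it puts the two storage designs side by side. The "encrypted" store uses a toy stream cipher built from SHA-256 in counter mode (constructed for illustration, not a production cipher) and shows that whoever holds the key recovers every password. The hashed store keeps a random per-user salt plus a PBKDF2-SHA256 digest from the standard library; there is no key anywhere, two users with the same password get different records, and checking a login means recomputing the digest and comparing it in constant time. User names and passwords below are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# ---- Encrypted store: a key exists, and it unlocks every password at once ----

def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 of key || counter). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; reversible by design."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return encrypt(key, ciphertext)


# ---- Hashed store: per-user salt, slow derivation, nothing to decrypt ----

ITERATIONS = 100_000  # work factor; slows down guessing without hurting a single login


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record
    _, computed = hash_password(candidate, salt)
    return hmac.compare_digest(stored, computed)


def register_users(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the password table the way a well-behaved application would."""
    return {user: hash_password(pw) for user, pw in passwords.items()}


if __name__ == "__main__":
    key = os.urandom(32)
    enc_table = {u: encrypt(key, p.encode()) for u, p in
                 {"alice": "correct horse", "bob": "correct horse"}.items()}
    print("encrypted store, given the key:", {u: decrypt(key, c) for u, c in enc_table.items()})

    hashed = register_users({"alice": "correct horse", "bob": "correct horse"})
    print("same password, different records:", hashed["alice"][1] != hashed["bob"][1])
    print("alice logs in:", verify_password(hashed["alice"], "correct horse"))
    print("alice with a typo:", verify_password(hashed["alice"], "correct horse!"))
```

The contrast is the whole of sevendogs's point: the encrypted table is one key away from being plaintext, while the hashed table can only confirm or deny a candidate that is presented to it.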
