How do passwords work?

Posted: Thu Jan 04, 2018 11:47 am
by Linkdead_
I was reading some articles online about Intel having some memory leaks that could potentially give malware access to kernel memory that contains things like your passwords. I fully understand a lot of these "articles" are just clickbait trying to work people into a frenzy to get views, but it got me wondering how do passwords work?

I know that might be a pretty sensitive topic, so I am not asking for information that would compromise anyone's security, but I am interested to know how the process is handled. I know that my password has to be stored somewhere because the computer has to check my input against something. If that is the case though, how is it protected from hackers or nefarious programs from just snatching up my password from wherever it is stored?

Re: How do passwords work?

Posted: Thu Jan 04, 2018 12:41 pm
by deepakdeshp
Plain passwords aren't stored but the passwords are encrypted and stored. ... d-on-linux

Re: How do passwords work?

Posted: Mon Jan 08, 2018 10:58 pm
by Petermint
The memory lookahead leak can only leak a limited amount of data at a time, depending on the processor model. If your password is short enough to leak, you could move to a longer password or a passphrase or two-factor authentication.

For a virus attack, there are easier and more reliable ways to get your password. Phishing and other tricks are easier than virus attacks. The easiest approach is to wait until you sign up for Faceblab then every aspect of your identity will be on sale to everyone.

Re: How do passwords work?

Posted: Tue Jan 09, 2018 9:36 am
by Mute Ant
"the computer has to check my input against something" Yes it does, but not the text you type in, some scrambler-function of that text. The common function is md5sum but there's lots of others...

Setting Up The Account (US Keyboard)
Your password: SqueezeToyRebecca#
Repeat it please: SqueezeToyRebecca#
Machine key: 7fa5f0ed563d61bd608d3f730d52f3e7

Logging In (GB Keyboard (fails))
You enter: SqueezeToyRebecca£
Machine key: d3ccf8c187d13f16e33ac10d868d2686

The key from a mildly-incorrect password is not even close to acceptable. Digest-sum functions are designed so that happens. It is very difficult, not quite impossible, to find an input password that generates a particular machine key. So even if you know what the machine-key is, by sniffing through the files of an inert machine, you can't feasibly reverse-engineer the password that generates that key and log in as that user.
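The enrol-then-compare flow described in the post above, as an added example that is not part of the original thread: it swaps the bare md5sum for a salted, iterated PBKDF2 (the usual practice for stored passwords) and keeps MD5 only to count how many output bits change between the two keyboard variants. The function names and the iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def enroll(password: str) -> dict:
    """Account setup: keep a random salt and the derived key, never the password."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "key": key}


def verify(record: dict, attempt: str) -> bool:
    """Login: derive a key from the attempt and compare it with the stored one."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(key, record["key"])  # constant-time comparison


def md5_bits_changed(a: str, b: str) -> int:
    """Count how many of MD5's 128 output bits differ between two inputs."""
    da = int.from_bytes(hashlib.md5(a.encode("utf-8")).digest(), "big")
    db = int.from_bytes(hashlib.md5(b.encode("utf-8")).digest(), "big")
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    record = enroll("SqueezeToyRebecca#")
    print(verify(record, "SqueezeToyRebecca#"))  # typed on the US keyboard
    print(verify(record, "SqueezeToyRebecca£"))  # typed on the GB keyboard
    print(md5_bits_changed("SqueezeToyRebecca#", "SqueezeToyRebecca£"))
```

Because each account gets its own random salt, two users with the same password end up with different stored keys.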

Re: How do passwords work?

Posted: Sat Jan 20, 2018 6:28 am
by techsophia

This part can be a little hairy, but sit tight.

Hash Algorithm

When you sign up for an account on a site, you choose a username and a password. Usernames are usually stored in the site's database as plain old text. On the other hand, the password was hashed before it was stored.

A hash function is a mathematical algorithm that will take data of any size (such as a password) and will turn it into a piece of data that appears to be of fixed size.

If the data hashed is 1 character long, the resulting hash would be 60 characters long.
If the data is 20 characters, the hash will be 60 characters long.
If the data is 2,000 characters long, the resulting hash will still be 60 characters long.

The hash function overrides the data, and it spreads / decreases the "secret code" of a certain length. The output of this type of hash function will be unique, and it will always give the same result. In other words, the hash of "cheese" is always the same. But the hash of "cheese" will be very different from the hash of "paneer" (finally low-case "e"). This is the continuation of output and very unique results which are the key here.

Hope it helps you

Re: How do passwords work?

Posted: Sat Jan 20, 2018 5:29 pm
by rene
techsophia wrote: The output of this type of hash function will be unique [ ... ]
For most practical purposes, sure, but note that essentially, no, certainly not. Mathematically this is obvious: you used a 60 character hash as an example; let's say "a character" is an N-bit value, i.e., can hold 2^N values (8 and 256 for standard bytes). Your hash would then be a (60*N)-bit entity, can hence hold 2^(60*N) possible values. There are clearly more than 2^(60*N) possible passwords so at least two of them must generate the same hash.

The above is for any value of N, and certainly the same argument holds for any value other than 60 as well, which is to say that a fundamental property of hashes is in fact that they are not necessarily unique. This is also important: specific hash functions are to be judged on chances of generating the same hash from non-same data, including the distribution of hashes over all possible ones. When to be used in a cryptographic context, moreover including (practical) irreversibility, when to be used in an error-detection context including minor changes in data having major chance of changes in hash -- and so on.
techsophia wrote: [ ... ] and it will always give the same result.
That, any hash will indeed do...
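The counting argument above can be watched in action on a deliberately small hash. This is an added example, not part of the original post: `tiny_hash` and `first_collision` are hypothetical helpers, the hash is SHA-256 truncated to a few bits, and the candidate passwords are constructed sample inputs.

```python
import hashlib
from itertools import count


def tiny_hash(text: str, bits: int) -> int:
    """SHA-256 cut down to its first `bits` bits: a hash with 2**bits possible values."""
    digest = int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big")
    return digest >> (256 - bits)


def first_collision(bits: int):
    """Hash constructed passwords until two different ones share a hash value.

    Returns (earlier_password, later_password, passwords_tried).
    With only 2**bits possible outputs, the loop must stop within 2**bits + 1 tries.
    """
    seen = {}
    for n in count():
        candidate = f"password-{n}"  # constructed sample input
        h = tiny_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, n + 1
        seen[h] = candidate


if __name__ == "__main__":
    for bits in (8, 16, 24):
        a, b, tried = first_collision(bits)
        print(f"{bits}-bit hash: {a!r} and {b!r} collide after {tried} passwords")
```

The number of tries grows quickly with the output size, which is why a collision in a full-length digest is guaranteed to exist yet impractical to stumble on this way.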

Re: How do passwords work?

Posted: Fri Jan 26, 2018 12:55 pm
by sevendogs
Not sure this is necessary but I wanted to clarify some terminology because it bugs me. Passwords are hashed, as other posters have mentioned. Passwords are never encrypted, or rather should never be encrypted. The term "encrypted" gets misused but I understand why (universal term for obfuscation). Encryption is two-way because you need to be able to see what you encrypted at some point. Hashing is one way because you NEVER need to see what you have hashed, at least with passwords. No one ever needs to know a password in plain text form other than the user. If an application stores user passwords encrypted, there is a key to be able to decrypt all the passwords. Very bad.

My .02.