How do passwords work?

Linkdead_
Level 1
Posts: 25
Joined: Tue Dec 26, 2017 8:59 pm
Location: USA

How do passwords work?

Post by Linkdead_ » Thu Jan 04, 2018 11:47 am

I was reading some articles online about Intel having some memory leaks that could potentially give malware access to kernel memory that contain things like your passwords. I fully understand a lot of these "articles" are just clickbait trying to work people into a frenzy to get views, but it got me wondering how do passwords work?

I know that might be a pretty sensitive topic, so I am not asking for information that would compromise anyone's security, but I am interested to know how the process is handled. I know that my password has to be stored somewhere because the computer has to check my input against something. If that is the case though, how is it protected from hackers or nefarious programs from just snatching up my password from wherever it is stored?

deepakdeshp
Level 10
Posts: 3364
Joined: Sun Aug 09, 2015 10:00 am

Re: How do passwords work?

Post by deepakdeshp » Thu Jan 04, 2018 12:41 pm

Plain passwords aren't stored but the passwords are encrypted and stored.
https://security.stackexchange.com/ques ... d-on-linux
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help, and keeps the forum clean.
I am using Mint 18.3 Cinnamon 64 bit with AMD processor. Memory 8GB

Petermint
Level 4
Posts: 424
Joined: Tue Feb 16, 2016 3:12 am

Re: How do passwords work?

Post by Petermint » Mon Jan 08, 2018 10:58 pm

The memory lookahead leak can only leak a limited amount of data at a time, depending on the processor model. If your password is short enough to leak, you could move to a longer password or a passphrase or two factor authentication.

For a virus attack, there are easier and more reliable ways to get your password. Phishing and other tricks are easier than virus attacks. The easiest approach is to wait until you sign up for Faceblab then every aspect of your identity will be on sale to everyone.

Mute Ant
Level 13
Posts: 4787
Joined: Tue Sep 03, 2013 7:45 pm

Re: How do passwords work?

Post by Mute Ant » Tue Jan 09, 2018 9:36 am

"the computer has to check my input against something" Yes it does, but not the text you type in, some scrambler-function of that text. The common function is md5sum but there's lots of others...

Setting Up The Account (US Keyboard)
Your password: SqueezeToyRebecca#
Repeat it please: SqueezeToyRebecca#
Machine key: 7fa5f0ed563d61bd608d3f730d52f3e7

Logging In (GB Keyboard (fails))
You enter: SqueezeToyRebecca£
Machine key: d3ccf8c187d13f16e33ac10d868d2686

The key from a mildly-incorrect password is not even close to acceptable. Digest-sum functions are designed so that happens. It is very difficult, not quite impossible, to find an input password that generates a particular machine key. So even if you know what the machine-key is, by sniffing through the files of an inert machine, you can't feasibly reverse-engineer the password that generates that key and log in as that user.
In Chapter One, Boron slays the entire Marketing Department by explaining Asynchronous Protocols.
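The enrol-then-compare flow from the post above, as an added example that is not part of the original thread. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library rather than the md5sum named in the post; the iteration count and the record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Turn the typed text into the 'machine key' (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> dict:
    """Build the record that is stored instead of the password itself."""
    salt = os.urandom(16)  # random per account, so equal passwords get different keys
    return {"salt": salt, "iterations": ITERATIONS,
            "key": derive(password, salt, ITERATIONS)}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the key from the attempt and compare in constant time."""
    candidate = derive(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits in which two equal-length keys differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo():
    # Passwords taken from the post: US keyboard at setup, GB keyboard at login.
    record = enroll("SqueezeToyRebecca#")
    right = verify(record, "SqueezeToyRebecca#")
    wrong = verify(record, "SqueezeToyRebecca£")
    near_miss = derive("SqueezeToyRebecca£", record["salt"], record["iterations"])
    return right, wrong, differing_bits(record["key"], near_miss)


if __name__ == "__main__":
    right, wrong, bits = demo()
    print("correct password accepted:", right)
    print("one-character-off password accepted:", wrong)
    print("bits that differ between the two 256-bit keys:", bits)
```

The stored record holds the salt, the iteration count and the derived key, never the password text, so reading the record does not directly give a login.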

techsophia
Level 1
Posts: 1
Joined: Thu Jan 04, 2018 4:26 am

Re: How do passwords work?

Post by techsophia » Sat Jan 20, 2018 6:28 am

Hello

This part can be a little hairy, but sit tight.

Hash Algorithm

When you sign up for an account on a site, you choose a username and a password. Usernames are usually stored in the site's database as plain old text. On the other hand, password was washed before it was stored.

A hash function is a mathematical algorithm that will take any size data (such as a password) and will make it a part of the data appearing to look like fixed size.

The data washed 1 character long, the resulting hash would be 60 characters long.
If the data is 20 characters, the hash will be 60 characters long.
If the data is 2,000 characters long, the resulting hash will still be 60 characters long.

The hash function overrides the data, and it spreads / decreases the "secret code" of a certain length. The output of this type of hash function will be unique, and it will always give the same result. In other words, the hash of "cheese" is always the same. But the hash of "cheese" will be very different from the hash of "paneer" (finally low-case "e"). This is the continuation of output and very unique results which are the key here.

Hope it helps you

rene
Level 7
Posts: 1762
Joined: Sun Mar 27, 2016 6:58 pm

Re: How do passwords work?

Post by rene » Sat Jan 20, 2018 5:29 pm

techsophia wrote: The output of this type of hash function will be unique [ ... ]
For most practical purposes, sure, but note that essentially, no, certainly not. Mathematically this is obvious: you used a 60 character hash as an example; let's say "a character" is an N-bit value, i.e., can hold 2^N values (8 and 256 for standard bytes). Your hash would then be a (60*N)-bit entity, can hence hold 2^(60*N) possible values. There are clearly more than 2^(60*N) possible passwords so at least two of them must generate the same hash.

The above is for any value of N, and certainly the same argument holds for any value other than 60 as well, which is to say that a fundamental property of hashes is in fact that they are not necessarily unique. This is also important: specific hash functions are to be judged on chances of generating the same hash from non-same data, including the distribution of hashes over all possible ones. When to be used in a cryptographic context, moreover including (practical) irreversibility, when to be used in an error-detection context including minor changes in data having major chance of changes in hash -- and so on.
techsophia wrote: [ ... ] and it will always give the same result.
That, any hash will indeed do...
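The counting argument in the post above, made concrete in an added example that is not part of the original thread: a hash with only 16 output bits has 2^16 possible values, so among 2^16 + 1 distinct inputs two must share a hash. The 16-bit truncation of SHA-256 and the `password<i>` candidate strings are assumptions chosen so the search finishes instantly.

```python
import hashlib
from itertools import count


def short_hash(text: str, bits: int = 16) -> int:
    """SHA-256 truncated to its top `bits` bits: a deliberately tiny hash."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def full_hash(text: str) -> str:
    """The untruncated SHA-256 digest, for comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_collision(bits: int = 16):
    """Try constructed inputs until two of them share a short hash.

    Returns (first_input, second_input, inputs_tried). The pigeonhole
    principle guarantees termination within 2**bits + 1 inputs.
    """
    seen = {}
    for i in count():
        candidate = f"password{i}"  # constructed sample inputs
        h = short_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate


if __name__ == "__main__":
    first, second, tried = find_collision(16)
    print(f"{first!r} and {second!r} share the 16-bit hash "
          f"{short_hash(first):04x} after {tried} inputs")
    print("full SHA-256 digests differ:", full_hash(first) != full_hash(second))
```

The same argument applies to the full 256-bit output; the difference is only how many inputs one would have to try, which is what the post means by judging a hash function on the chance of a collision.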

sevendogs
Level 1
Posts: 27
Joined: Sun Feb 05, 2017 8:38 pm
Location: Texas

Re: How do passwords work?

Post by sevendogs » Fri Jan 26, 2018 12:55 pm

Not sure this is necessary but I wanted to clarify some terminology because it bugs me. Passwords are hashed, as other posters have mentioned. Passwords are never encrypted, or rather should never be encrypted. The term "encrypted" gets misused but I understand why (universal term for obfuscation). Encryption is two-way because you need to be able to see what you encrypted at some point. Hashing is one way because you NEVER need to see what you have hashed, at least with passwords. No one ever needs to know a password in plain text form other than the user. If an application stores user passwords encrypted, there is a key to be able to decrypt all the passwords. Very bad.

My .02.
HP z800 2x6 core Xeon, 96 GB DDR3 5.5TB SSD, Evga 1050Ti 4GB, Mint 18.2 Cinnamon
"Give a man a truth and he will think for a day. Teach a man to reason and he will think for a lifetime"
