The Bitmill® Inc.


Password Security 101
Password Encryption

How Passwords Are Stored

All modern secure computer systems store users' passwords in an encrypted format. Whenever a user logs in, the password entered is encrypted initially, then compared to the stored encryption of the password associated with the user's login name. A match succeeds and a mismatch fails -- it's that simple!

"Too simple to be very secure," you ask? It depends. Password encryption is usually a one-way process. This process uses a hashing algorithm, which always produces the same result for a given password, but a very different one if even one character is mistyped. For example, the MD5 hashing algorithm produces the following encrypted results for the (weak!) passwords "abc4" and "abc5":

Password: abc4
Encryption: e47e4f3a015b2bf63c3411fd87ab3579

Password: abc5
Encryption: ab0b044fabbb28cc6de6c7398ce691e2

Even changing to uppercase produces a very different result (which may clarify why the Caps Lock key is so unforgiving!):

Password: ABC4
Encryption: ac3053745f6e1c8299a62d8732793fe6

Because hashing algorithms are one-way processes, the hashed result can never be used to recover the password. This fact would suggest that your password would not be exposed even if the entire password database from your workplace, for example, was posted on the Internet for all to see. That is the theory ...
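The store-then-compare flow described above, as an added example that is not part of the original article. It uses MD5 only because that is the algorithm the article illustrates with, compares hashes in constant time, and counts how many hex digits change between the hashes of two near-identical (constructed) passwords:

```python
import hashlib
import hmac

# Added example (not from the original article). MD5 is used because it is the
# algorithm the article illustrates with; the sample passwords are constructed.


def hash_password(password: str) -> str:
    """One-way hash of the password, hex-encoded, as the system would store it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(user_db: dict, username: str, password: str) -> None:
    """Store only the hash; the plain-text password is never written to the table."""
    user_db[username] = hash_password(password)


def login(user_db: dict, username: str, password: str) -> bool:
    """Hash what was typed and compare it with the stored hash.

    hmac.compare_digest runs in constant time, so the comparison itself does
    not leak how many leading characters of the hash matched.
    """
    stored = user_db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))


def differing_hex_positions(pw_a: str, pw_b: str) -> int:
    """Number of the 32 hex digits that differ between the hashes of two passwords.

    A sound hash changes roughly half of its bits for a one-character change,
    which is why the two hashes in the article look completely unrelated.
    """
    ha, hb = hash_password(pw_a), hash_password(pw_b)
    return sum(1 for x, y in zip(ha, hb) if x != y)


if __name__ == "__main__":
    db = {}
    register(db, "alice", "abc4")
    print("stored hash:", db["alice"])
    print("login abc4:", login(db, "alice", "abc4"))  # True
    print("login abc5:", login(db, "alice", "abc5"))  # False, one character off
    print("login ABC4:", login(db, "alice", "ABC4"))  # False, Caps Lock
    print("hex digits differing, abc4 vs abc5:", differing_hex_positions("abc4", "abc5"))
```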

Password Protection

If you are comfortable with the assumption that all systems work this way, be afraid -- be very afraid. For many reasons, this is a dangerous assumption! The theory that your password is well-protected may not hold for any of the following reasons:

  1. Strong encryption may not be used.
    • Like the weakest link in a chain, the very common LM Hash method is not strong at all!
    • Also common, simple ciphers (e.g. changing a to b, b to c and so on) are neither strong, nor one-way.
    • Do you know what method is being used each time you enter your password?
  2. The system you are logging into may fail to encrypt your password before storing it.
    • Countless (horrible) software packages use no encryption whatsoever to store passwords!
    • Poorly written website applications are especially common offenders.
  3. The password may be exposed prior to encryption.
    • Temporary files might be used in the process.
    • The system might be attached to an insecure network.
    • Is the system itself well-protected? (Your plain-text password resides in memory prior to encryption).
  4. The system support personnel could be untrustworthy.
    • Your bank? Probably trustworthy. Your favorite leisure website? Maybe, maybe not.
  5. The system may not really be the one you think it is.
  6. Strong passwords actually can be cracked.
    • It's important to understand that all strong encryption methods are based on theories. Mathematicians and computer scientists have good reasons to believe these theories are solid, but by their very nature, the underlying assumptions cannot be proven. (It is a paradox that a proof may actually result in the complete breakdown of all encryption methods. Google "P=NP" if you are curious.) It really comes down to statistics and computing time. We can say that a strong cipher probably cannot be broken in any reasonable amount of time.

    • Passwords do have a finite length. This means that a brute-force attack will always succeed, given enough computing time. The password policy should always be to use strong passwords, as it takes unreasonable computing times to crack them.

    • Common words or names are often used, making dictionary attacks relatively likely to reproduce the original password.

Due to the many inherent weaknesses of using passwords alone, many systems which store sensitive information use two-factor authentication schemes. But passwords are unlikely to become extinct anytime soon. It is important to understand some of the risks and remain vigilant!


Link To This Page

Knowledge is power. The Bitmill Inc. encourages links to our site. To link to this page, please cut and paste the following HTML code into your web page source file.

<a href="http://www.thebitmill.com/articles/password_storage.html">System Password Storage</a>

Your link will look like this:
System Password Storage

Thank you for your interest and support.
