The Bitmill Inc.

Password Security 101
Password Encryption

How Passwords Are Stored

All modern secure computer systems store users' passwords in an encrypted (more precisely, hashed) form rather than as plain text. Whenever a user logs in, the password entered is first encrypted in the same way, then compared to the stored encryption of the password associated with the user's login name. A match succeeds and a mismatch fails -- it's that simple!

Too simple to be very secure, you ask? It depends. Password encryption is usually a one-way process: it uses a hashing algorithm, which always produces the same result for a given password but a very different one if even a single character is mis-typed. For example, the MD5 hashing algorithm produces the following encrypted results for the (weak!) passwords "abc4" and "abc5":

Even changing to uppercase produces a very different result (which may clarify why the Caps Lock key is so unforgiving!):

Because hashing algorithms are one-way processes, the hashed result cannot be reversed to recover the password. This fact would suggest that your password would not be exposed even if the entire password database from your workplace, for example, were posted on the Internet for all to see. That is the theory ...
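The store-and-verify flow described above, carried through in Python with the article's own sample passwords. This is an added example, not code from the article; the user names and the in-memory "password database" are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(password: str) -> str:
    """One-way hash of a password: the same input always yields the same 32-hex-digit digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def differing_hex_digits(a: str, b: str) -> int:
    """Count the positions at which two digests differ (illustrates the avalanche effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


# Constructed sample "password database": login name -> stored hash, never the password.
# Both hypothetical users happen to pick the same weak password from the article.
PASSWORD_DB = {
    "alice": md5_hex("abc4"),
    "bob": md5_hex("abc4"),
}


def login(user: str, typed: str) -> bool:
    """Hash what was typed and compare with the stored hash.

    compare_digest runs in constant time so the comparison itself leaks nothing
    about how many leading characters of the digest matched.
    """
    stored = PASSWORD_DB.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(typed))


if __name__ == "__main__":
    for pw in ("abc4", "abc5", "ABC4"):
        print(f"{pw!r:8} -> {md5_hex(pw)}")
    changed = differing_hex_digits(md5_hex("abc4"), md5_hex("abc5"))
    print(f"abc4 vs abc5: {changed} of 32 hex digits differ")
    print("login alice / abc4:", login("alice", "abc4"))
    print("login alice / ABC4:", login("alice", "ABC4"))
    # Because the hash is deterministic, every user with the same password stores
    # the same digest; this is what makes dictionary attacks on a leaked database pay off.
    print("alice and bob store identical hashes:", PASSWORD_DB["alice"] == PASSWORD_DB["bob"])
```

The identical-hash observation at the end is the same property that item 6 below relies on: a leaked hash of a common word can be matched by hashing that word once.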

Password Protection

If you are comfortable with the assumption that all systems work this way, be afraid -- be very afraid. For many reasons, this is a dangerous assumption! The theory that your password is well-protected may not hold for any of the following reasons:

  1. Strong encryption may not be used.
    • Like the weakest link in a chain, the very common LM Hash method is not strong at all!
    • Also common, simple ciphers (e.g. changing a to b, b to c and so on) are neither strong nor one-way.
    • Do you know what method is being used each time you enter your password?
  2. The system you are logging into may fail to encrypt your password before storing it.
    • Countless (horrible) software packages use no encryption whatsoever to store passwords!
    • Poorly written website applications are especially common offenders.
  3. The password may be exposed prior to encryption.
    • Temporary files might be used in the process.
    • The system might be attached to an insecure network.
    • Is the system itself well-protected? (Your plain-text password resides in memory prior to encryption).
  4. The system support personnel could be untrustworthy.
    • Your bank? Probably trustworthy. Your favorite leisure website? Maybe, maybe not.
  5. The system may not really be the one you think it is.
  6. Strong passwords actually can be cracked.
    • It's important to understand that all strong encryption methods rest on theories. Mathematicians and computer scientists have good reasons to believe these theories are solid, but by their very nature the underlying assumptions cannot be proven. (It is a paradox that a proof may actually result in the complete breakdown of all encryption methods. Google "P=NP" if you are curious.) It really comes down to statistics and computing time. We can say that a strong cipher probably cannot be broken in any reasonable amount of time.

    • Passwords have a finite length, which means that a brute-force attack will always succeed given enough computing time. The password policy should always be to use strong passwords, because cracking them takes an unreasonable amount of computing time.

    • Common words or names are often used, making dictionary attacks relatively likely to reproduce the original password.

Due to the many inherent weaknesses of using passwords alone, many systems that store sensitive information use 2-factor authentication schemes. But passwords are unlikely to become extinct anytime soon. It is important to understand some of the risks and remain vigilant!
