How do passwords work? (2024)


Written by Barbara Hoffman


Any time you want to make a purchase, post a comment in a forum, or even read content on many websites, you’re prompted to create (and remember!) a password.

But what’s really going on when you create a password? And how does this process help keep your information safe? When you create a password on a website, that password isn’t stored verbatim on the website’s server. That’s because your password would be freely available if the security of the server were compromised.

Instead, your password is put through a process called “hashing,” which significantly improves security (provided your password is strong enough).

How does password hashing work?

Password hashing turns your password (or any other piece of data) into a short string of letters and numbers using a one-way hash algorithm (hashing is often loosely called encryption, but unlike encryption there is no key and no intended way to turn the output back into the input). If a website is hacked, password hashing helps prevent cybercriminals from getting access to your passwords. Instead, they just get the unintelligible “hash” derived from your password.

A well-known hash function is md5(), which returns a 32-character hexadecimal string from any input. It is used here because its output is short and easy to read; it is far too fast, and too thoroughly studied, to be a good choice for storing passwords today. Below are a few examples of what a hash looks like:

  1. md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
  2. md5(hell0world) = 0a123b92f789055b946659e816834465
  3. md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca
  4. md5(helloworld) = fc5e038d38a57032085441e7fe7010b0

From these examples, we can learn several things about hashes:

Small changes matter a lot – Take a look at examples 1 and 2. Just one character has been changed, from an “o” to a “0.” This is a very small change, and yet the second output bears no resemblance to the first.

The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32-character string as the output.

Repeatable – An input will always give the same output when hashed using the same function. If this weren’t the case, the function would just be generating random output, which would be useless for passwords. (I used the same input in example 4 as in example 1 just to see if you were paying attention.)

Hard to reverse – Even though a cybercriminal may be able to tell which function was used to create a hash, it’s practically impossible to reverse that function and recover the password from the hash. In fact, it’s so hard that trying millions of candidate inputs until one produces the same output (a brute-force attack) is typically quicker than any attempt to reverse the hashing process directly.


How is password hashing used for granting access?

Let’s look at how password hashing works in practice:

  • Step 1 – A user visits a site and fills in a form to create their username and password.
  • Step 2 – That password is put through a hash function and the hash is stored in the database.
  • Step 3 – When a user logs in they enter their password again on the site.
  • Step 4 – That entered password is run through the same hashing function as was used before.
  • Step 5 – The server checks this hash against the one stored for the user in the database.
  • Step 6 – If the two hashes match exactly, the user is granted access.
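The six steps above, and the hash properties from the previous section, as an added Python example (not code from the post or from Delinea). It uses md5() exactly as the post describes, then goes one step further than the post with a hardened variant that adds a per-user random salt and a slow, iterated hash; the in-memory dictionaries standing in for the database and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the website's database: username -> stored credential.
USERS_MD5: dict[str, str] = {}
USERS_PBKDF2: dict[str, tuple[bytes, bytes]] = {}


def md5_hex(text: str) -> str:
    """Steps 2 and 4 as the post describes them: md5() of the password as a 32-char hex string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def register_md5(username: str, password: str) -> None:
    """Steps 1-2: only the hash is stored, never the password itself."""
    USERS_MD5[username] = md5_hex(password)


def login_md5(username: str, password: str) -> bool:
    """Steps 3-6: re-hash the entered password and compare it with the stored hash."""
    stored = USERS_MD5.get(username)
    if stored is None:
        return False
    # compare_digest does not leak how many leading characters matched via timing.
    return hmac.compare_digest(stored, md5_hex(password))


# Hardened variant (beyond the post): a random salt per user means two users with the same
# password get different stored hashes and a precomputed dictionary of hashes is useless;
# the iteration count makes every offline guess cost far more than a single md5() call.
PBKDF2_ITERATIONS = 600_000  # assumed setting; tune so one hash takes ~100 ms on your server


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_pbkdf2(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS_PBKDF2[username] = (salt, pbkdf2_hash(password, salt))


def login_pbkdf2(username: str, password: str) -> bool:
    record = USERS_PBKDF2.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, pbkdf2_hash(password, salt))


if __name__ == "__main__":
    register_md5("alice", "helloworld")
    print(USERS_MD5["alice"], login_md5("alice", "helloworld"), login_md5("alice", "hell0world"))
```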

Is hashing sufficient to keep passwords safe?

Knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, memorable password. In fact, you should do the opposite. The password you choose is critical for keeping your data secure.

Once a cybercriminal obtains password hashes from a website, the real process of password hacking begins. This process happens offline, on the cybercriminal’s computer. Cybercriminals put combinations of characters into a hashing function until a hash that matches yours is created.

Because the functions themselves are well known, cybercriminals can easily precompute hashes for known words and other commonly chosen combinations, building a dictionary of password-to-hash pairs. Then they simply look up the stolen hashes in these dictionaries.

These dictionaries go far beyond simple words. They include prefixes, suffixes, the practice of changing letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords can be broken very quickly.

You can see how easily simple passwords can be cracked in the blog, Five Most Popular Password Cracking Tools.

For strong password security, you must:

  • Create a long and seemingly random password
  • Change that password periodically
  • Never reuse that password on other websites

Not sure how to create a strong password? Try Delinea's Strong Password Generator.

Password management and PAM

Human beings struggle to create strong, memorable passwords. When we fail to do so, we put our financial and personal data at risk.

For businesses, the risk is even greater. Even if your network security is strong, if people are using the same passwords for your multiple internal systems, applications, and websites, your network could be breached without anyone hacking in. For example, if a user’s personal email is breached, a cybercriminal might try the same password on their work account, possibly gaining access to sensitive business data.

Privileged Access Management (PAM) solutions automatically generate complex passwords and rotate them regularly. So, even if a cybercriminal gains access to a hash, they can’t easily conduct a brute-force attack. PAM solutions help ensure passwords are unique and never shared, so even if cybercriminals get one password, they are less likely to leverage that password to gain additional access.

With PAM, privileged users don’t need to remember passwords or remember to change them. Your enterprise password management happens automatically, behind the scenes, without interrupting a user’s productivity.

So, that’s how passwords work! Now, learn more about privileged access management.

Related Reading: Why you must NOT store enterprise passwords in Excel.


