One big misconception about passwords is that the password itself, that thing that you enter into the computer via keyboard or touch screen, is what is checked and verified by a computer before you are permitted to log in.
This is partly correct, and may have been the way things were a long time ago, but it is incredibly insecure: storing passwords in their original form, called "plaintext", is a major risk and is usually a violation of the information-security and acceptable-use policies of modern workplaces.
So, what really happens when the PC, website, or app is checking my password, and how does it know that it’s the password I used before if it’s not storing the password in plain text?
The answer comes in the form of the hashing function.
The job of a hashing function is to map input of arbitrary size (like a password) to a fixed-size result called the hash. A good one is deterministic (the same input always produces the same hash), one-way (there is no practical way to run it backwards), and collision-resistant (nobody can feasibly find two different inputs that produce the same hash).
This is exactly what password storage needs: we can take a password like "apple123" and map it to a particular hash. The string "A0192 C4323 54C12 OP35N VB28P3 NB2345" is used here only as a stand-in for what one looks like; a real digest is a run of hexadecimal characters (64 of them for SHA-256).
In principle other inputs could produce the same hash, since infinitely many inputs are squeezed into a fixed-size output, but finding one is computationally infeasible for a sound algorithm, so in practice only "apple123" will produce that exact hash (assuming the same hashing algorithm). And, as you can already see, it is very hard to get an idea of what the password is just by looking at the hash.
This being the case, it is the hash of your password that is stored on the PC/Website/Application instead of your password. When you try to log in by entering your password, the same algorithm is used on the password you entered, and the result is compared with the hash that the computer has stored on it. If the hashes match, your login succeeds!
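To make the store-then-compare flow concrete, here is an added example in Python; it is not code from the original article. fast_hash shows the plain one-way mapping the article describes. make_record and check_record show what a password store should actually hold: a random per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 here), so that every stolen hash has to be attacked separately and each guess is expensive. The function names, the record format and the in-memory user table are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory "user table": username -> stored record string.
# In a real system this is a database column; the plaintext is never stored.
USERS = {}


def fast_hash(password: str) -> str:
    """Plain SHA-256 of the password, the one-way mapping the article describes.
    Deterministic: the same input always gives the same 64-hex-character digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> str:
    """Salted, deliberately slow hash, which is what a password store should hold.
    Record format (assumed for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    A fresh random salt means two users with the same password get different
    records, and a precomputed table of hashes is useless against them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_record(record: str, attempt: str) -> bool:
    """Re-run the same algorithm with the stored salt and compare the digests."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest runs in constant time, so a wrong guess cannot be told apart
    # from a partly-right one by measuring how long the comparison takes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Used so that a login for an unknown user costs the same as a wrong password.
DUMMY_RECORD = make_record("not-a-real-password")


def register(username: str, password: str) -> None:
    USERS[username] = make_record(password)


def login(username: str, attempt: str) -> bool:
    record = USERS.get(username)
    if record is None:
        check_record(DUMMY_RECORD, attempt)  # burn the same time, then refuse
        return False
    return check_record(record, attempt)


if __name__ == "__main__":
    register("alice", "apple123")          # constructed sample account
    print("stored record:", USERS["alice"])
    print("correct password:", login("alice", "apple123"))
    print("wrong password:  ", login("alice", "Apple123"))
    print("unknown user:    ", login("bob", "apple123"))
```

Note that the record string carries everything the verifier needs (algorithm, work factor, salt); the only secret is the password the user types, and it exists in memory just long enough to be hashed.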
So, if you’re a hacker, how do you get “apple123” out of that hash?
Certainly not by hand! Once a hacker has a hash, they will feed it to a program which can attempt every possible password in hopes of producing the same hash.
Because this is a lot of work in and of itself, hackers may simply sell the hashes they stole to other hackers and groups in the black market and call it a day. This means that, for any major data breach, there could be multiple hackers or groups working to crack the same set of hashed passwords.
Given the power of modern hardware, a hacker can produce the correct hash for a password of only 8 characters in seconds to hours, depending on which characters it uses, as long as the site used a fast general-purpose hash (the whole point of a dedicated password hash such as bcrypt or Argon2 is to make every single guess deliberately slow). Their machine, typically a handful of graphics cards, is simply powerful enough to try every possible 8-character password.
So, if our password is "apple123" on a certain website, and that website is hacked to the point where the hashed passwords are stolen, the hacker has near-instant access to our account.
However, this strategy has a weakness that all of us can exploit. Even if the hashes of our passwords are stolen, the passwords could be so long that it would take years or even decades of guessing to reproduce the correct hash.
This is because every character added to a password multiplies the number of possibilities by the size of the character set, so the work needed to crack it grows exponentially with length. For example, at the guessing rate a well-equipped attacker can manage against a fast hash, a 10-character password using only lowercase letters and numbers (36^10, about 3.7 quadrillion possibilities) would take about a day to exhaust, while a 20-character password from the same set (36^20) would take on the order of 10 trillion years. Try it out for yourself on How Secure Is My Password? | Password Strength Checker | Security.org (such estimators assume brute-force guessing; a password that appears in a leaked list or a dictionary falls far faster than its length suggests).
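The cracking program described above, and the exponential growth in work with each added character, as an added example in Python (not code from the original article): brute_force enumerates every string over a character set, shortest first, until one hashes to the stolen digest, and worst_case_seconds converts a keyspace into crack time at an assumed guessing rate. The rate of 4e10 SHA-256 guesses per second is an assumption chosen for illustration (it is the rate implied by the article's "about a day" for 36^10 guesses); the function names and the constructed 3-character target are ours.

```python
import hashlib
import itertools
import string

# Character sets matching the article's examples.
LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols, e.g. "apple123"
MIXED_DIGITS = string.ascii_letters + string.digits     # 62 symbols, e.g. "Appl3123"
PHRASE_CHARS = MIXED_DIGITS + " "                       # 63 symbols, e.g. "Apples 1st Oranges 2nd Grapes 3rd"

# Assumed attacker throughput against a fast, unsalted hash (illustrative only).
ASSUMED_HASHES_PER_SECOND = 4e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def brute_force(target_hash: str, charset: str, max_len: int):
    """Exhaustive search: hash every string over charset of length 1..max_len,
    shortest first, and stop at the first one that matches target_hash.
    Returns (password, guesses_made); password is None if nothing matched."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length. One more character
    multiplies this by charset_size: that is the exponential growth in the text."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Time to try the whole keyspace at the given rate."""
    return keyspace(charset_size, length) / hashes_per_second


def crack_time_table(cases):
    """cases: iterable of (label, charset, length). Returns {label: years}."""
    return {label: worst_case_seconds(len(cs), n) / SECONDS_PER_YEAR
            for label, cs, n in cases}


if __name__ == "__main__":
    # Constructed "stolen" hash of a 3-character password, small enough to crack here.
    stolen = sha256_hex("ab1")
    found, guesses = brute_force(stolen, LOWER_DIGITS, 3)
    print(f"recovered {found!r} after {guesses} guesses")

    for label, years in crack_time_table([
        ("apple123 (36^8)", LOWER_DIGITS, 8),
        ("Appl3123 (62^8)", MIXED_DIGITS, 8),
        ("10 lowercase+digits (36^10)", LOWER_DIGITS, 10),
        ("20 lowercase+digits (36^20)", LOWER_DIGITS, 20),
        ("33-char phrase (63^33)", PHRASE_CHARS, 33),
    ]).items():
        print(f"{label:32s} {years:12.3g} years")
```

Run it and compare the rows: going from 36^8 to 62^8 buys a factor of about 77, while two extra lowercase characters buy a factor of 1296, which is the "length trumps complexity" point in numbers.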
One good thing to note here is that, when making a password, length trumps complexity.
Supposing we simply make another 8-character password that is more complex, like "Appl3123", that helps less than you might think: mixing in uppercase letters grows the search space from 36^8 to 62^8, roughly 80 times larger, which turns a crack time of about a minute into a little over an hour at the same guessing rate. Adding just two more lowercase characters, by contrast, multiplies the work by more than a thousand.
So, what if we decided to make our password an easy to remember phrase in plain English? Maybe an abbreviated recipe for fruit salad like “Apples 1st Oranges 2nd Grapes 3rd” could work.
That is a 33-character password! Given the limits of current technology, and in the absence of any other hints about what your password could be, that hacker could spend the rest of their life trying to crack it and still walk away empty-handed. (Crackers do try combinations of dictionary words, so pick a phrase of your own rather than a famous quote or song lyric.)
Of course, a 33-character long password can still be a hassle even if it’s easy to remember. Rather than giving yourself several long passwords to memorize, you might be better off using one long password to sign in to a Password Management app or service where you can store all your other passwords securely without having to remember them.