Skip to main content
Minnesota State College Southeast

Updates from the Web

MSC Southeast's computer and Web chronicles

We don't have your password

(Tech Tips) Permanent link   All Posts

Neither does anyone else - if they are legitimate.

The news about user accounts being stolen from Google, Home Depot, and others, it can be very unnerving. However, good sites don't actually store passwords. They only store a representation of them. Even if your information is stolen, it doesn't mean your password is exposed.

How it works

 

 

Digging Deeper

There are a number of techniques used, but they all use the same basic premise. Here is one of the most common techniques.

When you put in your password into an online account, the password is run through an algorithm. That is, a mathematical calculation is performed. The result is what is saved in the database instead of your password.

The cool part - (getting a bit geeky here)

The result of these mathematical algorithms (you should drop that phrase at your next party), is called a hash. If you use the same type of technique very time, then the same string of characters will always result in the same hash.

For example, using one technique, the password "qwerty123" will always be converted to the hash "2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=". If you use a better password, like "Five5For5Fighting!Google", you get the hash "gsOnlRB5/7LGOSyNTnQjjolSpqumI9UsT5/uNYgnM6A=".

It is this longer string that is saved in the database. If a hacker steals the database information, they can't tell by looking at the hash what your password is. Hashes can't be reversed.

To find out if you used the right password, the website simply runs the same algorithm to check the password. If it matches the hash in the database, you used the right password.

Putting the hash in the password field would result in a completely different hash, so it wouldn't work. So, if you were to put in the qwerty123 hash (2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=) in the password field, you actually get "G4AAO88pl0kITda+I20eX69Pxk6lHGFzfC3l53NF2Ew=" back. It doesn't match, so the hacker can't get in.

Getting a bit more secure

To make things even more difficult for hackers, websites use what is called a salt. This is a string of random characters only the site/database owner knows. This is added to your password before it is turned into a hash. Even if the hacker knows what algorithm is used, without the salt, the hacker can't figure out what the hash should be.

With the salt, the whole thing is really pretty sweet.

What we do at MSC Southeast

More robust systems, such as ours, don't use this technique specifically. We have the benefit of our StarID system. We don't store your password, or its hash. Instead, we have a connection that validates your StarID/password with the State's StarID system.

This is a similar technique used by other government agencies. It allows us to greatly insulate your information from hackers.

Final thought

The techniques outlined above are used by professionals in the Web and security industries. Some, less professional, sites don't use these techniques at all.

It is hard to tell what sites use these techniques and which do not. This is why you should never reuse passwords. If they get your password in one place, it shouldn't work anywhere else - they will certainly try!

Extra links

Find out if your Gmail has been hacked by reading 3 Ways to Check if Your Gmail is Hacked.

Learn about Google's Security Settings (you need to log in first).