How do passwords work?

How Do Passwords Work?

2 Flares 2 Flares ×

If you’ve been using the internet for any length of time, you’ve probably accessed tens or even hundreds of websites that require a password. In most places online, a login and password is almost mandatory, regardless of whether you want to post in a forum or buy an item. Some sites even require you to create a username and password just to read their content.

But what is going on when you create a password – and how does this process help keep your information safe?

You might be surprised to learn that when you fill in a form and create a password on a website, that password is not stored on the website’s server. This is because if the security of the server were compromised, your password would be freely available to that hacker.

Instead, your password is put through a process or function called “hashing” which significantly improves the security (as long as your password is good enough – more on that later).

Let’s take a look at how hashing works, and then we’ll see how this is put to use when you create a password.

What is Hashing and How does It Work?

Hashing turns your password (or any other piece of data) into a short string of letters and/or numbers using a mathematical function.

A common hash function is md5(), which returns a 32-long character string from any input. Let’s see a few examples of what a hash looks like:

  1. md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
  2. md5(hell0world) = 0a123b92f789055b946659e816834465
  3. md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca#
  4. md5(helloworld) = fc5e038d38a57032085441e7fe7010b0

From these three examples we can learn several things about hashes:

  • The Avalanche Effect – A small change in the input file creates a large change in the output. Take a look at example 1 and 2, just one digit has been shifted, from an “o” to a “0” This is a very small change, and yet the second output is unrecognizable from the first.
  • The Output Length Never Changes – The input in example 3 is considerably longer than the input in example 1 and 2, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32 character string as the output.
  • Repeatable – If you looked at example 1 and 4 and thought they were the same – you were right. An input will always give the same output when hashed using the same function. If this weren’t the case, they would just be giving a random output – which would be useless for passwords.
  • Hard to Reverse – Because of the way the hashing function works it is almost impossible to reverse. In fact, it is so hard to reverse that trying millions of combinations to try and produce the same end result (a brute force attack) is considered quicker than the calculations required to reverse the process.

How is Hashing Used For Storing Passwords?

As we’ve mentioned before, a password is not normally stored on a server. Instead, hashes are used to provide access. Let’s look at how that works in practice:

Step 1 – A user visits a site and fills in a form to create their username and password.

Step 2 – That password is put through a hash function – and the hash is stored in the database.

Step 3 – When a user logs in they enter their password again on the site.

Step 4 – That entered password is run through the same hashing function as was used before.

Step 5 – The server checks this hash against the one stored for the user in the database.

Step 6 – If the two hashes match exactly the user is granted access.

How Does Hashing Effect Your Security?

When a website is hacked and data lost, the hackers don’t get access to your password because it isn’t stored there. Instead, they just get access to the hash created by your password.

Because hashes are so hard to reverse, having access to this hash doesn’t mean they can generate your password easily, even though they know the function used to create it.

On learning this, and knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, easy to remember password, assuming that it doesn’t matter what you choose.

The opposite is true: the password you choose is critical for keeping your data secure.

The hashing process is not meant to replace the security of a password but add to it. All a hash does is ensure that if a website is hacked, your password is still secure. Once a hacker has the hash your security entirely depends on how hard it is to crack your password.

Once the website has been hacked, and the password hashes obtained, the real process of password hacking begins. This process happens offline, on the hacker’s computer. Combinations of characters are put into a hashing function until a hash that matches yours is created.

Because the functions themselves are well known, password hackers can easily calculate hashes for known words and other commonly chosen combinations in advance, and then match the cracked passwords up against these dictionaries. These dictionaries go far beyond simple words and include prefixes, suffixes, the practice of changing letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords are broken very quickly, without the need for trial and error.

If you choose a weak password, you are relying on the website’s own security to protect you.

If you want to have strong security you need to:

  • Create a long, and seemingly random password.
  • Change that password periodically.
  • Not re-use that password on other websites.

For more information about choosing a secure password, you might want to read our previous article, How to Create Strong, Memorable Passwords.

Of course, most of us struggle to create strong, memorable passwords, but when we fail to do so, we put our financial and personal data at risk.

For businesses, the risk is even greater. Even if your network security is strong, if your users are using the same password for both your network and other websites, your security could be breached without anyone hacking in. For example, if a user’s personal email is breached the hacker might then try the same password on their work account, possibly giving them access to sensitive business data.

Because businesses cannot be certain a user isn’t reusing passwords we recommend using identity and access management software such as OnionID. This software can ensure your passwords are unique, strong, and hard to crack, securing your data and protecting you from intellectual property theft.


Photo by Yuri Samollov, CC BY 2.0

Share this post

  • Nice indepth Article James, written in a way that is easy to understand too. I had to migrate a website a while back and I only had access to its old database and had a look at the passwords which were in MD5 format, so I just reset them to new ones, from what I gathered it was easy to convert a password to MD5 but not in reverse so that basically confirms what you have said. What I would like to know is if the OnionID software primarily focuses on protecting a Business or its clients too ?

    • Anirvana

      HI There! Thank you for posting a comment. Onion ID’s primary use case is to protect access to company cloud/on-prem servers and cloud/native applications by internal company employees. However, we have had customers who have taken an Onion ID account and used it to control how contractors, bloggers etc. non-employees can access a company resource like a server or a blog or a web app. If this answer is unclear please let us know.


2 Flares Twitter 0 Facebook 0 Google+ 1 Reddit 0 LinkedIn 1 Buffer 0 2 Flares ×