But hey, wait a minute. How are they able to verify me if they don’t know my password?
How are they able to know that my password is incorrect?
How are they able to know I’ve used a particular password 5 years ago?
Welcome to technology.
Relax, get a cup of tea and let’s dive into some of the fascinating tricks behind password storage. You should come out geekier than before, and your IT guy shouldn’t confuse you anymore.
Let’s start from where it all started.
In the beginning was a “Plain Text”
Your email and passwords are saved just as you typed them. If you type abc123 as password, abc123 will be saved on the computer. It’s plain. That’s why it’s called Plain Text.
Example is shown below. We all can see it. It’s plain. The first password is zongo2342.
These details are saved the first time you create an account.
The next time you login, whatever you type will be matched against this sheet to see if it’s already saved. If YES, then you will be logged in. Else you’re shown a message like below
The problem with saving things just as the user typed it is, it helps the bad guys.
- When I get access to that computer where the file is saved [Assuming I’m outsider or inside worker]
- I will login into the computer
- Search for that file with the usernames and password
- Bam! I have accounts of all the clients of that company.
- I can login to everyone’s account now
- What I can do with those plain usernames and password is entirely up to me.
The important thing to note here is:
The only hard work the bad guy has to do is to search for the file in the computer. And what the security guys must do is to hide this excel file so deep in the computer that it will be difficult to find.
The security industry realized this is a bad practice.
Should we even trust those who are hiding the file?
No! In computer, we must trust no one.
That led to the security community bringing another trick. A trick called Encryption.
I hope you still remember the main challenge in saving things in Plain Text
- Those hiding it knows what it is and where it is.
- When outsider gets access to that file, will straight away start login into others account, because everything is plain.
This is the challenge Encryption came to solve.
A LITTLE BIT OF HISTORY
Turning what you want to save into “something else” before saving it is an old trick. It didn’t start with computer.
Once upon a time, time time!
There lived a Greek ambassador in Persia who wanted to send a message to Asian cities to rise up against the Persian king. But he knew the one to send the message will be in trouble when found.
What must he do to send the message?
Then Idea came!
- He let one of his slaves shaved his head
- He wrote the message on the head
- Waited until the hair grew back
- Then the messenger set off.
The message was delivered peacefully, and the rebellion started.
The idea of encryption is simple. Hide it. When you even trace the root word from Greek, it means “Hidden”.
You can read more about History of Encryption from this document. For us, that is not our lookout. We just want to know if Facebook, Google, Microsoft, Yahoo, NSS Secretariat, NABCO secretariat, GES, Company IT Guys, or any other body we have account with, knows our password.
No! They don’t! but let’s move on to see why.
HOW IS PASSWORD ENCRYPTED?
As said earlier, encrypting password simply means hiding it by changing it “something else“.
The next time user tries to login, that “something else” will be reversed to the actual thing and matched against what the user just typed. Or what the user just typed will be encrypted again, and matched against what is already saved. Either way will work fine.
Technically, it will be turned into “something else” using a formula (a Key). It’s only that formula that can reverse it.
Example will explain that better.
Assuming the above excel sheet is where we stored the Pain Text, then the Encrypted password using Key X will look like
[Column D] below.
I intentionally left [COLUMN C] so we can compare with the “something else”( [COLUMN D]) but in the system, Column D will replace Column C.
Can you guess the formula(Key) I used to change [Column C] to [Column D]?
Do yourself a favor, DO NOT CONTINUE TO READ UNTIL YOU FIGURE OUT THE TRICK I USED! You can give to your child as assignment.
The formula(KEY) I used above is simple. I just spell the passwords in reverse order.
- So when user password is 10, the reverse will be 01.
- When the password is 123, the reverse will be 321
- When the password is abc, the reverse will be cba
- The password for kaunda is (abc123), therefore the reverse is 321cba.
So the formula, or the trick, is to store the user password in reverse order.
Now, when kaunda enters his password, example, abc123, the system will reverse it and compare it with the value at Column D, row 21 (thus, cell D21).
- The process of converting abc123 to 321cba is called ENCRYPTION.
- The process of reversing 321cba back to the original abc123 is called DECRYPTION.
Note: You do Decryption using a formula, which I’v said it’s technically called a KEY. Feel free to call it Encryption Function or Encryption Algorithm.
Ha! We are safe now, from both Inside criminals and outside criminals, right?
Unfortunately, the encryption trick isn’t a holy savior. It’s just a false sense of security. Encryption has three big flaws.
- Both the excel file and the Key to decrypt it are hiding on the same computer. Maybe one in some one-corner in Drive C and the other in another corner inn Drive Z. But they are all on the same computer. What that means is, both the Insider Criminal and the Outside Criminal can still get it. They just have to search for two things (the excel file and the Encryption Key). Remember, under Plain Text, they only have to search for the Excel File. This time around, they will have to search for the KEY too.
- There is no further work when the Plain Text file is found. But the bad guy must do additional work to decrypting the Excel file before it can be used. She can’t directly login with 321cba. She must decrypt that with the Key to get abc123
- We’ve used the KEYS for a while now, so computer blacksmiths are able to easily “duplicate it”. In order words, the existing encryption keys are not reliable again. People have researched so much into all existing encryption formulas that some can even guess what formula was used to encrypt a particular data, just by seeing the encrypted data. Some of the Encryption Formulas are called ENCRYPT(), MD5. In short, Encryption is breakable.
EXAMPLE OF ENCRYPTION USING MD5
Remember, we are diving into the ocean together. Don’t leave me alone. It’s getting a bit technical though.
Now that I know you won’t leave me alone, let’s encrypt our data with MD5 Formula.
When the passwords in our excel sheet is encrypted using MD5 Formula, we get below. Ignore the Red, blue, black writings at the top. Just focus on the Excel-like sheet below, Especially Column E (MD5_Formula)
Let’s do some small changes first. Since we are diving too deep, we can’t use excel again. Excel can’t give us the protection we need at this level. So we will now assume the user login details are saved in a software called MS SQLSEVER. MS SQLSERVER is a powerful database management system.
We can move on now!
Take a hard look at what we are getting, under Column E (MD5_Formula) above.
- It’s not Chinese
- It’s Not Arabic
- It’s not Latin.
- It doesn’t look like Twi too
- and it’s definitely not English
It’s just “Something Else”
Note: Like I said above, the actual password will not be saved. Only the encrypted version that is saved.
It’s actually something like this:
Take another note: Kaunda’s password is not more the reverse of acb123, it’s entirely something else. No soul can guess what the actual thing is. If you even stick Obinim Sticker on it, you still won’t.
Unfortunately, with enough time, the average computer can take ¾þŸi†»ƒBµÙp°ô7 as input, and guess the original value that was encrypted. We will learn more about computer’s computational powers as we move on.
So, encryption is not the end of the story.
Whetin man go do then?
There are few other tricks. One of them is called Hashing.
Hashing trick is similar to encryption. The main difference between Encryption and Hashing is that:
- In encryption, YOU CAN get a formula that will reverse ¾þŸi†»ƒBµÙp°ô7 back to abc123.
- But in hashing, YOU CAN NEVER reverse ¾þŸi†»ƒBµÙp°ô7 back to abc123.
Some of the Hashing Formulas are
When abc123 is hashed using SHA1 formula, you will get something like below.
Once again, ignore the Blue, Red and Black colors up there
You can see that the format of the hash value is similar to when we used the MD5 formula. But like I said earlier, there is no technique that can convert ‰ü çFPòlÞ±;è¨ÉÕž/ back to abc123. At least in practice.
You might read an article that says:
If you give a bad guy a very powerful computer, and maybe 1 million years of time, she will be able to tell you the original value that was hashed to give 0xA2CB5F7BB85DF88BAFE16ACC20224E2A181E7FA4.
But is one million years time rational?
Needless to say, the above string is the hash value of the word “idiot”., using ShA1 formula (or function or algorithm)
Advantages of Hashing
- You can not reverse the results.
- You don’t need to store any KEY
Now, when internal workers even see this file, there is nothing they can do about it. The GOOD NEWS is, the hashing or encryption formulas are not done by any of the big giants. There is a complete body that does them. The big guys like Facebook, Google, Microsoft will only have to use those encryption or hashing formulas.
There are occasions that they develop their own formulas too for other small companies to use. In such cases too, there are still separate bodies that test to see if there is no kuluulu in the formulas.
We are not done yet! Hackers got smarter too.
They still found a way around hashing. That trick is called Brute-Force Attack. One of the things you need in BF attack is called Rainbow Table(RT). RT is your number one arsenal to over come the Hashing trick.
Brute-Force attack simply means, attack the computer with no sympathy. Don’t sympathize at all, and never stop until you get what you want. If it even have to take you “few” years.
Before talking about Rainbow Table Attack, let’s see something called Dictionary Attack first. That will clear the way for us to see the rainbow colors clearly. Dictionary attack is one of the children of Bruce-Force attack. Another one is the Rainbow Table Attack.
How dictionary attack work is straight forward.
Let’s assume you want to get my password I use for Facebook login
Let’s assume you already know my login email or username
- Pick any dictionary of your choice. I will choose Oxford Dictionary.
- Write every word in the dictionary in an excel file. Let’s assume Oxford Dictionary contains 200,000 words. Your excel file will therefore contain 200,000 words.
- Try my email and the first word in the excel sheet.
- Try my email and the second word in the excel sheet, if the first word is wrong.
- Try my email and the third word in the excel if the first and second words are wrong.
- Keep trying till one matches.
- The one that matches is my passowrd.
That’s it, you’ve hack my Faceook account!
What happens, if my password is not any word in Oxford Dictionary?
For every word, try different combinations.
Example will make it better.
- Assuming you try my email and the password “idiot” and it failed.
- Then try my email and the password “toidi” [thus, reading “idiot” in reverse order”
- If it still doesn’t work, try changing only the position of “i” and “t”. Try all possible permutations of “idiot”
- When done, try the permutation in Capital letters too.
- When all fail, THEN move to the next word in the file and start the different permutations again.
- When permutations of all the words in all the Oxford dictionary fails, try all the words in Longman Dictionary.
- Then try Cambridge dictionary. In short, try all the permutations on all the possible English dictionaries.
- When you still can’t find a match, try all French Dictionaries. Then all Spanish dictionaries. Then all Arabic dictionaries. Then Chinese dictionaries. Then Italian dictionary, then Greek Dictionary, then Latin Dictionary. Then Twi Dictionary, Then Hausa Dictionary, The Dagbanli Dictionary, Then Ga dictionary, then Frafra Dictionary, etc
Still you can’t find a match?
MAHN, THEN JUST GIVE THE FUCK UP! THAT MEANS YOU CAN’T HACK THAT PERSON USING DICTIONARY ATTACK. TRY ANOTHER METHOD.
It’s impossible for human to do the 8 things I just described above. But for computers, it’s possible.
In fact, it’s not a task design for human. You don’t have to spend your time searching for dictionaries and writing words down in excel sheet. That is a task purely for special computers.
What the bad guys do is to buy already made dictionary files from the dark web (thus, Internet black market) and use.
HOW FAST CAN A COMPUTER FIND YOUR PASSWORD USING DICTIONARY ATTACK.
Computer can try 1000 words in a second. OR 10,000. Some might even be able to try one million guesses a second.
Below is an image of how long it will take for a powerful computer to crack my password format. This is not exactly my password, but that is how it appears in terms of Length or complexity.
From the image above, it will take the one of the most powerful computers 11.52 thousand trillion centuries to crack my password. Assuming that computer is able to guess one hundred trillion words per second.
Don’t worry, it doesn’t make sense to me either.
But the lesson we can learn from Dictionary attack is
- Do not use any word in any dictionary on earth, as your password.
- Do not use variations of words in dictionary.
When you follow the above two rules, then no way dictionary attack can get you.
NOW, BACK TO THE RAINBOW ATTACK.
Just as there are already made dictionary files available for sale, there are files too that has hash values of almost all known password on earth. And they are for sale too. Sometimes for free. It’s possible to get the dictionary files too for free.
DIFFERENCE BETWEEN DICTIONARY AND RAINBOW TABLE
If dictionary attack file contains abc134 THEN rainbow table contains both abc123 and the hash value, ‰ü çFPòlÞ±;è¨ÉÕž/
In short, Dictionary has only words. Rainbow table has both the words and their corresponding hash value. They are pre-computed.
HOW DOES RAINBOW ATTACK WORK
- Steal any hashed password file from any system.
- Take the first hash value in the stolen file, compare with the first hash value in your rainbow table.
- If both match, then the corresponding word in the Rainbow Table is the user’s password.
- If both don’t match, then compare the stolen hash value with the second hash value in the rainbow table.
- Keep comparing till you find a match.
That is how Rainbow Attack works. The Rainbow table can contain trillions of common hashed passwords, but computers can go through all quickly. Maybe a day or two.
I will repeat again, the concept is same as Dictionary attack. The difference is
- Dictionary has only words BUT Rainbow table has both the words and their hash values.
- Dictionary has Words or permutations of words from real dictionary BUT Rainbow Table has most common passwords on earth. It could be from dictionary it could be from the moon.
Note: Because of the number of times you will have to try the guessing, Brute-Force attack are normally done OFFLINE. IF you try it on real live computers on the Internet, your IP will be blocked quickly.
That is why on most online system, after 3 or 5 failed attempts, you will be stopped. That stopping is a guide against brute-force attack.
Facebook for instance will start presenting you with some nonsense images, tasking you to identify your friends. They just want to make sure you are real, and not some computer setup to do brute-force attack, whiles the owner is “boilinig” at Kwahu mountains.
HOW FAR CAN WE GO AGAIN?
Not much! We’ve come far in our dive, we need to stop but the problem is, we are still not safe from the bad guys. So how can we stop?
Let’s see 2 more ways the password industry is using to make sure Internal IT Guys or Outside bad guys don’t have access to your password. And even if they do, it will be useless to use it for any harm
THE NEXT TECHNOLOGY IS CALLED SALTING.
The name itself gives a clue. “SALTing”.
In salting, you are only adding little spices to your hashing function. We already know what hashing is.
Salt = Hash + “something else”.
Assuming am too stupid, and my password is “foolish ”
Fine, I am stupid, but the Tech industry as a whole is not stupid.
“12348323” OR “/fd0033gf” OR “boy” or any test will be added to your password before it is saved. Just to make it longer. The longer it is, the stronger it becomes. What is added to the password before it is hashed and saved is called “Salt”.
Therefore when a “boy” salt is added to my password, my password will be “foolish boy”. Salting happens behind the scene, on our behalf, we have no clue.
FINALLY, there is another trick called Slow Hashing.
That is simple too. We won’t spend much time here.
The whole Idea of Slow Hashing is to INTENTIONALLY hashing formulas that are slow in computation. Some formulas are done to be slow. It’s intentional. And there is a good reason for that.
The good news with that slowness is that. It will take a bad guy a long time to go through his dictionary words. That will make his attack slow.
Instead of being able to guess 1,000,000 dictionary words in a second, he will be able to guess say, only 100 in a second.
SO FAR SO LONG
So far we’ve seen the general methods used to store user password. It’s not exhaustive. There are lot more I have no clue.
- Plain Text
- Slow Hashing
One important thing is different companies use different formulas. Some combine two, three or 4 formulas to encrypt or hash the password.
WHAT IS THE SIMPLE LESSON IN ALL THIS
- Saving password in plain text is haram
- Encrypting password is forbidden because it can be reserved
- Hashing alone is not enough
- The current industry practice is salting or slow hashing
So it’s the hash values that FACEBOOK, GOOGLE, YAHOO, MICROSOFT, TWITTER, INSTAGRAM, LINKEDIN, PANACEA, PAYMASTER, your school system, your work systems, websites you login, your IT Guy can see. Not the actual passwords.
And even they themselves can’t reverse the hash value to get the original password you entered.
This is why on every system, you can only reset your lost password to something NEW, but there is no way to get the old password back. Your original password is thrown away. No system saves.
Any system that is able to get you your lost password is a criminal system. Run away from it.
THANKS FOR YOUR TIME.
Feel free to lemme know at the comment section
- Your contribution
- Your comment
- Your criticism
- Your suggestion
- Your correction
We can also get in touch on 0234809010 or on telegram t.me/internetbusiness