Post 9tZ82PKlYh9tfktLE0 by trawzified@fosstodon.org
(DIR) Post #9tZ7Cmx2VMnNrVBCyG by kev@fosstodon.org
2020-03-31T11:53:27Z
0 likes, 3 repeats
I imagine most people here already know this, but just in case you have ever wondered how websites check your password without actually knowing your #password, here's how. 🙂 https://kevq.uk/how-websites-check-your-password/
(DIR) Post #9tZ82PKlYh9tfktLE0 by trawzified@fosstodon.org
2020-03-31T12:02:23Z
0 likes, 0 repeats
@kev I think it's pretty important to also mention encryption here. Hashing alone isn't a safe way to store passwords, there are tons of rainbow tables around.
(DIR) Post #9tZ87gDIEETjTGuUTY by kev@fosstodon.org
2020-03-31T12:03:41Z
0 likes, 0 repeats
@trawzified like said in the conclusion section, this isn't an all-encompassing post on how password security works. It's basically an intro to hashing. That's why it doesn't mention collisions, other algorithms, or salting etc.
(DIR) Post #9tZ8Avhj5fFkNrh8Jk by trawzified@fosstodon.org
2020-03-31T12:04:07Z
0 likes, 0 repeats
@kev Ah, right.
(DIR) Post #9tZBgtJBphPO5C9MHo by FrankS@fosstodon.org
2020-03-31T12:42:46Z
0 likes, 0 repeats
@kev To me, this explanation falls short one step. Can I not intercept the hash of a password and use this value to authenticate?
(DIR) Post #9tZCVBt91kpWBcx6DQ by kev@fosstodon.org
2020-03-31T12:52:48Z
0 likes, 0 repeats
@FrankS no, because the hash is never exposed to the user. You potentially could if you had compromised the server, but again, this article wasn't about MiTM attacks. It's a basic overview of how hashing and authentication work.
(DIR) Post #9tZDYYforxOPfytBdw by FrankS@fosstodon.org
2020-03-31T13:04:35Z
0 likes, 0 repeats
@kev So the transfer of the hash is protected by encryption (like SSL)?
(DIR) Post #9tZEdYa6jt3enCAHSa by CLLCT@fosstodon.org
2020-03-31T13:16:42Z
0 likes, 0 repeats
@kev of course I kno....nope no clue...interesting read thank you....
(DIR) Post #9tZEpmc6OT2lmsvZo0 by brad@toot.cafe
2020-03-31T13:18:50Z
0 likes, 0 repeats
@kev only Great article :). But, because I’ve been reading up on a type of password authenticated key exchange called secure remote password ... it might be fairer to say “without _storing_” rather than “without knowing”. Doesn’t your password make it to the server as plaintext before hashing? At that point you could say that the server sorta “knows” it. Pedantic, I know, but I’ve been struggling to get my head around this stuff and I’m hoping it’s worth it :P
(DIR) Post #9tZGVnW3Wp5ehehJE8 by brad@toot.cafe
2020-03-31T13:37:49Z
0 likes, 0 repeats
@kev Great article :). But, only because I’ve been reading up on a type of password authenticated key exchange called secure remote password ... it might be fairer to say “without _storing_” rather than “without knowing”. Doesn’t your password make it to the server as plaintext before hashing? At that point you could say that the server sorta “knows” it. Pedantic, I know, but I’ve been struggling to get my head around this stuff and I’m hoping it’s worth it :P
(DIR) Post #9tZKUm0e2ngHYclwkC by kev@fosstodon.org
2020-03-31T14:22:23Z
0 likes, 0 repeats
@FrankS no. The hash is never transmitted from the user to the server. The password is, then this is hashed by the server, which is then compared to the stored version. Passwords can be intercepted if a site isn't using encryption, that's why TLS is so important. I wrote about that too: https://kevq.uk/why-https-is-important/
(DIR) Post #9tZKfMTNKSRjXhG9bM by kev@fosstodon.org
2020-03-31T14:24:15Z
0 likes, 0 repeats
@brad yeah, the server has to kinda know at some point, as it needs to hash the plaintext input. As long as the site supports TLS though, the password should be protected during transmission. I didn't want to go too technical in the article - it's important for people to understand the basics of how all this works (I think), so they can better protect themselves. If I went too technical, it would be boring for many readers. 🙂
(DIR) Post #9tZxbqdz6krgAdXOQi by skunksarebetter@fosstodon.org
2020-03-31T21:40:51Z
0 likes, 0 repeats
@trawzified @kev Services usually don't use encryption for password safekeeping since it's reversible. For simple applications hashing with a random salt is good enough. For secure things key derivation algorithms like PBKDF2 or Argon are used. These algorithms effectively hash the password hundreds to millions of times while using extra memory which makes the speed at which a GPU or ASIC could brute force it drastically slower while not imposing too much of a penalty for genuine applications.
(DIR) Post #9tZxrqq09fuFPAmzsu by skunksarebetter@fosstodon.org
2020-03-31T21:43:45Z
0 likes, 0 repeats
@trawzified @kev Both techniques use salts, which are cryptographically random strings of bits that are hashed with the password. Salts are very useful since they do not need to be kept secret, unlike encryption keys. I should mention that I'm not a cryptographer, this is just stuff that I've accumulated by learning about cryptography outside of a professional/academic environment.
(DIR) Post #9tZyEBDF5AqSy2J6G0 by skunksarebetter@fosstodon.org
2020-03-31T21:47:43Z
0 likes, 0 repeats
@trawzified @kev Important thing that I forgot to mention: each salt is unique to each user. If each salt is unique then rainbow tables are ineffective, since the same password will never hash to the same value since they use different salts. Also, the salts must be random and not the username, otherwise other types of rainbow tables can be used (like one for the admin salt).
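The per-user random salt and iterated key derivation described in the three posts above, as an added example that is not part of the thread: it stores a PBKDF2-HMAC-SHA256 verifier next to its salt and shows that two users with the same password end up with different stored values, while an unsalted hash is identical for both. The function names, the iteration count and the sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this demo; tune it to your own hardware and latency budget.
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """Plain hash: the same password always gives the same digest,
    so a precomputed (rainbow) table for common passwords applies to every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str) -> dict:
    """Build what the server stores: a fresh random salt, the work factor and the derived key.
    The salt is not secret; it only has to be random and unique per user."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = create_record("hunter2")
    bob = create_record("hunter2")
    print("unsalted digests equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted records equal:  ", alice["hash"] == bob["hash"])
    print("alice login ok:        ", verify("hunter2", alice))
    print("wrong password ok:     ", verify("hunter3", alice))
```

PBKDF2 raises only the CPU cost per guess; memory-hard functions such as Argon2 or scrypt also raise the memory cost.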
(DIR) Post #9tcVedZDy8mTEwjT7Y by Nathanrmays77@fosstodon.org
2020-04-02T03:10:42Z
0 likes, 0 repeats
@kev I actually did not know that fact. I'm familiar with the hashing concept from Nandroid backup verification, is that loosely the same concept?
(DIR) Post #9tcj29DVlEDbSs7KYC by kev@fosstodon.org
2020-04-02T05:41:33Z
0 likes, 0 repeats
@Nathanrmays77 it is. The other way in which hashing is commonly used, is file integrity checks. So once you have a known good file (like a backup) generate a hash. If the file subsequently changes via corruption etc. the hash would change too. So if you ever need your backup, download it, generate a hash and compare them. If they match, you know the backup is good. This is also why things like ISO image downloads often display their hash too.