Schedule a visit online now

Information Technology

Updates from the Web

MSC Southeast's computer and Web chronicles

We don't have your password

(Tech Tips) Permanent link

Neither does anyone else - if they are legitimate.

The news about user accounts being stolen from Google, Home Depot, and others, it can be very unnerving. However, good sites don't actually store passwords. They only store a representation of them. Even if your information is stolen, it doesn't mean your password is exposed.

How it works

 

 

Digging Deeper

There are a number of techniques used, but they all use the same basic premise. Here is one of the most common techniques.

When you put in your password into an online account, the password is run through an algorithm. That is, a mathematical calculation is performed. The result is what is saved in the database instead of your password.

The cool part - (getting a bit geeky here)

The result of these mathematical algorithms (you should drop that phrase at your next party), is called a hash. If you use the same type of technique very time, then the same string of characters will always result in the same hash.

For example, using one technique, the password "qwerty123" will always be converted to the hash "2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=". If you use a better password, like "Five5For5Fighting!Google", you get the hash "gsOnlRB5/7LGOSyNTnQjjolSpqumI9UsT5/uNYgnM6A=".

It is this longer string that is saved in the database. If a hacker steals the database information, they can't tell by looking at the hash what your password is. Hashes can't be reversed.

To find out if you used the right password, the website simply runs the same algorithm to check the password. If it matches the hash in the database, you used the right password.

Putting the hash in the password field would result in a completely different hash, so it wouldn't work. So, if you were to put in the qwerty123 hash (2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=) in the password field, you actually get "G4AAO88pl0kITda+I20eX69Pxk6lHGFzfC3l53NF2Ew=" back. It doesn't match, so the hacker can't get in.

Getting a bit more secure

To make things even more difficult for hackers, websites use what is called a salt. This is a string of random characters only the site/database owner knows. This is added to your password before it is turned into a hash. Even if the hacker knows what algorithm is used, without the salt, the hacker can't figure out what the hash should be.

With the salt, the whole thing is really pretty sweet.

What we do at Southeast Technical

More robust systems, such as ours, don't use this technique specifically. We have the benefit of our StarID system. We don't store your password, or its hash. Instead, we have a connection that validates your StarID/password with the State's StarID system.

This is a similar technique used by other government agencies. It allows us to greatly insulate your information from hackers.

Final thought

The techniques outlined above are used by professionals in the Web and security industries. Some, less professional, sites don't use these techniques at all.

It is hard to tell what sites use these techniques and which do not. This is why you should never reuse passwords. If they get your password in one place, it shouldn't work anywhere else - they will certainly try!

Extra links

Find out if your Gmail has been hacked with Is my email leaked site.

Learn about Google's Security Settings (you need to log in first).


© 2017 Minnesota State College Southeast

RED WING CAMPUS | 308 Pioneer Road | Red Wing, MN 55066 | 651-385-6300
WINONA CAMPUS | 1250 Homer Road | Winona, MN 55987 | 507-453-2700

Minnesota State College Southeast is an affirmative action/equal opportunity educator and employer. ADA accessible. MSC Southeast is committed to a policy of nondiscrimination in employment and education opportunity. No person shall be discriminated against in the terms and conditions of employment, personnel practices, or access to and participation in, programs, services, and activities with regard to race, sex, color, creed, religion, age, national origin, disability, marital status, status with regard to public assistance, or sexual orientation. In addition, discrimination in employment base on membership or activity in a local commission as defined by law is prohibited.

 

Minnnesota State Logo

Minnesota State College Southeast
A member of Minnesota State

This document is available in alternative formats to individuals with disabilities by calling 877-853-8324 or 507-453-2700.