Passwords can never be cracked
- March 27, 2021
- Posted by: MySuperAdmin
- Category: Uncategorized
Today’s methods of storing passwords are so advanced that cracking them is practically impossible; on the other hand, it is also true that approximately 160,000 Facebook accounts are compromised every single day. To understand how this happens, we first need to understand how passwords are stored.
How the passwords are stored
When you fill in the signup form on any site and hit submit, all the data you entered goes to that site’s database. A database is much like a collection of rows and columns where all the data is stored in a structured and organized manner. All the information is stored as it is, but not the password. What about the password, you might ask? The problem is that if someone by any chance gets access to the database, they will learn all the passwords. Therefore, passwords cannot be stored in raw text. Then how do we store them? The solution is hashing.
Hashing:
Before a password is stored, it is given to a hashing algorithm, which takes a string of text as input and generates an output (also called a “hash”) that may look random but is not. The special property of this output is that, firstly, it is unique for each string of text and, secondly, it is irreversible, which means that someone holding the hash can never get back to the original text. There are many different hashing algorithms, such as MD5 (an old one) and SHA256.
Example of a SHA256 Hash:
“hello world” : b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
So every time someone hashes the text “hello world” with the SHA256 algorithm the output is always the same, and there is no practical way to know that this hash refers to “hello world” if you don’t know it beforehand.
Nice! Now we have a form of the password that is safe to store and still lets us authenticate the user. When logging in, the hash of the password entered on the login page is compared with the hash stored in the database. If they are the same, the password entered is considered correct and the user gets access.
This method is used wherever something confidential needs to be stored. Since hashes are not reversible, the only way to log in is to know the password, which is not stored in raw text (at least not on the server), so there is no chance of someone getting your password. Hence, if you take precautions, passwords literally become uncrackable.
So the question now arises: if this is the case, how are passwords compromised? Hackers know that the only ways to get hold of a password are either to trick the user into giving up the real password or to guess it themselves.
Brute forcing and dictionary attacks are examples of guessing attacks. In this type of attack, many possible passwords (a collection of these passwords is called a wordlist) are hashed and then compared with the original hash of the password. If they match, the text that produced that particular hash is the password.
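The signup, login and wordlist-guessing steps described above, as an added Python example that is not from the original post. The “database” is a plain dictionary, and the sample passwords and the wordlist are constructed for the demonstration; the hash is unsalted SHA-256 to match the text.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

def hash_password(password: str) -> str:
    """Hash a password with SHA-256, as the post describes (no salt, to match the text)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def store_password(db: Dict[str, str], username: str, password: str) -> None:
    """Simulated signup: only the hash reaches the 'database' (a dict here)."""
    db[username] = hash_password(password)

def verify_login(db: Dict[str, str], username: str, password: str) -> bool:
    """Simulated login: hash the submitted password and compare with the stored hash.
    compare_digest avoids leaking information through comparison timing."""
    stored = db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))

def guessable_from_wordlist(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """The guessing attack from the post: hash each candidate and compare it
    with the stored hash. Returns the matching candidate, or None if absent."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate), stored_hash):
            return candidate
    return None

# Constructed sample wordlist for the demonstration.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hello world"]

def demo() -> dict:
    """Run the whole flow and return the observable results."""
    db: Dict[str, str] = {}
    store_password(db, "alice", "password")   # weak: appears in the wordlist
    strong = secrets.token_urlsafe(16)        # long and random: not in any wordlist
    store_password(db, "bob", strong)
    return {
        "hello_world_hash": hash_password("hello world"),
        "alice_login_ok": verify_login(db, "alice", "password"),
        "alice_wrong_pw": verify_login(db, "alice", "Password"),
        "alice_guessed": guessable_from_wordlist(db["alice"], WORDLIST),
        "bob_guessed": guessable_from_wordlist(db["bob"], WORDLIST),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak password is recovered from the tiny wordlist while the long random one is not, which is exactly why the length and randomness tips below matter.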
However, this method requires a lot of time, resources and luck as well. A better way that hackers have found is phishing the targeted victim. In a phishing attack, a fraudulent attempt is made to obtain sensitive information or data, such as usernames and passwords, by impersonating a trustworthy person or site that the victim would share the information with.
If you make a fake Facebook page and convince someone to log in there, that is called phishing.
How can one defend themselves from such attacks?
Here are five simple tips you can follow:
- Keep your password as long (8-20 characters) and as random as you can, and try using special characters in it to make it much harder to guess, e.g. “P@$$w0rD!”
- Always log in only on devices that you trust and believe are safe.
- Enable 2-Step Authentication on important accounts.
- Try keeping different passwords for different accounts; this helps because if any one password is compromised, the other accounts stay safe. You can try remembering them or use a trusted password manager, but never store them in raw text anywhere.
- Never auto-save passwords, and always log out before leaving the system.
Following these methods will surely increase your security.
By Harsh Kumar – 10D – DPS Nadergul