How companies store your passwords

aydogdy (57) · 7 years ago

For the password to remain only your secret, it is usually enough to follow three simple rules. Not to try to come up with short easy-to-remember passwords, do not use the same password for different sites, do not enter passwords on computers you can't trust. I like the method of Bruce Schneider, expert and author of books on information security and cryptography. It suggests using sentences that turn into a password. For example, "This little piggy went to market" can do something like "tlpWENT2m". A nine-character password that will not be in any dictionary.

$1.54

klorine (25) · 7 years ago

Actually the nine character password also be used in a dictionary by adding some rules of combination. The whole content from wikipedia can be downloaded and added all to a dictionary. Even social media posts and comments can be scrapped and used in a dictionary.

$0.00

kiefpreston.com (64) · 7 years ago

thats true and scary AF

$0.70

wanuma (26) · 7 years ago

Well your password, however strong it is as weak as any webservice's security and password handling capabilities. If they use a http site to transfer your password and do like what twitter did in logging the password before encrypting it, or worse just save it as it is on their server then you are doomed.

So the first rule is USE HTTPS EVERYWHERE EXTENTION AND NEVER USE THE SAME PASSWORD ON DIFFERENT SITES.

$0.00

all-life (45) · 7 years ago

Reading this article reminds me of the recent breach of Twitter (although I believe the passwords were properly hashed but the deciphering key was compromised?!)

$0.23

rockz (51) · 7 years ago

hehe yeah, it was the reason I wrote this article.
No in hashing is no deciphering key. A deciphering key only exists in encryption systems that work on both sites, but as explained you only can hash plain to hash. Hash to plain is not possible, therefor no deciphering exists in hashing.

The problem with twitter was, that they are logged the password before they hashed it.
Like this:

User enters password as plaintext -> send to twitter server -> LOGGED PASSWORD as plain (they should not do that) -> hashed the password -> notify the user if password was correct or not.

all-life (45) · 7 years ago

Thank you very much for the detailed explanation, now I understand exactly what happened at Twitter.
BTW that reminds me that I should change my password there ASAP :)

$0.16

diya28 (53) · 7 years ago

I always forget my passwords:(

$0.17

rockz (51) · 7 years ago

hehe try using https://keepassxc.org/
This should help you! :)

$0.00

klorine (25) · 7 years ago

I use LastPass to remember my passwords because I sign up at so many sites everyday and I can't use same password for each one of them plus I need to be very strong, so it does the job for me.

$0.00

positivethink (47) · 7 years ago

I always try to read your writing, but today's writing is more helpful than the other day. Because the password is the key to online security. Hopefully the text will be useful for everyone

$0.10

4 votes

creativeidea (50) · 7 years ago

@creativeidea says, My Friends! @rockz Thank you so much for informing everyone by posting Password Help. Often password hacking is heard so everyone should use the complex word password.

$0.10

3 votes

janemorane (73) · 7 years ago

wow like really it important information i have heard for the first time

Even if now an attacker or employee steals the password database its useless for them since they cant generate the passwords from the hashes.
like really ??

rockz (51) · 7 years ago

Yeah, the only way an attacker has to obtain the password is to hash and check it character by character.
This is called brutforce attack. And this needs a lot of computing power. You can check here how long it would take to bruteforce your password approx.: https://howsecureismypassword.net/

$0.00

janemorane (73) · 7 years ago

ohh ok thanks :)

powerhd (42) · 7 years ago

great and helpfull post

mdsolehinsabtu (29) · 7 years ago

Ah isn't this concept the bedrock of blockchain technology too? SHA256 seems to lit some of my lightbulbs.

rockz (51) · 7 years ago

Yeah hashing also plays a huge part in blockchain tech.
For example you can generate a public key from a private key but never vice versa. Otherwise all wallets could be hacked. :)

$0.00

gpalav (49) · 7 years ago

Hash is appropriate, but maybe in future we'll see more security implemented like OTP, Fingerprints, Biometrics, etc etc clubbed with eachother for more security.

wuxing (44) · 7 years ago

The original can also be like this, learning

msena (60) · 7 years ago

Great information...at first time i read about it how companies store my password. Really awesome system to store our password. Thanks a lot sir @rockz for sharing the valuable information.

xawi (71) · 7 years ago

Very informative @rockz like we when we send messg to anyone through wallet so we use hash tag space and then messg so messg encrypted no one can see it's like that?