this post was submitted on 17 Dec 2025
22 points (100.0% liked)

Explain Like I'm Five

I know you gotta store the passwords hashed but doesn't that just move the goalposts? How come someone can't use the hashed end result to get into the service it was used for?

[–] emb@lemmy.world 8 points 1 day ago* (last edited 1 day ago)

Hash functions only work in one direction. By design, the outputs are not unique, so you can't reverse it. For example, a simplified version might take any number and map it to a 1-digit number. So if you saw the result was 3, you can't know if the original number was 976 or 2265.

Everything in security does just move the goalposts though, you're right.

You can't really use the hashed password to impersonate, because whatever server logic is there to authenticate users will hash it again. But the output from that, a token or cookie or whatever, can sometimes be grabbed and used maliciously. They usually have short lifetimes before they need to be refreshed, but beyond that I don't know how the mitigations work tbh.

Another potential problem is attackers getting the hash and comparing it to hashes of common passwords, dictionary words, etc. They apply 'salt' (changes to the password before hashing) to try and make this harder.
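A toy server written as an added example (not from the original post) to show the two points above: the server re-hashes whatever the client sends, so submitting the stored hash as if it were the password fails, and a per-user random salt makes two users with the same password store different hashes, so one precomputed table of common-password hashes no longer matches everyone. The usernames, the password "hunter2" and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo setting: real deployments use far more iterations (or argon2/bcrypt).
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store only a fresh random salt and the resulting hash; never the password."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def login(db: dict, username: str, candidate: str) -> bool:
    """Server-side check: re-hash whatever the client sent, compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def demo() -> dict:
    """Run the scenario from the thread and return the observed outcomes."""
    db = {}
    register(db, "alice", "hunter2")
    register(db, "bob", "hunter2")  # same password as alice (constructed)
    leaked_hash = db["alice"][1].hex()  # what an attacker would get from a DB leak
    # Unsalted hashing for contrast: identical passwords give identical hashes,
    # which is exactly what a precomputed table of common passwords exploits.
    unsalted = {u: hashlib.sha256(b"hunter2").digest() for u in ("alice", "bob")}
    return {
        "correct_password_works": login(db, "alice", "hunter2"),
        "replaying_stored_hash_fails": not login(db, "alice", leaked_hash),
        "salted_hashes_differ": db["alice"][1] != db["bob"][1],
        "unsalted_hashes_collide": unsalted["alice"] == unsalted["bob"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```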