MariaSharpie
Password management 101 for non-technical users
« on: September 30, 2018, 01:42:15 pm »
First and foremost, passwords should never be sent from the user's computer to the server in plain text. Some sort of hashing (I'll explain what that is later) on the user-facing part of the system is required when sending the data over, to prevent people spying on the communication as it passes through the routers, or at least to make their life much more difficult. This means the server has no way of knowing what the original password is by the time it receives it.


Next, when the "messed up" password is received by the server, it will have to hash it again. Hashing means taking the data and putting it through an algorithm to generate a random bunch of characters. It differs from encryption in that it's one-way, which means that while you can decrypt an encrypted text, you can't de-hash a hashed text.


An additional layer of security termed salting might be applied too. This is basically a bunch of random characters that are generated for, and unique to, every user (called a salt). The purpose of the salt is to be mixed with the original "messed up" password received by the server before it is hashed. The reason for this is that if a hacker accesses the database and downloads a list of all the passwords that are hashed but not salted, seeing a bunch of identical ones will tell them that the passwords are the same for all those users, more often than not common passwords like "Password1" (capital P, password, 1; sounds familiar?). This salt can be stored in plain text, as the hacker wouldn't know how it's applied to the "messed up" password.

More at https://www.prolificskins.com/single-post/2018/09/30/Password-management-101-for-non-technical-users
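Added example, not part of MariaSharpie's post or the linked article: a small Python script that stores the same constructed set of users twice, once with a bare SHA-256 hash and once with a per-user random salt, and then shows what an attacker holding a dumped table can read off each version. The salted store goes one step beyond the post by mixing the salt in through PBKDF2-HMAC-SHA256 (a deliberately slow hash from Python's standard `hashlib`) rather than a single fast hash; the user names, passwords and iteration count are constructed for the example. The salt is stored next to the hash in the clear, as the post describes.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample users. "Password1" is deliberately shared by two of them
# so the weakness of unsalted storage is visible in the output.
SAMPLE_USERS = {
    "alice": "Password1",
    "bob": "Password1",
    "carol": "correct horse battery staple",
}

# Assumed work factor for the example; OWASP currently suggests ~600k for PBKDF2-SHA256.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme from the post: plain SHA-256 of the password, no salt.
    Identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted scheme: the per-user salt is mixed into PBKDF2-HMAC-SHA256.
    The iteration count makes each guess expensive for an offline attacker."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return digest.hex()


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, hash_hex) exactly as they would be written to the user table.
    A fresh 128-bit salt is drawn from the OS CSPRNG unless one is supplied (tests)."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)


def verify(password: str, salt_hex: str, stored_hash_hex: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash_hex)


def duplicate_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """What an attacker with a dumped {user: hash} table can see without cracking
    anything: groups of users whose stored hash is identical."""
    groups: Dict[str, List[str]] = {}
    for user, h in store.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_stores(users: Dict[str, str] = SAMPLE_USERS):
    """Build both table variants for the same users."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted table, users sharing a hash:", duplicate_groups(unsalted))
    print("salted table, users sharing a hash:  ",
          duplicate_groups({u: h for u, (_, h) in salted.items()}))
    print("alice logs in with 'Password1':", verify("Password1", *salted["alice"]))
    print("alice logs in with 'password1':", verify("password1", *salted["alice"]))
```

Running it shows alice and bob grouped together in the unsalted table (the attacker learns they share a password before guessing it) and no groups at all in the salted table, while `verify` still accepts the right password for each user. The salt buys uniqueness, not secrecy; the iteration count is what makes each guess against a leaked record expensive.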