A password is used to log in to most websites and services. But why do people tell you that “potato” isn’t a good password to use? And why should you use a different password for every website?
Technical basis
I’ll keep this section short, but there’s a few things you *need* to know for this part.
Hash function
Don’t worry, this isn’t math. The theory behind it is math, but I’ll try to skip most of it.
First, we’ll explain what a *hash value* is. A hash value is a kind of word with a fixed amount of characters. Here, we’ll use a popular hash value length of 16 characters. An example of such a hash value looks like this:
c257d3eea046aff0d2613da918ca424d
It doesn’t make any sense to a human, it’s just the result of a mathematical calculation.
This hash value is the result of a so-called hash function. A hash function is nothing more than a mathematical function that asks for anything, usually a word, sentence or even a password, and uses it mixed with some black magic to generate a hash value. Examples include:
- Using potato gives you 8ee2027983915ec78acc45027d874316
- Using password gives you 5f4dcc3b5aa765d61d8327deb882cf99
- Using very-complicated-password-1234 gives you 158a09c78b85b0116b81be315e56f749
As you can see, even if we use a long password, the length of the hash value doesn’t change. Why is this useful? Imagine this:
Say you have a hash value length of just 1 character. Say the words potato and password both result in a hash value of B. Now, if you just saw this B, could you tell me which word was used?
No, you couldn’t, and that’s the most important thing we use hash functions for. Every hash value has an infinite amount of words that have it as result. If I gave you the hash value from the beginning, could you tell me which word I used? No, no one can. The only way to get to the hash is to know what word I used.
(Note: I said there are an infinite number of words that result in the same hash value, and that’s true, but there are a *lot* of combinations you’d have to try. For the most popular hash function you’d need to try 13,407,807,929,942,597,099,574,024,998,205,846,127,479,365,820,592,393,377,723,561,443,721,764,030,073,546,976,801,874,298,166,903,427,690,031,858,186,486,050,853,753,882,811,946,569,946,433,649,006,084,096 different words before you have a chance (which is close to the amount of atoms in the universe), so attempting it is futile. If you’re feeling smart, do try to find out what sentence I used at the beginning. The hash function is called MD5.)
The useful part
That was a lot of math, wasn’t it? Let’s ease up now. To sum up:
- A hash function uses a word or sentence to turn it into a word (hash value) with a fixed length.
- If you have just the hash value, you have no way of knowing what word we started with.
Some of you might say “But wait a second! You listed some above, so I know for sure that 8ee2027983915ec78acc45027d874316 is the hash value of potato!” And yes, you’re completely right! This is an important point and we’ll get back to it later.
What are hash functions useful for? Imagine this: You log into a website with a username and a password, which saves both. The website data gets out somehow, and now you have your password on the internet. Ugh.
But imagine if the website didn’t save your password, but just the hash value of your password! That way, if the data got out, no one would know your password because they just knew the hash values (and remember, you can’t know what word it was generated with)! In fact, this is how websites these days work.
- You register on a website with a password.
- The website generates the hash value of your password, and saves that.
- When you login again, you input your password.
- The website generates the hash value of the password you entered and compares it to the saved hash value.
- If they’re the same, congrats, you got in!
Now, if you can’t know the word that was used, why do we need to use good passwords? I can just use potato, and no one will know because the password is hashed! Right?
…but wait a second. I listed the hash value of potato up there. It’s no longer secret. If people just search for 8ee2027983915ec78acc45027d874316, they will find this and know it’s the result of potato!
This is how it works in the real world. Surely you have seen articles about “These are the 10 most used passwords” and so on. All the evil people do is take a list like that (for example this one), generate the hash value of each of them, and then they have a list! Try it yourself here! Take each of the hash values in the list above and paste them into the site. You’ll see that only one of them cannot be found, and that is the long complicated password! (of course, at some point the website will find it, because I just posted it here.)
I didn’t even have to tell you, because you just saw with your own eyes that more complicated passwords are more secure!
Different passwords
Now, why should you use different passwords on different sites? Because, as it turns out, programmers are lazy. Why use this fancy pants hash thing if you can just save the password? No one will hack us anyways, right?
…even the best hash function can’t save you if it isn’t used.
Summary
- Use secure passwords, for example using this generator.
- Don’t reuse passwords – if just one site doesn’t use hashes, your precious password will be at risk!
- If a site can send you your password (for example through email), then they’re storing it instead of using a hash function! Consider not using the site and make sure you don’t use the password anywhere else.
Technical disclaimer
(this is no longer part of the article, it is just some technical details about the article)
- I used MD5 because even though it’s evil, it’s short and digestible by a beginner.
- The number of tries was generated by using the bit count of SHA-512 and equates to 2512.
- If you ever find out what I used for the hash at the beginning, email me and I’ll make sure to list you here.