this post was submitted on 17 Jul 2023
394 points (88.0% liked)

Programmer Humor

32042 readers
1102 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
[email protected]
[email protected]
394
Creating a password in 2023 be like (programming.dev)
submitted 1 year ago by [email protected] to c/[email protected]
93 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 14 points 1 year ago (8 children)

Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted. You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.

What is hashed? Think of it like a crossfoot of a number:

Let's say you have a number 69: It's crossfoot is (6+9) 15. But if someone steals this crossfoot they can't know the original number it's coming from. It could be 78 or 87.

[–] [email protected] 8 points 1 year ago (6 children)

Dumb question: isn't it irrelevant for the malicous party if it's 78 or 87 per your example, because the login only checks the hash anyway? Won't both numbers succesfully login?

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Additional to what others have said: The "salted" part is very relevant for storing.

There aren't soooo many different hashing algorithms people use. So, let's simplify the hashing again with the crossfoot example.

Let's say, 60% of websites use this one algorithm (crossfoot) for storing your password, and someone steals the password "hashes" (and the login / email). I could ran a program that creates me a list of all possible crossfoots for all numbers for 1 to 100000.

This would give me an easy lookup table for finding the "real" number behind those hashes. (Those tables exists. Look up "rainbow tables")

Buuuut what if I use a little bit of salt (and pepper pepper pepper) before doing my hashing / crossfooting?

Let's use the pw "69" again and use a salt with a random number "420" and add them all together:

6 + 9 + 420 = 435

This hash wouldn't be in my previous mentioned lookup table. Use different salts for every user and at least the lookup problem isn't such a big problem anymore.

[–] [email protected] 3 points 1 year ago

This was super helpful 🙏🏼 sent me down a whole other rabbit hole of learning

load more comments (4 replies)
load more comments (5 replies)