Why Google doesn’t know your password

It may seem weird, but Google doesn’t know your password.

Nor does Facebook, YouTube, Twitter, or any decent web service.

At least, that is the official position.

We all know the scandal from 2019 when it was revealed that Facebook had stored millions of users’ passwords in plain text, searchable by thousands of Facebook employees. Knowing this, one cannot say for certain that Internet companies don’t know your password (perhaps they save it somewhere), but officially, websites shouldn’t know what your password is.

As YouTuber Tom Scott explained in his video, your password shouldn’t be stored on their servers.

That is why, when you forget a password, they do not send it to you – they ask you to type in a new one.

The reason your password shouldn’t be stored on their servers is that it is safer that way.

A hacker or a rogue employee can’t find out what your password is.

This prompts the question: how do they know whether you typed the correct password or an incorrect one when you are logging in?

It is because of “hashing”.

As Tom Scott simplified it, there are certain kinds of math operations that are really easy to do one way but really difficult to reverse.

He used the following example:

11 times 17 equals 187.

This is an example of a math operation that is easy to do one way but difficult to reverse.

For example, if you have the number 187 and need to find out which two prime numbers multiplied together give you that number, you would have to struggle for a bit.

This is the principle behind password hashing: when you type in your password, websites use a hashing algorithm to generate a number, and that number is then saved on their servers – not your actual password.

Like the example above, this is math that is simple to do one way but really difficult to reverse.

Hash functions work one way. Even though you know the hash algorithm, you can’t calculate the input from its output.

That is why, when system administrators and developers first encountered the security problems of password databases stored as plain text, they turned to hashing algorithms for help. What they came up with was: instead of storing your password in a database, they would just store a hash of your password, that is, the number a hashing algorithm generates when it operates on your password. If a hacker steals the user accounts database, they don’t automatically have all the passwords; all they have is a list of hashes.

However, there is a way for a hacker to steal hashes and turn them back into passwords.

Wordfence.com explains how this is done.

For example, let’s say a hacker has stolen a password database and now has the hash of the password that ‘mark’ uses. He wants to know the actual password for the ‘mark’ account, so he takes the word “banana” and runs it through the same hashing algorithm that the password database uses. He ends up with a number and if the number matches the hash in the password database for user ‘mark’, he now knows his password. If it doesn’t match then he tries ‘pear’ and ‘apple’ and ‘ApplePear435’ and progressively more words and more complex word combinations. So to crack a password a hacker needs to take a very large dictionary of passwords and hash each of them, then compare those hashes to what is in the password database he stole and when he gets a match he knows the original password. The problem is that generating hashes of words takes time. Each word might take a few milliseconds to hash. So a hacker needs a very fast computer to do this.
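The storage scheme from the hashing paragraphs above and the guessing loop in the Wordfence quote, as an added Python example that is not part of the original article or of Wordfence’s material. It contrasts the unsalted fast hash the text describes with what a decent site should actually store: a random per-user salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library). The wordlist, the user ‘mark’, the helper names and the iteration count are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the "very large dictionary" the text describes.
WORDLIST = ["banana", "pear", "apple", "ApplePear435", "letmein", "password"]

# PBKDF2 iteration count. An assumption for this example; a real deployment
# picks it from its own latency budget and current published guidance.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: trivial to compute forward, infeasible to invert directly.

    This is the naive "store the hash, not the password" scheme the text describes.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guess_from_wordlist(stored_hash: str, wordlist) -> Optional[str]:
    """The loop from the Wordfence quote: hash each candidate and compare.

    Against an unsalted fast hash, one pass over the wordlist serves every
    stolen hash at once, which is why such a database falls quickly.
    """
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate), stored_hash):
            return candidate
    return None


def make_record(password: str) -> dict:
    """What a decent site stores: a random per-user salt and a slow, salted hash.

    The plaintext password never appears in the record.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_login(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def audit_record(record: dict, wordlist) -> Optional[str]:
    """Defender-side audit: does this user's record match a common password?

    Each guess costs a full PBKDF2 run, and the salt means the work cannot be
    shared across users; that per-guess cost is the whole point of a slow hash.
    """
    for candidate in wordlist:
        if verify_login(record, candidate):
            return candidate
    return None


def record_contains_plaintext(record: dict, password: str) -> bool:
    """True if the stored record leaks the password itself (it should never)."""
    return any(password == v or password in str(v) for v in record.values())


if __name__ == "__main__":
    stolen = fast_hash("banana")  # what a leak of the naive scheme hands over
    print("unsalted hash recovered as:", guess_from_wordlist(stolen, WORDLIST))

    mark = make_record("banana")  # constructed record for user 'mark'
    print("stored record:", mark)
    print("login with 'banana':", verify_login(mark, "banana"))
    print("login with 'Banana':", verify_login(mark, "Banana"))
    print("audit finds weak password:", audit_record(mark, WORDLIST))
```

Two things the record shows that the prose only states: the stored row holds a salt, an iteration count and a digest, and nothing a reset flow could e-mail back to you; and two users with the same password get different digests, so a single pass over a wordlist no longer matches every account at once. The salt does not stop guessing against one weak password, it only prevents shared work; the iteration count is what turns the few milliseconds per word in the quote into a cost the defender chooses.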
