It may seem weird, but Google doesn’t know your password.
Nor do Facebook, YouTube, Twitter, or any other decent web service.
At least, that is the official position.
We all know the scandal from 2019 when it was revealed that Facebook had stored millions of users' passwords in plain text, searchable by thousands of Facebook employees. Knowing this, one cannot say for certain that Internet companies don't know your password (perhaps they save your passwords somewhere), but, officially, websites shouldn't know what your password is.
As YouTuber Tom Scott explained in his video, your password shouldn't be stored on their servers.
That is why when you forget a password, they do not send it to you – they ask you to type in a new one.
The reason your password shouldn't be stored on their servers is that it is safer that way.
A hacker or a rogue employee can’t find out what your password is.
This prompts the question: how do they know whether you typed the correct password or an incorrect one when you are logging in?
It is because of "hashing".
As Tom Scott simplified it, there are certain kinds of math operations that are really easy to do one way but really difficult to reverse.
He used the following example:
11 times 17 equals 187.
This is an example of a math operation that is easy to do one way, but difficult to reverse.
For example, if you have the number 187 and you need to find out which two prime numbers multiplied together give you that number, you would have to struggle for a bit.
This is the principle behind password hashing: when you type in your password, the website runs it through a hashing algorithm to generate a number, and that number is then saved on their servers, not your actual password.
Like the example above, this is math that is simple to do one way but really difficult to reverse.
Hash functions work one way. Even if you know the hash algorithm, you can't calculate the input from its output.
That is why, when system administrators and developers first encountered the security problems with password databases stored as plain text, they turned to hashing algorithms for help. What they came up with is this: instead of storing your password in a database, they would store only a hash of your password, that is, the number that a hashing algorithm generates when it operates on your password. If a hacker steals the user accounts database, they don't automatically have all the passwords; all they have is a list of hashes.
However, there is a way for a hacker to steal hashes and turn them back into passwords.
Wordfence.com explains how this is done.
For example, let's say a hacker has stolen a password database and now has the hash of the password that 'mark' uses. He wants to know the actual password for the 'mark' account, so he takes the word "banana" and runs it through the same hashing algorithm that the password database uses. He ends up with a number, and if the number matches the hash in the password database for user 'mark', he now knows mark's password. If it doesn't match, then he tries 'pear' and 'apple' and 'ApplePear435' and progressively more words and more complex word combinations. So to crack a password, a hacker needs to take a very large dictionary of passwords and hash each of them, then compare those hashes to what is in the password database he stole, and when he gets a match he knows the original password. The problem is that generating hashes of words takes time. Each word might take a few milliseconds to hash. So a hacker needs a very fast computer to do this.
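To make the two mechanisms above concrete, here is an added Python example (not code from the article, Tom Scott, or Wordfence) that stores only a hash at registration, verifies a login by re-hashing what was typed, and runs the same hash-and-compare check the Wordfence passage describes as a defender's audit for weak passwords. The user names and passwords are constructed, and SHA-256 is used only to keep the example short.

```python
import hashlib
import hmac


def hash_password(password: str) -> str:
    """One-way step: the site keeps this hex digest, never the password.
    SHA-256 keeps the example short; real password storage uses a
    deliberately slow, salted hash so each guess costs far more time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Store only the hash of the password, as the article describes."""
    db[username] = hash_password(password)


def login(db: dict, username: str, password: str) -> bool:
    """Hash what the user typed and compare it with the stored hash.
    compare_digest avoids leaking information through timing differences."""
    stored = db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))


def audit_weak_passwords(db: dict, dictionary: list) -> dict:
    """Defender's check mirroring the Wordfence explanation: hash each
    dictionary word once, then see which stored hashes match one of them.
    Returns {username: matching_word} for every account that should be
    forced to pick a new password."""
    lookup = {hash_password(word): word for word in dictionary}
    return {user: lookup[h] for user, h in db.items() if h in lookup}


def build_sample_db() -> dict:
    """Constructed sample accounts (hypothetical users and passwords)."""
    db = {}
    register(db, "mark", "banana")
    register(db, "alice", "correct horse battery staple")
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print(login(db, "mark", "banana"))   # True
    print(login(db, "mark", "pear"))     # False
    print(audit_weak_passwords(db, ["pear", "apple", "banana", "ApplePear435"]))
```

Note that the stored value for 'mark' is the digest of "banana", so the database never contains the word itself, yet the audit finds it in a single pass because the word is in the dictionary.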