this post was submitted on 17 Jul 2023
421 points (88.6% liked)
Programmer Humor
32464 readers
132 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yeah, you actually better not save the users passwords in plain text or in an encrypted way it could be decrypted. You rather save a (salted) hashed string of the password. When a user logs in you compare the hashed value of the password the user typed in against the hashed value in your database.
What is hashed? Think of it like a crossfoot of a number:
Let's say you have a number 69: It's crossfoot is (6+9) 15. But if someone steals this crossfoot they can't know the original number it's coming from. It could be 78 or 87.
Dumb question: isn't it irrelevant for the malicous party if it's 78 or 87 per your example, because the login only checks the hash anyway? Won't both numbers succesfully login?
Additional to what others have said: The "salted" part is very relevant for storing.
There aren't soooo many different hashing algorithms people use. So, let's simplify the hashing again with the crossfoot example.
Let's say, 60% of websites use this one algorithm (crossfoot) for storing your password, and someone steals the password "hashes" (and the login / email). I could ran a program that creates me a list of all possible crossfoots for all numbers for 1 to 100000.
This would give me an easy lookup table for finding the "real" number behind those hashes. (Those tables exists. Look up "rainbow tables")
Buuuut what if I use a little bit of salt (and pepper pepper pepper) before doing my hashing / crossfooting?
Let's use the pw "69" again and use a salt with a random number "420" and add them all together:
6 + 9 + 420 = 435
This hash wouldn't be in my previous mentioned lookup table. Use different salts for every user and at least the lookup problem isn't such a big problem anymore.
This was super helpful 🙏🏼 sent me down a whole other rabbit hole of learning