Believe it or not, online services don’t necessarily know your password.
Some services actually can tell you your password, and that’s a really, really bad thing. Among other things, it calls in to question that service’s understanding of security.
A tiny bit of math magic
First, let me explain why services don’t actually need to know your password.
There’s a mathematical concept called a one-way hash. What that means is that using a well-defined algorithm, you can transform a string of characters, like a password, into a very large number. This algorithm has some really important properties.
- First, it’s consistent: for any specific string you enter, it will always return the same number for that string.
- Second, it’s extremely unlikely that two different strings would produce the same number. It’s not impossible, but it’s so extremely unlikely as to be practically impossible.
- Third, and perhaps most important, it’s impossible to go the other way. It’s impossible to take a number and somehow calculate from that number the string that was used to create it. (That’s why it’s called a one-way hash.)
I know, it all sounds pretty magical, and in many ways it feels like it is. It’s a fundamental concept or tenet of cryptography that relies on things like hashes. This isn’t a very simple mathematical formula. We’re definitely talking some really complex algorithms here, that can only be done by computer. But it really does work.
Checking your password versus knowing your password
What this means is that the correct way for an online service to handle passwords is this:
- When you set up your password, or when you change it, the service takes the password you enter (that string) and immediately calculates a hash value. It then stores this hash value in its account database, and completely discards your actual password.
- When you later login, the service calculates the hash value of whatever it is you typed in as your password. If that value matches the value that was calculated when you first created the password (the value that’s stored in their database) then by definition, you must have typed in the same thing both times – in other words you typed in the correct password.
So the service really only needs to save this hash value; it never has to keep your actual password.
Why it matters
Why is this so important?
Well, I’m sure you’ve heard of various database breaches in the news over the last couple of years. This is the scenario where a hacker breaks into the actual servers of some service and steals their entire database of accounts. If that database contains only properly-created hash values, the hacker can’t get your password because there’s no way to go from that hash value to what the string was that created it.
If on the other hand, the database contains the actual passwords; the hackers will have have complete access to all of the accounts in that database.
That’s bad. I mean that’s really bad.
So if you encounter a service that actually can tell you what your password is, they’re not doing security right. And I’d be very wary of what other kinds of security-related things that they might also not be doing right.