Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Why Can’t Online Services Tell Me What My Password Is?

//
Why can’t an online service like Gmail or Hotmail or any of the others, just tell me what my password is rather than forcing me to reset it all the time? I mean, they have to know what it is anyway so that they can check that I’ve entered it in correctly. Right?

Believe it or not, online services don’t necessarily know your password.

Some services actually can tell you your password, and that’s a really, really bad thing. Among other things, it calls in to question that service’s understanding of security.

Become a Patron of Ask Leo! and go ad-free!

A tiny bit of math magic

First, let me explain why services don’t actually need to know your password.

There’s a mathematical concept called a one-way hash. What that means is that using a well-defined algorithm, you can transform a string of characters, like a password, into a very large number. This algorithm has some really important properties.

  • First, it’s consistent: for any specific string you enter, it will always return the same number for that string.
  • Second, it’s extremely unlikely that two different strings would produce the same number. It’s not impossible, but it’s so extremely unlikely as to be practically impossible.
  • Third, and perhaps most important, it’s impossible to go the other way. It’s impossible to take a number and somehow calculate from that number the string that was used to create it. (That’s why it’s called a one-way hash.)

I know, it all sounds pretty magical, and in many ways it feels like it is. It’s a fundamental concept or tenet of cryptography that relies on things like hashes. This isn’t a very simple mathematical formula. We’re definitely talking some really complex algorithms here, that can only be done by computer. But it really does work.

Password HashChecking your password versus knowing your password

What this means is that the correct way for an online service to handle passwords is this:

  • When you set up your password, or when you change it, the service takes the password you enter (that string) and immediately calculates a hash value. It then stores this hash value in its account database, and completely discards your actual password.
  • When you later login, the service calculates the hash value of whatever it is you typed in as your password. If that value matches the value that was calculated when you first created the password (the value that’s stored in their database) then by definition, you must have typed in the same thing both times – in other words you typed in the correct password.

So the service really only needs to save this hash value; it never has to keep your actual password.

Why it matters

Why is this so important?

Well, I’m sure you’ve heard of various database breaches in the news over the last couple of years. This is the scenario where a hacker breaks into the actual servers of some service and steals their entire database of accounts. If that database contains only properly-created hash values, the hacker can’t get your password because there’s no way to go from that hash value to what the string was that created it.

If on the other hand, the database contains the actual passwords; the hackers will have have complete access to all of the accounts in that database.

That’s bad. I mean that’s really bad.

So if you encounter a service that actually can tell you what your password is, they’re not doing security right. And I’d be very wary of what other kinds of security-related things that they might also not be doing right.

17 comments on “Why Can’t Online Services Tell Me What My Password Is?”

  1. If you have a simple password, they may be able to use a rainbow table to convert the hash into your password. If your password is PASSWORD for example, if they know how the passwords are hashed, the run various simple passwords like PASSWORD through the hash and create a table called a rainbow table. That can then be used to go from the hash to the password.

    Reply
  2. Thanks for the opportunity to get an answer to my biggest computer problem. I have been using computers since my first Radio Shack (no hard drive) computer. Now I am 72 and have been diagnosed with memory problems. This has caused much stress! I try to keep my passwords in a book but there are times it doesn’t work. This could be because I had to change the password and forgot to change the book or lately, I just don’t know. I am on my iPad a lot and will miss it!

    Is there a safe program I can use on the iPad and lap top (not Mac) that will remember passwords? Hope you can keep me using my computer!

    Doug

    Reply
  3. Hi Leo,
    I found this article very informative and interesting but it has prompted one question and that is why we may have to change all of our passwords as a result of Heartbleed ?

    Reply
    • Because they MAY have been captured by hackers during the time the various servers were vulnerable to the HeartBleed problem. That means it’s theoretically possible that any time in the last two years when you logged into a service which was HeartBleed vulnerable a hacker could have stolen your password. I don’t know that this is/was common, but since we can’t prove it one way or the other changing your passwords is the safest option.

      Reply
  4. If I have understood correctly, (and I found your explanation brilliantly clear), every one of the major thefts of passwords which have been publicised over the years, (as well as the Heartbleed thefts), are actually a manifestation of the fact that the host is maintaining the actual passwords on their servers. If they were storing only the hash, the hackers could not steal them. This speaks volumes to the security services of the major sites we all subscribe to.

    Reply
    • This is not quite correct.

      First, most major thefts have not been “of passwords“. They’ve been of account databases with hashed passwords. Nonetheless, common best practice after such a theft – even without passwords – is to encourage people to change their passwords “just in case”. (Obviously if the theft was truly “of passwords”, then yes, those were bad security setups. But as I said, if you read the accounts closely more are not.)

      Second, the situation is more complex than I got into. (Remember, the question was only why a service couldn’t tell you your password.) It can sometimes be possible to use tables of hashed passwords to break into accounts 1) if the hash is done “poorly”, and 2) if poor passwords are used. I think someone else mentioned rainbow tables – compute, off-line, the hashes for all possible 8 character passwords, then just look up the hash to find the password. There are techniques to make this more secure both on the server (do hashes properly) and in your control (longer passwords being the one in your control).

      Finally, poor password choice remains a serious issue. Very often simply knowing the account login ID, which is stored clearly in the database, and then just trying the top 1000 most popular passwords (slowly, over a few days on a distributed botnet) will break in to an alarming number of accounts.

      Reply
  5. Another good article Leo, but a couple things I’d add:
    As far as Heartbleed goes:
    DO NOT CHANGE YOUR PASSWORDS UNLESS YOU CAN VERIFY THESE 3 THINGS:
    1) The website was running the affected version of OpenSSL (v1.0.1 and v1.0.2 beta)
    2) The website has applied the necessary patch for the affected versions of OpenSSL
    3) The website has updated their certificates
    Very basically, if your website is still running OpenSSL v1.0.0 it is not vulnerable to Heartbleed. Heartbleed allows the affected OpenSSL memory to be read on the website’s server. If it wasn’t patched and certificates updated, the site is still vulnerable and you’re putting a new password into the memory (which remains active until rebooted) for the hackers to access. Servers can go for months or years without rebooting. Wait until all 3 of these things are verified, or you’re wasting your time and putting your new password into memory to be hacked.

    I’m still not a fan of changing passwords without a good reason – you’ve given it to someone intentionally or unintentionally, or malware has infected your system. A password which was strong a decade ago remains strong today. 🙂

    Reply
    • Which is why I referenced the LastPass tool – it’ll advise you whether or not the password should be changed based on those criteria.

      Reply
  6. Most passwords will be locked out if you make a set # of attempts without success, so why would a botnet attempt be able to work where there are 1000 attempts?

    Reply
    • That’s why I said slow & distributed. Slow enough to not trigger the “too many failures too quickly” problem and distributed to not trigger “too many failures from the same IP address”. Even if it takes a few days the results would be valuable to the hackers.

      Reply
  7. Let me see if I understand correctly. If I click on the “LostPassword” link at a site where I have an account, and they actually email me my password, that is not good, but if they email me a link to enable me to reset my password or give a me a “hint”
    I have provided previously, that is ok?

    Reply
    • If they can mail you a password, it means they have your password on their servers, and that is vulnerable to mass theft. If they send you a password reset key, that is essentially a new one time password with which you can create a new password. This one time password is sent to an email address which only you *should* have access to. I stress should because there may be ways of gaming that system if they’ve hacked that email account, but it protects the vast majority of passwords on their system.

      Reply
  8. Thank you for making the password reset situation clear. You answered a question I had not thought to ask and I will now cease being frustrated when the situation arises. I have been using Password Safe for years but it is not always handy when I am away from home.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.