Why won't services just email me my password instead of making me set a new one?

They don’t know your password.

I’m dead serious. They don’t know your password, they didn’t store your
password, and they couldn’t tell you if they wanted to.

In fact, if they could tell you that means they’re doing security
wrong.

So how do they know you got your password right when you login? Well, they
do store something … it’s just not your password.

]]>

A Password Stored is Not a Password Seen

One would think that for any service for which you need a password that service must store a copy of your password. I mean, they need to compare what you typed in against that to see if you got it right, right?

Not at all.

Websites that do security properly actually don’t store your password at all; they store what’s called a “hash” of your password – a unique (*1) number that’s computed from the password. It’s kind of like encryption, but not really – particularly since it only works in one direction.

That “only works one way” is pretty key to how this can work; what it means is that a hash of a password cannot be reversed to recover the password.

For example, say I use an 8 character password “password”. A hash of “password” is “cc3a0280e4fc1415930899896574e118”. There are different hashing algorithms, so that’s just one example. Remember, though, it’s just a number. I’ve represented it in hexadecimal here, but in reality this hash algorithm returns is a 256 bit number – meaning it ranges from 0 to 2 raised to the 256th power minus 1. That’s a number between 0 and … well, a really big number. In our traditional decimal system it’s slightly over 1 followed by 77 zeros.

That number is what’s stored with your account, not your actual password.

What Happens When You Set Your Password

When you set your password – after having verified it’s you by successfully logging in, or by using some password reset link:

• The service computes the hash of the password you entered. The result, as we’ve seen, is just a (big) number.

• The service stores that number with your account username and whatever else they keep about your account.

• The service discards the password. They forget it completely.

Yep. They forget your password. All they keep is that number.

What Happens When You Login

When you enter your username (or email or other ID) and password into a login form and press “Login”:

• The service looks up your username. If that username doesn’t exist, the login fails of course.

• The service then computes the hash number of whatever you typed in as your password.

• The service then compares the number it just calculated with the number it had stored in your account as the hash of your password.

• If the numbers don’t match, you didn’t type in the same password as before, and the login fails.

• If the numbers match – meaning that the hash of your password that was stored matches the hash of the password you entered – then you must’ve typed in the correct password, and the login proceeds.

Wait, What? Hash?

I’m fairly certain that the most confusing part of this is that thing called a “hash”. If it makes sense to you, then you can skip this. It’s important enough, though, that I want to see if I can simplify the concept just a little more.

Let’s say you have a box. At one end of the box you put in a password, and when you do that a number pops out from the other side. That number has three important characteristics:

• Every different password you put in – no matter how small the difference – is guaranteed to cause a different number to come out. Always. (*1)

• Every time you put in the same password you will get the same number. Always.

• The box only works in one direction: put in passwords, get out numbers. There is no way to put in a number and get the matching password back. No way. (*2)

Other than those rules, you really don’t care how the box works or how it comes up with its numbers – it just does.

So, you have two passwords and you want to see if they match. Without looking at each password, just put them through the box one at a time. If the number that comes out of the box is the same each time, then the two passwords must be the same. We don’t know what they are, but we know that they’re the same.

That also means that if you save the number you can see later if the password typed in now (login) is the same as the password typed in before (when you set your password). All without paying attention to or remembering exactly what the password is.

Why Bother?

In short: so no one can steal your password by cracking into the master password database.

The master password database doesn’t have it.

Quite literally the only person who knows your password is you – unless you’ve shared it with someone else of course.

Services that do it wrong – those that actually do store and remember your password – are the services that are most likely to have some serious account breeches. Someone breaks in and steals the database containing all user accounts and (real) passwords and they have instant access to all those accounts. Had the passwords not been stored, but instead a hash used, then the hacker would have next to nothing.

Similarly, services that do it wrong and are willing to email you your password are even worse. Email is a fundamentally insecure medium – your password is emailed to you in unencrypted plain text and could be read by someone sniffing your internet connection. The only truly secure way is to get a link – preferably https – to reset your password, allowing you to set a new one.

So if your service can’t tell you your password and won’t email it to you be thankful, not upset. They’re probably doing security – or at least this part of it – correctly.

Caveats (aka Never Say Never)

There are two statements I made above as absolutes that pedants may argue are technically incorrect:

*1: hashes are unique, and you’re always guaranteed to get a different number for a different password is not 100% true. It’s is statistically true, in that the odds against two passwords generating the same hash value are enormous. It simply doesn’t happen in the real world. But the math (it’s an algorithm and these are just numbers) says it might. And of course the odds change depending on which hash algorithm is being used, but all the ones commonly in use fall into that “it ain’t gonna happen” category.

*2: you can’t convert a hash number back to its original password. This is actually 100% true – it’s algorithmically impossible to calculate the password from a hash. However, you might be able to look it up. A technique known as “rainbow tables” uses massive amounts of storage to build huge lists of passwords and the hash values that they would generate using popular hash algorithms. This way hackers avoid computation completely – they just grab a hash value and look up the corresponding password in the list.

This is why “good passwords” are so incredibly important. Rainbow tables – as large as they might be – don’t contain all possible passwords, just the more common. Solution: don’t use a common password or a common style of password (such as combining two words).

Don’t believe me? Here: search for cc3a0280e4fc1415930899896574e118. That’s the hash of the password “password” using the MD5 hashing algorithm that I used at the beginning of this article.