Plain Text Passwords 10.30.15
When you create an account, you create (or reuse!) a password. This password gets stored. We hear about plain text passwords getting stolen, but what does this mean, and how does it affect you?
When you create an account, the password is stored. Then, when you log in, the site takes the password you typed and compares it to the password on file; if they match, you get in.
How does encryption come into this? Let's start very basically. Suppose your password is 1234. If someone hacks into the database with your details in it, they will know you used the password 1234 - and chances are you used it elsewhere.
Very simply, we swap one number for another, so our key is:
0 1 2 3 4 5 6 7 8 9
1 2 3 4 5 6 7 8 9 0
So we look up each of our numbers in the top row and take out the number below it from the bottom row - 1234 becomes 2345.
How It Works
When you type in your password, the software encrypts it the same way and compares the encrypted versions. There is no need to keep the password in plain text, so long as the same method is used to check the password at log-in as was used when the password was stored.
Of course, a one-character offset like this would be very easy for a human to break. Many passwords are protected using what is called an MD5 hash. The explanation of that is beyond the scope of this paper, but if we run 1234 through MD5, this is what we see:
Converting that back to 1234 is possible, but it's a huge amount of work. On top of that, you can include extra information to change the result; this is called a salt. The salt changes the result, making it even harder to crack.
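The three storage methods the article walks through (plain text, the digit-shift table, and a salted MD5 hash) and the "transform the attempt the same way, then compare" log-in check, as an added Python example. This is not code from the original article; the digit-shift key is the article's table, while the record layout, the function names and the use of a random per-user salt are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Toy cipher from the article: each digit in the top row is swapped for
# the digit below it (0->1, 1->2, ..., 9->0).
SHIFT_TABLE = str.maketrans("0123456789", "1234567890")


def shift_encode(password):
    """Apply the article's one-character offset, e.g. '1234' -> '2345'."""
    return password.translate(SHIFT_TABLE)


def md5_hex(password, salt=""):
    """MD5 of salt + password as a hex string; a different salt gives a different result.

    MD5 is used here only because the article uses it; it is far too fast
    for real password storage (see the note after the code).
    """
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def make_record(password, method="md5", salt_bytes=8):
    """Build the record that would be kept in the account database.

    method (assumed names for this demo):
      "plain" - store the password as-is; a copied database reveals it directly
      "shift" - the article's digit-shift toy cipher
      "md5"   - MD5 of a random per-user salt plus the password
    """
    if method == "plain":
        return {"method": "plain", "salt": "", "stored": password}
    if method == "shift":
        return {"method": "shift", "salt": "", "stored": shift_encode(password)}
    if method == "md5":
        salt = secrets.token_hex(salt_bytes)
        return {"method": "md5", "salt": salt, "stored": md5_hex(password, salt)}
    raise ValueError("unknown method: " + method)


def verify(record, attempt):
    """Log-in check: transform the attempt with the stored method, then compare.

    The database never needs the plain password, only the value produced by
    the same method that was used when the account was created.
    """
    method = record["method"]
    if method == "plain":
        candidate = attempt
    elif method == "shift":
        candidate = shift_encode(attempt)
    elif method == "md5":
        candidate = md5_hex(attempt, record["salt"])
    else:
        raise ValueError("unknown method: " + method)
    # Constant-time comparison so response timing does not leak how many
    # leading characters of the attempt were correct.
    return hmac.compare_digest(candidate, record["stored"])


if __name__ == "__main__":
    for method in ("plain", "shift", "md5"):
        rec = make_record("1234", method)
        print(method, "->", rec["stored"], "salt:", rec["salt"] or "-")
        assert verify(rec, "1234") and not verify(rec, "4321")
    # Two users with the same password get different salts, so a thief
    # cannot tell from the stored values that the passwords are the same.
    first, second = make_record("1234"), make_record("1234")
    print("same password, different stored values:", first["stored"] != second["stored"])
```

Running the script prints the stored value for each method; only the "plain" row shows 1234 itself. Real systems use exactly the same compare-after-transform pattern, but with a deliberately slow salted function such as hashlib.pbkdf2_hmac or bcrypt in place of MD5, so that each guess costs the attacker far more work.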
Can it be cracked?
Yes. It's not easy, it takes a lot of work, and is often not worth the time and effort. You can also make it harder to crack by using good passwords. And you can protect yourself further by using different passwords for different things. Your Facebook password should be different from your Amazon and Twitter passwords.