Helping people with computers... one answer at a time.

A service practicing proper security actually doesn't know your password. I'll cover how that works and why it's very important.

I forgot my password, and I want it back. I don't want to reset it, I just want [random online service] to tell me what it is so I don't have to create a new password. Why do they want to make me to reset the password when I just want them to tell me what the password is?

They don't know your password.

I'm dead serious. They don't know your password, they didn't store your password, and they couldn't tell you if they wanted to.

In fact, if they could tell you that means they're doing security wrong.

So how do they know you got your password right when you login? Well, they do store something ... it's just not your password.

A Password Stored is Not a Password Seen

One would think that for any service for which you need a password that service must store a copy of your password. I mean, they need to compare what you typed in against that to see if you got it right, right?

Not at all.

Websites that do security properly actually don't store your password at all; they store what's called a "hash" of your password - a unique (*1) number that's computed from the password. It's kind of like encryption, but not really - particularly since it only works in one direction.

That "only works one way" is pretty key to how this can work; what it means is that a hash of a password cannot be reversed to recover the password.

"Services that do it wrong - those that actually do store and remember your password - are the services that are most likely to have some serious account breeches."

For example, say I use an 8 character password "password". A hash of "password" is "cc3a0280e4fc1415930899896574e118". There are different hashing algorithms, so that's just one example. Remember, though, it's just a number. I've represented it in hexadecimal here, but in reality this hash algorithm returns is a 256 bit number - meaning it ranges from 0 to 2 raised to the 256th power minus 1. That's a number between 0 and ... well, a really big number. In our traditional decimal system it's slightly over 1 followed by 77 zeros.

That number is what's stored with your account, not your actual password.

What Happens When You Set Your Password

When you set your password - after having verified it's you by successfully logging in, or by using some password reset link:

  • The service computes the hash of the password you entered. The result, as we've seen, is just a (big) number.

  • The service stores that number with your account username and whatever else they keep about your account.

  • The service discards the password. They forget it completely.

Yep. They forget your password. All they keep is that number.

What Happens When You Login

When you enter your username (or email or other ID) and password into a login form and press "Login":

  • The service looks up your username. If that username doesn't exist, the login fails of course.

  • The service then computes the hash number of whatever you typed in as your password.

  • The service then compares the number it just calculated with the number it had stored in your account as the hash of your password.

  • If the numbers don't match, you didn't type in the same password as before, and the login fails.

  • If the numbers match - meaning that the hash of your password that was stored matches the hash of the password you entered - then you must've typed in the correct password, and the login proceeds.

Wait, What? Hash?

I'm fairly certain that the most confusing part of this is that thing called a "hash". If it makes sense to you, then you can skip this. It's important enough, though, that I want to see if I can simplify the concept just a little more.

Let's say you have a box. At one end of the box you put in a password, and when you do that a number pops out from the other side. That number has three important characteristics:

  • Every different password you put in - no matter how small the difference - is guaranteed to cause a different number to come out. Always. (*1)

  • Every time you put in the same password you will get the same number. Always.

  • The box only works in one direction: put in passwords, get out numbers. There is no way to put in a number and get the matching password back. No way. (*2)

Other than those rules, you really don't care how the box works or how it comes up with its numbers - it just does.

So, you have two passwords and you want to see if they match. Without looking at each password, just put them through the box one at a time. If the number that comes out of the box is the same each time, then the two passwords must be the same. We don't know what they are, but we know that they're the same.

That also means that if you save the number you can see later if the password typed in now (login) is the same as the password typed in before (when you set your password). All without paying attention to or remembering exactly what the password is.

Why Bother?

In short: so no one can steal your password by cracking into the master password database.

The master password database doesn't have it.

Quite literally the only person who knows your password is you - unless you've shared it with someone else of course.

Services that do it wrong - those that actually do store and remember your password - are the services that are most likely to have some serious account breeches. Someone breaks in and steals the database containing all user accounts and (real) passwords and they have instant access to all those accounts. Had the passwords not been stored, but instead a hash used, then the hacker would have next to nothing.

Similarly, services that do it wrong and are willing to email you your password are even worse. Email is a fundamentally insecure medium - your password is emailed to you in unencrypted plain text and could be read by someone sniffing your internet connection. The only truly secure way is to get a link - preferably https - to reset your password, allowing you to set a new one.

So if your service can't tell you your password and won't email it to you be thankful, not upset. They're probably doing security - or at least this part of it - correctly.

Caveats (aka Never Say Never)

There are two statements I made above as absolutes that pedants may argue are technically incorrect:

*1: hashes are unique, and you're always guaranteed to get a different number for a different password is not 100% true. It's is statistically true, in that the odds against two passwords generating the same hash value are enormous. It simply doesn't happen in the real world. But the math (it's an algorithm and these are just numbers) says it might. And of course the odds change depending on which hash algorithm is being used, but all the ones commonly in use fall into that "it ain't gonna happen" category.

*2: you can't convert a hash number back to its original password. This is actually 100% true - it's algorithmically impossible to calculate the password from a hash. However, you might be able to look it up. A technique known as "rainbow tables" uses massive amounts of storage to build huge lists of passwords and the hash values that they would generate using popular hash algorithms. This way hackers avoid computation completely - they just grab a hash value and look up the corresponding password in the list.

This is why "good passwords" are so incredibly important. Rainbow tables - as large as they might be - don't contain all possible passwords, just the more common. Solution: don't use a common password or a common style of password (such as combining two words).

Don't believe me? Here: search for cc3a0280e4fc1415930899896574e118. That's the hash of the password "password" using the MD5 hashing algorithm that I used at the beginning of this article.

Article C4376 - July 22, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

5 Comments
Carl R. Goodwin
July 27, 2010 8:25 AM

It probably took longer to write the question than it would have to just reset the password!!!

pentester
July 27, 2010 3:52 PM

[" Had the passwords not been stored, but instead a hash used, then the hacker would have next to nothing."]

I beg the differ ... It is a one way street in so many ways yes, but so many it isn't. Depending on the power of you computer, the size of your rainbow tables, and the willing time, cracking 80% of a password database could be done within a few weeks. The 1st day would weed out approx. 50% due to the week dictionary passwords that a simple dictionary attack could crack.

Which is why random unique passwords are so critical. They won't be in the tables.
Leo
29-Jul-2010

James
August 2, 2010 9:14 AM

"They don't know your password, they didn't store your password, and they couldn't tell you if they wanted to."
I have been saying to anyone who'd listen, probably for 30 years, that this ought to be true. But to my consternation I've recently had proof that it isn't, because www.guardian.co.uk actually emailed my password to me.

Admittedly, this is a free registration site, and doesn't claim to be secure, but that's not much of an excuse.

So Hey, let's be careful out there!

Yeah, there are sites that do, and as I said in the article - if they can mail you your password, they're doing security wrong. (I had one emailed to me just yesterday from aother site. Sigh.)
Leo
03-Aug-2010
john
August 10, 2010 9:45 AM

That's really interesting and well explained. Thank you. But I'd be interested, and grateful, if you could take it a step further and explain what is going on with those sites (mostly banks, I find) that ask for (say) the 3rd, 5th and 10th character of your password, which cannot generate the same hash as the full password.

I've never seen that, however: it could be that they're storing your password (which would be bad), or perhaps when you set your password they save the 3rd, 5th and 10th characters only for later comparisons. That doesn't store your password, but it also doesn't compromise a sufficiently strong password either.
Leo
14-Aug-2010

Toy Trumpet
November 21, 2011 9:46 AM

There is a site called http://plaintextoffenders.com/ which names and shames this type of password insecurity.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.