Why can't a website just tell you your password instead of resetting it?

As the title says, it would be convenient to use the password I picked out before, so why don't they just tell me what it is instead of me having to make a new one after I clicked the FORGOT PASSWORD button?
 
Yep, because they don't know it. Once it is hashed, for all intents and purposes it cannot be retrieved. This is a good thing, much more secure.


What do you mean they don't know it?

1) It says you can't use your last 6 passwords so they must know at least the last 6 you used.
2) Whenever you enter your password to log on, how do they let you on if they don't know it's the right one or what it is?
 
It would be reasonable to remind you of the rules before reset (during error), like 1 cap, 1 lower, 1 number, 1 special. I know what password I use based on which rules....
 
What do you mean they don't know it?

1) It says you can't use your last 6 passwords so they must know at least the last 6 you used.
2) Whenever you enter your password to log on, how do they let you on if they don't know it's the right one or what it is?
Because they know the HASH of the last 6 passwords. They don't know the password itself.
Same with logging on, they know the HASH, but not the actual password.

Tom Scott's video explains it much better than I can.
 
What do you mean they don't know it?

1) It says you can't use your last 6 passwords so they must know at least the last 6 you used.
2) Whenever you enter your password to log on, how do they let you on if they don't know it's the right one or what it is?

1) It stores the hashes of the last 6 passwords you used.

2) You enter your password, and "abc123" is transformed into "5F6H67Unfd3gjii6de43bn" by a hash function. It's one way, so it's impossible to turn "5F6H67Unfd3gjii6de43bn" back into "abc123".

EDIT: This is just an example. There's no hash function that will actually turn "abc123" into "5F6H67Unfd3gjii6de43bn". It will turn it into some other collection of numbers and letters.
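The login check and the "last 6 passwords" rule described in the replies above, as an added example that is not part of the original posts or the forum's own code. The `Account` class, the choice of PBKDF2 with a per-password random salt, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY = 6           # the thread's "last 6 passwords" rule
ITERATIONS = 100_000  # illustrative work factor (assumption); tune upward in production


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Hypothetical account record: it holds (salt, digest) pairs, never the password."""

    def __init__(self, password: str):
        self.history = deque(maxlen=HISTORY)  # newest entry last
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt for every stored password
        self.history.append((salt, derive(password, salt)))

    def login(self, attempt: str) -> bool:
        # Recompute the digest from the attempt and compare it to the stored one.
        salt, stored = self.history[-1]
        return hmac.compare_digest(derive(attempt, salt), stored)

    def change_password(self, new: str) -> bool:
        # Reuse check: hash the candidate under each old salt and look for a match.
        for salt, stored in self.history:
            if hmac.compare_digest(derive(new, salt), stored):
                return False  # one of the last HISTORY passwords
        self._store(new)
        return True


if __name__ == "__main__":
    acct = Account("abc123")
    print(acct.login("abc123"), acct.login("abc124"))  # right vs. wrong password
    print(acct.change_password("abc123"))              # rejected as reuse
    print(acct.change_password("abc123#"))             # accepted if never used before
```

Nothing in the record can be turned back into a password, so a "forgot password" flow built on it can only replace the stored digest.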
 
Mhmm, hash. From French 'hacher' = to mince.
Not to be confused with hashish. From Arabic for 'dried herbage'
According to Marco Polo, Persian assassins were hopped up on hashish.
 
For instance, if you compute the sha1sum of "BITOG" like this: echo "BITOG" | sha1sum, you'll get the digest: "adc3d9cbf90b14305d8b9fb54f0c872161202f4e". One of the cool things about the algorithms used to compute digests is called the "avalanche effect". If you change the string slightly, "BITOG" to "bitog", you will get a completely different digest: "42756dfa5fa033aec04d68604906e15f0caf753c".

If I compute the digest of a space " " you get "dd122581c8cd44d0227f9c305581ffcb4b6f1b46"; two spaces is: "9aa23bb69d6a07ff8bac5ee2f86f600939ed47b7".

If I didn't tell you that the hash "adc3d9cbf90b14305d8b9fb54f0c872161202f4e" is of the string "BITOG", then you couldn't figure it out, even with a super computer. It's super easy to compute the hash of a string, but impossible to reverse the operation. It's called the discrete logarithm problem. That's why passwords in modern systems are always stored as a hash and never the password you type. BITOG is the same way. We don't store or know your password, we just know the hash (digest) of the password.

You can download the digests of over 865,278,700 stolen passwords from haveibeenpwned. You can't figure out the password, but if you write a simple shell script, you can check to see if any of your passwords have been stolen.

[edit] I will also add that just because you can't reverse a digest to figure out a password string, doesn't mean that your password can be discovered. The recommendation is to use a password manager and create long random passwords and change them regularly. Why? Because of rainbow tables. Be afraid, very afraid if you use short or even medium length easy to remember passwords.
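The breached-password check mentioned in the post above, written here in Python as an added example that is not part of the original post. It assumes the downloaded list is one `SHA1:COUNT` line per password with uppercase hex digests; the sample corpus and its counts are constructed so the block runs offline.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    """Uppercase hex SHA-1, matching the assumed list format."""
    return hashlib.sha1(data).hexdigest().upper()


def build_sample():
    """Constructed stand-in for the downloaded list: sorted 'SHA1:COUNT' lines."""
    leaked = {"abc123": 1000, "password1": 500}  # constructed passwords and counts
    return sorted(f"{sha1_hex(p.encode('utf-8'))}:{n}" for p, n in leaked.items())


def pwned_count(password: str, corpus, echo_newline: bool = False) -> int:
    """Return how often `password` appears in the corpus, 0 if it is not listed.

    echo_newline=True reproduces what `echo "pw" | sha1sum` hashes: the
    password plus a trailing newline, which never matches a list entry.
    """
    data = password.encode("utf-8") + (b"\n" if echo_newline else b"")
    target = sha1_hex(data)
    for line in corpus:
        digest, sep, count = line.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


if __name__ == "__main__":
    corpus = build_sample()
    # Only digests are compared; the list never needs to contain a plaintext.
    print(pwned_count("abc123", corpus))                     # listed
    print(pwned_count("tr4ctor-lantern-quartz-09", corpus))  # not listed
    print(pwned_count("abc123", corpus, echo_newline=True))  # false negative
```

In a shell version of the same check, `printf '%s' "$pw" | sha1sum` avoids the trailing newline that `echo` adds.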
 
looks up hash browns instead
boi i'd hack into your breakfast if sensitive info was easily compromised
There was one site that stored passwords in plaintext ffs.
 
Yep, because they don't know it. Once it is hashed, for all intents and purposes it cannot be retrieved.
Follow up question. You say they don't know? Well, when I went to log into a site, it said something like, We periodically require users to change their password, please change it now to enter site. So I entered a variation of my previous password by adding # at the end, but it came back saying, You cannot use any of your last six passwords, so I must have used that previously. So they apparently DO know my passwords if they are telling me not to use that one again, no?
 
You already asked exactly that same question in this same thread, and at least two people answered it.
 
They know the hash, but not the actual password.

Did you watch the video? It explains exactly what you are asking.

Think of it this way, your password ( Fr0gsJumpH! ) is a math problem, and the hash is the answer (let's say 12345).
So you have Fr0gsJumpH! * AES encryption formula = 12345
The website has no idea what the password value or the encryption formula is, but knows that the answer it received (12345) is what it is looking for, so it lets you in.
It cannot figure out your password since all it knows is the answer, not the formula values ( x * y = 12345)
Your password answer is much longer than 12345 in the real world though.
 