Hashes

To limit the damage from password database theft, most self-respecting websites don’t store passwords any more but instead store a “hash” of the password. A hash is the result of feeding some information, such as a password, into a clever bit of mathematics known as a “hash function”. If you change the input even just slightly, the resulting hash will be completely different. Another key feature of a hash function is that it can’t be reversed. So, calculating the hash of a password is easy, but, given the hash, you can’t easily calculate the password. If the hashes are stolen, the attacker doesn’t get the passwords. The next time you log in, the website calculates the hash of the password you submit and compares it to the hash stored in the database. If it matches, you must have entered the correct password.

All good, right? Not quite. In the deep, dark depths of the Internet exist vast lists of passwords created initially from standard word dictionaries. These are then extended using stolen password databases. These stolen passwords are then analysed to find patterns in the way people create passwords – such as “banana1972” – and these patterns can then be used to further grow the list of passwords – e.g. by adding “banana1973”, “banana1975” etc. Hackers can then calculate the hash of all these millions of passwords – this may take some time, but eventually a hacker has a database of hashes that they can use to look up a stolen hash and discover its original password. This is known as a “dictionary” attack. Another tip – don’t use passwords that are likely to have been used by someone else before, as there’s a good chance they’ll be in one of these lists.
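The scheme and its weakness, as an added example that is not part of the original article: a site operator stores unsalted hashes, checks logins by comparing hashes, and then audits its own table against a word list grown with the word-plus-year pattern. SHA-256, the function names, the user names and the sample passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac


def hash_password(password: str) -> str:
    """Unsalted hash of the password (SHA-256 is assumed; the article names no function)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_login(stored_hash: str, submitted: str) -> bool:
    """Hash the submitted password and compare it with the stored hash."""
    return hmac.compare_digest(stored_hash, hash_password(submitted))


def expand_wordlist(words, years):
    """Grow a word list with the word+year pattern ("banana1972", "banana1973", ...)."""
    return set(words) | {f"{w}{y}" for w in words for y in years}


def build_lookup(candidates):
    """Hash every candidate once and index the result by hash."""
    return {hash_password(p): p for p in candidates}


def audit(user_hashes, lookup):
    """Return the accounts whose stored hash already appears in the lookup table."""
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}


# Constructed sample data: three accounts and a two-word dictionary.
USERS = {
    "alice": hash_password("banana1973"),
    "bob": hash_password("banana1973"),
    "carol": hash_password("v9!Lq#2rTz_wK8"),
}
LOOKUP = build_lookup(expand_wordlist(["banana", "password"], range(1970, 1980)))

if __name__ == "__main__":
    # One character of difference gives an unrelated hash.
    print(hash_password("banana1972"))
    print(hash_password("banana1973"))
    # Login succeeds only when the hashes match.
    print(check_login(USERS["alice"], "banana1973"))
    # Accounts that a precomputed table would expose.
    print(audit(USERS, LOOKUP))
```

Because nothing but the password goes into the hash, alice and bob end up with the same stored value, and a single table entry covers both accounts.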

Salts