Dec 23, 2013

How are passwords stored on websites? The Basics

How are passwords stored on websites? The Basics Front imageEver wondered how are messages transferred through email clients. What does gmail actually mean when it says your mail is encrypted before sending to another person. Or what does adobe mean when it says, "Your document is encrypted, Enter Password to continue.."

Data encryption has long been in use since the advent of data storage and transmission. It has been in use for website certifications, Storing your passwords and usernames etc. You will have to first understand how you need to protect yourself from divulging or giving away your passwords before understanding how passwords are stored on websites. A recent case of Adobe password leak is sufficient to say that encryption is one of the most important things which websites must remember.

The following article dwelves into the basics of encryption, Further posts might include a more deeper understanding. Lets start with the what and how of data security and privacy. 

Before we proceed..

For newbies, You must know this to go further, Input goes through a function (process) and comes out as an output. This output is called hash code. Using this analogy, Hash Code is the output generated by a Hash Function. This function varies and can produce different outputs based on the content of the message. The output is of a fixed length always and hence the code is a highly effective form of storing and transferring data, used in huge number of applications. There are many different types of Hash function methods available. 

An interesting discussion on data encryption would be for pretty good privacy method. Let us understand this based on an example. Let us assume a small string of letters for our convenience. Lets start with "sheep". Now this is the message we need to encrypt and send to a friend. 

The Pretty Good Privacy Method (PGP)

The Three steps to Encryption

  1. First the string "Sheep" is used to create a key, Let us suppose the key created by string "sheep" is 22RX (pretty cool digits, huh!). This key will be used to encrypt the message (You Know, this key will determine which hashing function will be used).
  2. Now using thie key, the string is encrypted. Let us suppose the key led to the simplest of encryption, i.e. converting into a hexadecimal value. (We use decimal values on day to day basis, i.e. 0 to 9 (Base 10). Hexadecimal values  on the other-hand is present in base 16 and ranges from 0 to E. Converting any text to hexadecimal is fairly easy to do. The converted hexadecimal value for Sheep is "7368656570". Now this was converted based on the key "22RX". Now, second step is encryption of the key itself. The encrypted value of 22RX is "32325258".  
  3. Third stage is concatenation of both key and the message. So, the completed encrypted message would be 323252587368656570 (Assuming key comes first and not mashed into the message). A mashed message might however look like this, "372336252865658570", Which as you can see is much more difficult to decrypt.

The above flowchart would help you understand the encryption using PGP method without mashing.


The above flowchart would help you understand the encryption using PGP method without mashing.

One Step to Decryption

  1. The decryption process is similar too. The message "323252587368656570" is received, the encrypted key is separated, This key is then decrypted and the value obtained is "22RX" now this key is used to decrypt the original message left after removing the key, i.e. "7368656570", After encryption this would be "sheep". This is how your friend will receive the message and privacy will be maintained between the two. Symantec acquired PGP on June 7, 2010. 

The above flowchart would help you understand the decryption process using PGP method.

Simpler Method

with a plethora of Hashing algorithm available, it might be really difficult to determine which algorithm should be used. Hsould you use SHA1 or SHA233? To avoid such mess, you can use your own key to be used for encryption and decryption. Let us go with the "sheep" again. This time I use a key 31, Suppose the function this key uses first interchanges the odd and even digits from the right, i.e. from "sheep" to "sehpe".


Then it is converted into hexadecimal values i.e. "sehpe" becomes "7365687065". Remember, no key is added to the string. So the message's reciever is dependent on you for the key. You send the encrypted value "7365687065" to him and contact him for the key. When your friend gets the key, he/she can very well use it to decrypt the message to get "sheep".


This methodology proves to be better than the previous method discussed. This is because, If one gets your message encryped using 'pretty good encryption' or pgp, he/she can spend hours/days/months on cracking the code but eventually, the hacker will know the contents of the message. However consider the case when a hacker intercepts a message encrypted using second methodology, It might be centuries before he/she could break the code without knowing the key used between you and your friend.

Secure Hash Algorithm

Lastly, one method, which is quite popular nowadaysis the Secure Hash Algorithm (SHA), which is a simple yet highly effective way of storing passwords, used by websites in the present. A simple explanation would be that it takes a string of characters (including numbers alphabets and special characters) and converts them into a code of a fixed size

The size depends on the alorithm used. (There are several types of SHAs used, SHA0, SHA1 etc. Secure Hash Algorithm follows a very simple algorithm (in computer's perspective ofcourse), Which will be explained later. There are many different functions too, which can be used to encrypt strings using hash tables, Geometric hashing etc. which  of-course does not come into the purview of "The Basics"

This explained (in brief) about
How are passwords stored on websites? The Basics Mohitchar