I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?
Not included in this answer and I’m not fully qualified to talk about: salting.
If you knew the hashing algorithm, you could precompute hashes of all the common passwords. Then when you steal the hashed password data, it’s a lot faster to check if any of them are in your list. You can likely find that kind of list online to download.
One defense against this is “salting”. The site adds some text to your password before hashing it. So if your password is extremely common, like “password1!”, with the added salt the hash on this site will be different. Like maybe it adds the user’s uuid, so what gets hashed is “password1!-abcd-123-pretend-this-is-a-uuid”. The user doesn’t need to know.
Another benefit is that now two passwords that both are “password1!” have different hashes.
I’m not an expert by any means so please someone correct me if anything was wrong there.
Thanks for adding that. I mentioned salting in a parenthetical and then completely ignored it. This is a good addendum.
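The salting point from the comments above, as an added example that is not part of the original thread: it stores the same password for two users with and without a salt and checks which stored values match a table of precomputed hashes. The random per-user salt (instead of the uuid imagined above), PBKDF2 as the hash, the iteration count and all function names are choices of this example.

```python
import hashlib
import hmac
import os

# Constructed sample of "common passwords" for the demonstration.
COMMON_PASSWORDS = ["password1!", "123456", "qwerty"]
ITERATIONS = 100_000  # assumption for this example; tune for your hardware


def unsalted_hash(password):
    """The weak scheme: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Return (salt, digest). The salt is random per user and is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def precomputed_matches(stored_hex):
    """Stored hashes that appear in a table built once from COMMON_PASSWORDS."""
    table = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    return [h for h in stored_hex if h in table]


if __name__ == "__main__":
    # Two constructed users who picked the same password.
    weak = [unsalted_hash("password1!"), unsalted_hash("password1!")]
    print("unsalted identical:", weak[0] == weak[1])
    print("unsalted found in table:", len(precomputed_matches(weak)))
    (s1, d1), (s2, d2) = salted_hash("password1!"), salted_hash("password1!")
    print("salted identical:", d1 == d2)
    print("salted found in table:", len(precomputed_matches([d1.hex(), d2.hex()])))
    print("login still works:", verify("password1!", s1, d1))
```

The salt is stored next to the digest in the user record, so the site can always recompute the hash at login while a table built in advance no longer lines up with any stored value.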