How are keys and passwords stored in a computer to make them secure?

If encryption is used to secure keys and passwords - won't there need to be a key or password for it also? Will that one be encrypted as well? It seems to me that eventually there will have to be a key or password that is not secure to get the whole process going.

Typically modern systems will use a cryptographically secure one-way hash to store credentials. Provided the password is strong, coupled with judicious salting, it can be quite difficult to break given only the hash result. Not impossible, mind you, but much more secure than using straight up encryption.

This web page has an excellent discussion of how to do it (and how not to do it).

This video is also a great explanation of this issue, mainly in the form of a how not to do it and why, followed by the proper solution used today, which is hashing + salting.

The basic idea is really that you don't need to store a password in plain text, or be able to retrieve its plain text representation, because all you need is to be able to validate the password given (when logging in). So, you store the password in some "encrypted" way (actually, with a salted hash) and you just compare it (to validate it) using that encrypted form.

For instance, this is the reason why when you've lost your password (can't remember it), you cannot get that password back; all you can do is get a new password generated for you or some temporary link to reset the password. There are still places that store passwords in plain text (or in a way that the plain text passwords can be retrieved), but they shouldn't do it, and if you realize that any important site or service uses that method, you should avoid having an account with them, unless that account is "harmless" (e.g., like a mailing-list subscription, or something like that, which doesn't store any sensitive information). And obviously, if you have to be subscribed to a service that stores plain text user passwords, then make sure you don't use the same password(s) as for your more sensitive accounts (email, PayPal, computer login, etc.).
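The salted-hash scheme described in the replies above, as an added worked example that is not part of the original thread: a password is turned into a one-way digest with a per-user random salt, only that digest is stored, and a login attempt is checked by re-deriving the digest and comparing it. This is what answers the question's "there must be an unprotected key somewhere" worry: nothing here is encrypted, so there is no key to protect. The iteration count, salt length and `pbkdf2_sha256$...` record format are this example's own choices (PBKDF2-HMAC-SHA256 from Python's standard library), not something the thread prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Example parameters (chosen for this illustration, not from the thread).
ITERATIONS = 600_000   # work factor: slows down offline guessing of a leaked digest
SALT_BYTES = 16        # fresh random salt per user defeats precomputed tables


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Only this record is stored. The digest cannot be reversed to recover the
    password, which is why no encryption key is needed anywhere in the scheme.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # new random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest using the salt stored in the record and compare.

    A malformed record is treated as a failed login rather than an exception.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                    # False
```

Because the salt is random per user, hashing the same password twice produces two different records, so two users who happen to choose the same password cannot be spotted from the stored data, and the "forgot password" flow can only issue a reset, never return the original.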
