All modern secure computer systems store users' passwords in an encrypted format. Whenever a user logs in, the password entered is encrypted initially, then compared to the stored encryption of the password associated with the user's login name. A match succeeds and a mismatch fails -- it's that simple!
"Too simple to be very secure, you ask?" It depends. Password encryption is usually a one-way process. This process uses a hashing algorithm, which always produces the same result for a given password, but a very different one if even one character is mis-typed. For example, the MD5 hashing algorithm produces the following encrypted results for the (weak!) passwords "abc4" and "abc5":
Password: abc4
Encryption: e47e4f3a015b2bf63c3411fd87ab3579
Password: abc5
Encryption: ab0b044fabbb28cc6de6c7398ce691e2
Even changing to uppercase produces a very different result (which may clarify why the Caps Lock key is so unforgiving!):
Password: ABC4
Encryption: ac3053745f6e1c8299a62d8732793fe6
Because hashing algorithms are one-way processes, the hashed result can never be used to recover the password. This fact would suggest that your password would not be exposed even if the entire password database from your workplace, for example, was posted on the Internet for all to see. That is the theory ...
If you are comfortable with the assumption that all systems work this way, be afraid -- be very afraid. For many reasons, this is a dangerous assumption! The theory that your password is well-protected may not hold for any of the following reasons:
It's important to understand that all strong encryption methods are based on theories. Mathematicians and Computer Scientists have good reasons to believe these theories are solid, but by their very nature, the underlying assumptions cannot be proven. (It is a paradox that a proof may actually result in the complete breakdown of all encryption methods. Google "P=NP" if you are curious.) It really comes done to statistics and computing time. We can say that a strong cipher probably cannot be broken in any reasonable amount of time.
Passwords do have a finite length. This means that a brute-force attack will always succeed, given enough computing time. The password policy should always be to use strong passwords, as it takes unreasonable computing times to crack them.
Common words or names are often used, making dictionary attacks
relatively likely to reproduce the original password.
Due to the many inherent weaknesses of using passwords alone, many systems which store sensitive information use 2-factor authentication schemes. But passwords are unlikely to become extinct anytime soon. It is important understand some of the risks and remain vigilant!
Knowledge is power. The Bitmill Inc. encourages links to our site. To link to this page, please cut and paste the following HTML code into your web page source file.
<a href="http://www.thebitmill.com/articles/password_storage.html">System Password Storage</a>
Your link will look like this:
System Password Storage
Thank you for your interest and support.