Passwords and Hacking: The Jargon of Cybercrime Explained

From Yahoo, MySpace and TalkTalk to Ashley Madison and Adult Friend Finder, personal information has been stolen by hackers from around the world.

But with each hack there's the big question of how well the site protected its users' data. Was it open and freely available, or was it hashed, secured and practically unbreakable?

From cleartext to hashed, salted, peppered and bcrypted, here's what the impenetrable jargon of password security really means.

The Terminology

Plain Text

When something is described as being stored as "cleartext" or as "plain text" it means that thing is in the open as simple text -- with no security beyond a simple access control on the database which contains it.

If you have access to the database containing the passwords you can read them just as you can read the text on this page.

Hashing

When a password has been "hashed" it means it has been turned into a scrambled representation of itself. A user's password is taken and -- using a key known to the site -- the hash value is derived from the combination of the password and the key, using a set algorithm.

To verify that a user's password is correct, it is hashed and the value compared with the one stored on record each time they log in.

You cannot directly turn a hashed value into the password, but you can work out what the password is if you continually generate hashes from passwords until you find one that matches, a so-called brute-force attack, or similar methods.

Salting

Passwords are often described as "hashed and salted". Salting is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed. Typically this "salt" is placed in front of each password.

The salt value needs to be stored by the site, which means sometimes sites use the...
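The following worked example, added here and not part of the original article, puts the Hashing and Salting sections above into running code. It shows why an unsalted hash lets a single precomputed table of common-password hashes be reused against every user (and why two users with the same password end up with the same stored value), and how a per-user random salt defeats that table while still letting the site verify a login. The password strings and the short "common passwords" list are constructed sample data, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt the article names; the function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real user records).
PASSWORD_A = "correct horse battery staple"
PASSWORD_B = "correct horse battery staple"   # a second user chose the same password
COMMON_PASSWORDS = ["123456", "password", "qwerty", PASSWORD_A]  # constructed candidate list


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password alone: the same input always yields the same output,
    so identical passwords produce identical stored hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Create the record a site stores for a salted password.

    A fresh random 16-byte salt is generated per user and combined with the password
    by PBKDF2-HMAC-SHA256 (a slow, iterated hash; bcrypt plays the same role in the
    article). The salt and iteration count are stored alongside the hash, because the
    site needs them again at login time.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare it with the stored value.

    hmac.compare_digest performs a constant-time comparison so that timing does not
    leak how many leading characters of the hash matched.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputed_table(candidates) -> dict:
    """Map unsalted hash -> password for a list of candidate passwords.

    This is the table a site should assume exists: it is built once and works against
    any database of unsalted hashes, which is the weakness salting addresses.
    """
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(table: dict, stored_hash: str):
    """Return the password behind an unsalted stored hash if the table contains it, else None."""
    return table.get(stored_hash)


def demo() -> dict:
    """Run the comparison and return the observations as a dictionary."""
    table = precomputed_table(COMMON_PASSWORDS)

    # Unsalted: both users share one stored value, and the table recovers it directly.
    unsalted_a = unsalted_hash(PASSWORD_A)
    unsalted_b = unsalted_hash(PASSWORD_B)

    # Salted: each user gets a different salt, hence a different stored hash, and the
    # precomputed table no longer matches because it never included the salt.
    record_a = make_salted_record(PASSWORD_A)
    record_b = make_salted_record(PASSWORD_B)

    return {
        "unsalted_hashes_identical": unsalted_a == unsalted_b,
        "unsalted_recovered_by_table": lookup_unsalted(table, unsalted_a),
        "salted_hashes_identical": record_a["hash"] == record_b["hash"],
        "salted_recovered_by_table": lookup_unsalted(table, record_a["hash"]),
        "login_with_correct_password": verify_salted(record_a, PASSWORD_A),
        "login_with_wrong_password": verify_salted(record_a, "wrong password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the two unsalted hashes are identical and are found in the table, while the two salted records differ from each other, are not found in the table, and still verify correctly for the right password and reject the wrong one. The salt is not secret in this design; its job is only to make every stored hash unique so that work spent on one user cannot be reused on another.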
