You might have found out that there is a website
that checks if your online accounts have been
compromised by hackers.
So you enter in your email address and OH
You have been pwned!
Hackers now know the passwords that you used
on all these services…
But do they really know your password?
Well as it turns out: that might not be the
To understand why, let’s take a look at
what options companies have to protect your
password and safely store it so that even
when hackers get access to their systems,
your password stays safe.
There are 3 ways a company can store your
password: they store it in plain text, use
encryption on it or use what’s called a
Let’s quickly go over each one of these
and let’s start with the most basic one:
This is obviously the most dangerous way of
If hackers breach a company’s database,
they get to see all the passwords of the users.
And since a lot of people have the bad habit
of using the same password for multiple accounts,
it’s likely that 1 compromised password
could lead to more compromised accounts.
You might think that companies aren’t silly
and that none of them stores our passwords
in plain text.
However you would be very wrong in thinking
Past breaches have shown us that even top
companies and services with millions of users
weren’t adequately protecting user passwords.
One possible alternative to plain text storage
Take the passwords of the users and – before
you store them – encrypt them with an encryption
This would prevent hackers from obtaining
the real passwords of users but it’s still
Underneath the encryption layer is still a
plain text password and so if the attacker
manages to steal the encryption key as well,
he can unlock all passwords.
Encryption is designed to work in two ways:
you can encrypt a user’s passwords to keep
it safe but you can also decrypt it to reveal
the password again.
This is very practical when you want to share
data in a secure way, but not great if you
want to prevent attackers from breaching your
And that brings us to the third technique
of storing passwords and that is by using
a hash function.
How does that work?
Well, hash functions take an input, which could
be a piece of text like your password or it
could be a file, and turn that into a string
of text that always has the same length.
There are many different hash functions available
but here is what the SHA3 hash of “Hello
World!” looks like:
Hash functions are very different from encryption
because they only work one way.
You can calculate the hash of a password but
you cannot take a hash and turn it back into
the original data.
And that’s an interesting property to have.
By using hashes, companies can verify that
you’re logging in with the correct password,
without having to store your actual password.
You can compare hashes to fingerprints.
You can take the fingerprint of any person
BUT if you find a fingerprint somewhere you
can’t identify the person it belongs to,
unless you’ve seen that print before!
However they aren’t perfect either.
Most hashing algorithms are optimized for
speed, the more hashes per second they can
calculate, the better.
And that makes them vulnerable against brute-force
By simply trying to calculate every possible
password, an attacker can reverse the hash
A modern GPU can do this with a speed of 292
million hashes per second (292.2 MH/s) so
it’s only a matter of time before a hashed
password is cracked using this technique.
And if that’s not fast enough, attackers
can also use Rainbow tables to further accelerate
These are lists of precomputed hashes that
can be used to quickly find weak and commonly
The speed of hashing functions is a positive
thing in certain areas.
However when it comes to storing passwords
you don’t want this property.
The second problem happens when users share
the same password.
If both Alice and Bob have the password “qwerty”,
the hashes of their passwords will be identical.
So when a hacker cracks one of these passwords,
he also knows the others.
Now you might think: that’s not a big deal
because it’s very unlikely that different
people will use the same password.
Well think again.
The password “qwerty” has been found more
than 3 million times in data breaches.
To make matters even worse: here’s the top
10 most used passwords in 2017…
Not the strongest of passwords…
To defend against these attacks we can add
what’s called a salt to the password before
we hash it.
The salt is just some random data but it ensures
that the hash of your password will always
be unique, even if others are using the same
So if Bob and Alice both use the password
“qwerty” their hashes will be completely
So if an attacker cracks Bob’s password,
he can’t link that password to Alice and
he has to start his cracking attempt again.
This technique prevents attackers from cracking
a bunch of passwords in 1 go.
It makes a brute force attack slower, but
still very much possible.
So to solve this, we have to take a look at
the third technique, which is using special
hash functions that are deliberately being
Examples of these are bcrypt, scrypt or argon2
and they completely neutralise brute force
These algorithms take a password as input
along with a salt and a cost.
This last one is very interesting: the cost
defines the number of rounds the algorithm
goes through and this effectively slows it
Over time our computers become faster and
so brute force attacks against these algorithms
That’s because they can simply try more
combinations in a shorter timespan.
All we have to do to counter this is increase
the cost parameter so the algorithm remains
resistant against these attacks.
So those are the 3 options that a company has
to store and protect your passwords.
But why settle for just one method if we can
You can’t be greedy enough when it comes
This multi-layer protection is used by Dropbox
They take your password and start by running
it through a simple hash function, no salt.
This is their first line of defense.
They then take the hash and run it through
the bcrypt algorithm with a salt and a cost
This prevents brute-force attacks.
And finally the resulting hash is encrypted
with the Advanced Encryption Standard or AES.
The encryption key for this is not stored
in their databases but is instead kept separately.
So if attackers breach the Dropbox database
they will have to peel away each protective
layer around your password and that will take
a lot of time.
In fact, the cracking attempt would likely be
more costly than what they’d get in return for
compromising your account.
So time for a conclusion then: if your
account has been compromised, it’s best to
change your password immediately.
However depending on the security measures
of the company that was compromised, it might
be possible that hackers haven’t been able
to retrieve your password.
That’s thanks to the magic of hash functions
and cryptography in general.
So now you know how companies can safely store
That was it for this video.
If you learned something from it: hit the
thumbs up button and consider getting subscribed.
And as always: thank you very much for watching!