Saturday, October 19, 2013

Smaz Explains Stuff™ episode 1: Hashing and Computer Passwords and Salt

Hey guys! Lately I feel like I haven't talked to you guys about stuff. Like, interesting inter-personal stuff and over-analysing group politics yes, that's definitely been a subject of discussion (and I gotta say, I kinda love it!) But like, cool instances of science and interesting nature things and stuff like that, not really. Also sometimes I find really interesting and/or clever things where I'm like 'this is actually really cool, I wanna tell people about it!'
And I feel like I should be writing more things because writing is both an area that I'm becoming really interested in these days, and a skill that I need to improve... seeing as this blog is pretty slow atm I decided to do that here.
So I am starting a new internet-text-and-also-sometimes-photo-blog-post series on this internet-text-and-sometimes-photo-blog, called "Smaz Explains Stuff™". Without further ado, let's venture together into this exciting and interesting world of things being explained!


EPISODE 1: HASHING AND COMPUTER PASSWORDS AND SALT
Have you ever wondered how come computers can have passwords that are somehow stored on the computer, and why any old hacker can't just get your passwords by looking up wherever they are stored? This was always something I wondered about computer passwords. Like, just how secure can they be? The passwords have to be on the computer somewhere, right? So what's the point of even having a password if you can just go look it up?

The answer? Actually, it's really really secure, even at a basic level of protection. This is because of a process called hashing. (Hashing is related to hashtags, but that's kind of different.) Essentially, hashing is a method of creating a unique number or string (letters and numbers in sequence) based on any possible input. The most important part of hashing is the idea that if you give it the same input, you will always get the same output. Any change at all to the input, no matter how small, will result in a different output.

What's this got to do with computer passwords? Well, so much you have no idea. It's pretty simple actually: if the hash will always be the same for your password, all you have to save is the hash, which in no way indicates the password - hashing algorithms are designed to be non-reversible. When you enter a password into the computer, the first thing the computer does is hash it. It checks that the hash is the same as the stored one, and if it is, hooray! You win.
For example, say my computer password was 'password'. If I run that through a hashing algorithm, I might get something like 'a3E' as the hash of that. Then say a hacker comes in and manages to find the list of passwords on my computer... they now have 'a3E'. This tells them nothing about what the password is, only that running it through an algorithm produces 'a3E'.

Pretty cool right? (The answer is yes, it is in fact a pretty cool thing. Not super cool but quite cool.) But wait, there's more! Hashing is intentionally not a standardised thing, so every hashing algorithm will produce different results. But what if the hacker finds the algorithm? Theoretically it's possible for them to reproduce the algorithm, then continue inputting random strings until they find the one that produces the correct hash. This is called a dictionary attack.
One method to combat this involves a 'salt', which is an extra randomly generated word that is stored with each user. Each user gets a unique randomly generated salt. You also store the salt with the user, not just the hash of the password. (You encrypt the salt somehow.) When you enter your password, the computer adds the salt to the end of it, then hashes that.
For example, my password is 'password'. But also, say the salt is 'stuff'. When you set the password, the computer hashes 'passwordstuff' and saves that.
This is clever because even if the hacker can find out what the right string is - in this case, 'passwordstuff' - they have no idea where the password stops and the salt starts. The password could be 'passwor' and the salt could be 'dstuff', which combined still produce 'passwordstuff'; but entering 'passwor' into the computer wouldn't work, because then the computer checks against 'passworstuff'.
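To make the password part concrete, here is a small worked example of both steps above (hash-then-compare, and then appending a per-user salt before hashing). It is added here for illustration and is not code from the post; the function and user names (hash_password, register, login, the 'smaz' user) are my own choices, and it uses SHA-256 from Python's standard library as the hashing algorithm. It also goes one step past the post: it shows that two users who pick the same password end up with different stored hashes once each has their own salt.

```python
import hashlib
import secrets
from typing import Dict, Optional


def hash_password(password: str, salt: str = "") -> str:
    """Hash the password with the salt appended, exactly as the post describes.

    SHA-256 is used here as the hashing algorithm; it always gives the same
    64-character hex string for the same input, and changing a single
    character of the input changes the output completely.
    """
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def register(users: Dict[str, Dict[str, str]], username: str, password: str,
             salt: Optional[str] = None) -> None:
    """Store only the salt and the hash of password+salt, never the password.

    A random salt is generated per user unless one is supplied (a fixed salt is
    handy for demonstrations; real registrations should always use a random one).
    """
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex characters of randomness per user
    users[username] = {"salt": salt, "hash": hash_password(password, salt)}


def login(users: Dict[str, Dict[str, str]], username: str, password: str) -> bool:
    """Re-hash the entered password with the stored salt and compare."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison so the check does not leak how many characters matched.
    return secrets.compare_digest(candidate, record["hash"])


def demo() -> Dict[str, object]:
    """Walk through the post's example with constructed sample users."""
    users: Dict[str, Dict[str, str]] = {}

    # The post's example: password 'password', salt 'stuff' -> hash of 'passwordstuff'.
    register(users, "smaz", "password", salt="stuff")

    # Two other users who happen to choose the same password, each with a random salt.
    register(users, "alice", "password")
    register(users, "bob", "password")

    return {
        # Same input, same output: the property the whole scheme relies on.
        "deterministic": hash_password("password") == hash_password("password"),
        # One character different gives a completely different hash.
        "small_change_differs": hash_password("password") != hash_password("Password"),
        # What is actually stored for smaz is the hash of 'passwordstuff'.
        "stored_is_hash_of_concat": users["smaz"]["hash"] == hash_password("passwordstuff"),
        # The right password verifies; a truncated one ('passwor') does not.
        "correct_login": login(users, "smaz", "password"),
        "truncated_login": login(users, "smaz", "passwor"),
        "unknown_user_login": login(users, "nobody", "password"),
        # Same password, different salts: the stored hashes do not match each other.
        "same_password_different_hashes": users["alice"]["hash"] != users["bob"]["hash"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

One practical note: this follows the post's construction of hashing password+salt with a general-purpose hash. Systems that store real passwords use the same idea but with a deliberately slow password hash (for example PBKDF2 via hashlib.pbkdf2_hmac, bcrypt, scrypt or Argon2) so that the "keep guessing until the hash matches" attack the post describes costs the attacker far more per guess.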

As a side note, hashes are usually much smaller than the inputs, which is a nifty way of checking that any file is exactly what it should be. When you download a large file, for example, your computer downloads what the file's hash should be, then when the download is finished, hashes the file to check that the file is the correct one. This is a way of checking whether the file is incomplete or has been tampered with.
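The file check from the side note, as an added example that is not part of the post: it hashes a file in chunks (so a large download does not have to fit in memory), compares the result with the expected hash, and then shows the two failure cases the post mentions, an incomplete download and a tampered file. The function names and the constructed sample file are my own; SHA-256 is again assumed as the algorithm.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict

CHUNK_SIZE = 64 * 1024  # read the file 64 KiB at a time


def file_digest(path: str) -> str:
    """Hash a file of any size without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's hash matches the published one exactly."""
    return hmac.compare_digest(file_digest(path), expected_hex.strip().lower())


def demo() -> Dict[str, bool]:
    """Simulate a download that is complete, cut short, and tampered with."""
    # Constructed sample 'download': 256 KB, so it spans several chunks.
    data = bytes(range(256)) * 1000
    # In real life this value comes from the download site; here we compute it.
    published_hash = hashlib.sha256(data).hexdigest()

    with tempfile.TemporaryDirectory() as d:
        complete = os.path.join(d, "complete.bin")
        truncated = os.path.join(d, "truncated.bin")
        tampered = os.path.join(d, "tampered.bin")

        with open(complete, "wb") as f:
            f.write(data)
        with open(truncated, "wb") as f:
            f.write(data[:-1])  # last byte never arrived
        with open(tampered, "wb") as f:
            altered = bytearray(data)
            altered[1234] ^= 0x01  # a single bit flipped somewhere in the middle
            f.write(altered)

        return {
            "chunked_matches_single_pass": file_digest(complete) == published_hash,
            "complete": verify_download(complete, published_hash),
            "truncated": verify_download(truncated, published_hash),
            "tampered": verify_download(tampered, published_hash),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash only proves the file is the one whose hash you were given; if the expected hash itself was fetched over the same untrusted channel as the file, someone who can replace the file can replace the hash too, which is why download sites often publish the hash over a separate, trusted channel or sign it.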

EPISODE 1 END.

SO there you go, you have been explained an interesting fact of computer science. I thought I'd start with that because at least one of my 3 majors (!) next year is going to be computer science. How was it for you? Please let me know what you think, if it was understandable, if you found it interesting. Thank you and goodbye.

3 comments:

Lord of the Palmtrees said...

hey smaz i really enjoyed reading this and actually understand somewhat about computer passwords! now i can brag this knowledge to other people to assert some sort of false intellectual superiority!

Xedalenar said...

whoaa that's really cool i love this knowledge

Hoggle said...

yeah man this was awesome. I totally understood that so please do more.