(Continued from page 19) how passwords are stored by a corporation (or website) and how one could go about getting a password (and in particular, YOUR password) from that collection of thousands.

For example, how can it be Cracked? Or Hacked? Or UnEncrypted?

The Banker

But let's go back to basics in time a little bit. To the good old days when taking your money to the bank was a face-to-face activity.

1. You walked up to the teller (remember when they had live people doing that?) and handed them your bank passbook.
2. You gave them your money.
3. They opened up a big ledger book, turned a few pages, and wrote your deposit into your account.
4. How did they know what account to credit the money into? Answer: They looked at your account number in the passbook with your name on it. How did they know it was really your account? Simple. You have a face, which they recognized (you both were members of the same Grange Hall, or perhaps they had voted for you as Mayor or shopped in your general store). Plus, you had 'the passbook.'

Your USER ID = Account # written in the passbook (physical possession)

Your Password (only you have it) = your face (a Biometric Password, aka Facial Recognition)

The Original Two Factor Authentication (2FA)!

The Data

Fast forward to today, and no one is storing your information in plain writing in a big ledger book. Instead, your valuable information, pictures, account balance, or credit card number are all stored as ones and zeros on a computer somewhere. Typically, most of this information is organized in huge databases or files. Some parts of it can be in plain language because it is simple information. However, the parts that give it security from theft should be protected somehow.

That is what happens with your password. When you create a password on a website, that password isn't stored verbatim on the website's server. That's because your password could be published and made freely available (Pawned) (1) if the server's security were compromised. We call that a 'data breach.'

Instead, your password is put through a process called "hashing," which significantly improves security (provided your password is strong enough). In addition, the database record to access YOUR account will now have:

1. Your USER ID = this could be your email address or other name you use as the first entry in your login
2. Your HASHED Password = you must enter a password to verify that they match
3. Your name or other info, which may be encrypted, or plain text
4. Your account number or other internal ID of your account
5. Other data about your account, such as answers to your security questions, preference settings you have made, or any of the other many things about you that set up your use of that online space.

The Hash

Among the more than 50 hash functions in use are MD5, SHA-1, SHA-2, SHA-256, NTLM, and LANMAN. (6)

"Hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm). These algorithms essentially aim to produce a unique, fixed-length string – the hash value, or "message digest" – for any given piece of data or 'message.'"

Using a complex algorithm, hashing turns your password (or any other piece of data) into a short string of letters and numbers. (3) It is a short 'indicator' of the original text. [Note that they are not compression functions such as ZIP files that errorlessly retain all the original content. I will discuss this in detail in Part 2.]

If a website or corporation is hacked, the hackers don't get your password. Instead, they just get access to the database with the encrypted "hash" created by (Continued on page 21)
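As an added illustration (not part of the bulletin), the Python below builds an account record like the one described above, in which only a hash of the password is stored, and then checks a login attempt by re-hashing it. The user id and password are constructed sample values; the record uses a per-user random salt with PBKDF2-HMAC-SHA256 rather than a bare MD5/SHA-1 hash, so two users with the same password do not end up with the same stored value.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the article).
USER_ID = "alice@example.com"
PASSWORD = "correct horse battery staple"
ITERATIONS = 200_000  # work factor: slows down offline guessing of a leaked hash


def digest_lengths(message: str) -> dict:
    """Show that each algorithm maps any input to a fixed-length hex string."""
    data = message.encode("utf-8")
    return {
        "md5": len(hashlib.md5(data).hexdigest()),        # 32 hex chars (128 bits)
        "sha1": len(hashlib.sha1(data).hexdigest()),      # 40 hex chars (160 bits)
        "sha256": len(hashlib.sha256(data).hexdigest()),  # 64 hex chars (256 bits)
    }


def make_record(user_id: str, password: str) -> dict:
    """Build the stored account record: the password itself is never kept.

    A fresh random salt plus a slow, iterated hash means equal passwords
    produce different stored values, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user_id": user_id, "salt": salt.hex(), "password_hash": pw_hash.hex()}


def verify_login(record: dict, password_attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare it to the stored hash.

    hmac.compare_digest takes the same time whether or not the values match,
    so an attacker cannot learn anything from response timing.
    """
    salt = bytes.fromhex(record["salt"])
    attempt_hash = hashlib.pbkdf2_hmac(
        "sha256", password_attempt.encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(attempt_hash.hex(), record["password_hash"])


if __name__ == "__main__":
    record = make_record(USER_ID, PASSWORD)
    print(record)                          # the record holds no plaintext password
    print(verify_login(record, PASSWORD))  # True
    print(verify_login(record, "wrong"))   # False
    print(digest_lengths("a"), digest_lengths("a" * 10_000))  # same lengths
```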
Cyber Awareness Bulletin 20 October 2021