…which are two separate topics for today.
I’ve been frustrated recently with my drift towards simple link-based posts drawing attention to a topic instead of presenting (and thus forcing myself to do more) original thinking.
I’m planning to sort that by writing on:
- topics I need to understand better
- things I find fascinating, and
- topics where I’m annoyed by my ignorance.
While I’m broadly planning to use it for that attempt to study more history that I’ve mentioned before, Daniel has also pointed out Reddit as a good place to look for all three.
Unfortunately, I got distracted by an article that gave me the last piece of the puzzle for understanding how encrypted passwords (and the hacking thereof) works. I’d share that with you, but it depends a lot on the idea of hashes, so let me tell you about hashes instead.
Hashes are* a way to check encrypted information (read: information in code) without decrypting it.
To get a hash, start by encrypting your message, then run it through a complicated maths equation – an algorithm – to get a number that was created from the original information, but can’t be used to work backwards to get the original information (at least, not without a lot of work).
For example, imagine your unhashed information is “3922 X 7290” (where that X is a multiplication sign, not part of the encrypted information), and your hash is the resolution of that sum: 28591380. From the unhashed information, it’s very easy to create the hash. But it’s really difficult to work it in the other direction – there are so many equations that could result in the number 28591380 that it would take a ridiculous number of hours to find the right one.
This is enormously valuable for ensuring people can keep information (like their bank password) secret while still communicating it over the open internet. If anyone tampers with your message, the resulting hash will be dramatically different, just like if you try changing one digit in the sum above – you’ll get an answer that’s obviously different.
However, this is also the reason why you need to avoid passwords like “password” or “123456” for any information you want to keep at all safe. There are only a few secure encryption systems around, and the systems themselves aren’t that hard to get hold of. This means an enterprising coder can run common passwords through an encryption system and find out what the hash for “password” looks like. Hey presto! If they can intercept the hash for the information, anyone using “password” has just given away their password**. This isn’t especially rare – it’s possible to buy hash tables online.
The moral of the story: take the extra three seconds to think of a proper password! Or use LastPass or a similar password management system. I’ve got an evaluation of LastPass on the way, but the short version is: do it.
*While I’m writing this in the definitive, I’m also learning as I write. Keep in mind that
a) it’s entirely likely I’ll get some details wrong. If you need to be definite, do your own research. 😉
b) in six months, this post will be useless as an indication of what I know about the topic.
** Wikipedia does a pretty good job of explaining this.