Three random words or #thinkrandom

When you choose a password for a reputable site, the site does not normally store it in a directly readable form. Instead, the password is passed through a one-way mathematical transformation known as ‘hashing’.

This process converts the plaintext password into an unreadable string called a password hash, which is what the website keeps. The important property of hashing is that it is one-way: reconstructing the original password from its hash is extremely difficult. When you return to the site and enter your password, the system recalculates the hash and compares it with the stored version. If the two are identical, access is granted.

If a malicious actor somehow obtains a database of password hashes, they may employ various attack methods to recover the passwords. One common method is a ‘dictionary attack’, in which they hash lists of known words and common variations (such as substituting ‘1’ for ‘i’) and check whether any result matches a stored hash. If a match is found, the original password is revealed.

While this might seem labor-intensive, modern computing power allows such a process to complete in seconds. If a dictionary attack fails, the attacker might resort to a ‘brute force’ method, trying every possible combination of characters until the password is found. Long, random passwords that include special characters make this task far harder for any computer, because the number of combinations to try grows exponentially with length.

Note: Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
