Newsletter

Password-based Authentication

By David Puzder

Virtually every online account requires a password. Many account providers require additional authentication steps, like the Duo push alert, to increase security. As for password-based authentication, the principle is relatively straightforward: the user provides an account name or identifier (ID) plus a password, and the system compares the given password to the stored password.

At face value, this principle has obvious pros and cons. Namely, only the rightful user should know the password, so only the rightful user should be able to enter it. However, since passwords are “something known,” they can be leaked, and security breaches happen often, like the recently rumored TikTok breach. If a system were to simply store unencrypted passwords in its database, then a data breach could be catastrophic. Imagine if your bank account password was readable by anyone who accessed the bank’s user database. To mitigate this risk, a security technique called salting and hashing protects the confidentiality of a user’s password, even from the people who operate the system. Briefly, here is how the technique works.

Salting and Hashing

A user submits a password at the login screen. Within the system, a random value (the salt) is appended to the password; because each user gets a different salt, two users who choose the same password still end up with different results. Next, the “salted password” goes through a hash function. The process looks like this.

hashFunction(Password + Salt) = unique gibberish

The unique gibberish is extremely useful! Given the same input, the hash function will produce the same unique gibberish every time. It is virtually impossible to reverse this operation, so one cannot take the unique gibberish and produce the correct password. This unique gibberish is often called the “hashed password.” A system will store the “hashed password” in its database beside the respective user ID and salt value.

Any time the user enters their password at the login screen, the system will compute the “hashed password” again and compare it to the one in the database. If they match, then the user gains access. The best part about this technique is that nobody’s unencrypted passwords are accessible – not even to the database engineers! If a hacker somehow accesses the database with user information, it will be extremely difficult to determine anyone’s password.
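The registration and login flow just described, as an added example that is not part of the original newsletter. It uses PBKDF2-HMAC-SHA256 as the hash function (a deliberately slow password hash, chosen for this example; the article does not name a specific function), a fresh random salt per user, and a constant-time comparison at login. The store, user names, iteration count and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Example parameters (assumptions, not from the newsletter). A slow, iterated
# hash makes every guess expensive; production systems should use a current
# recommended iteration count or a dedicated password hash such as Argon2.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """hashFunction(Password + Salt): derive the 'hashed password' from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, user_id: str, password: str) -> None:
    """Store only the user ID, the salt and the hashed password; the plaintext is discarded."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    store[user_id] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(store: dict, user_id: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare it to the stored hash."""
    record = store.get(user_id)
    if record is None:
        # Hash anyway so an unknown user takes about as long as a wrong password,
        # which keeps timing from revealing which user IDs exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Constructed walk-through: two users with the same password, one login each way."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    register(store, "bob", "correct horse battery staple")  # same password, different salt
    return {
        "alice_ok": verify(store, "alice", "correct horse battery staple"),
        "alice_wrong": verify(store, "alice", "Correct horse battery staple"),
        "unknown_user": verify(store, "carol", "anything"),
        "hashes_differ": store["alice"]["hash"] != store["bob"]["hash"],
        "plaintext_absent": all("correct horse" not in str(v) for v in store.values()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `hashes_differ` result shows why the salt matters: without it, everyone who picked the same password would share one stored hash, and cracking one would crack them all. The `plaintext_absent` check makes the article’s point concrete: nothing in the stored records contains the password itself.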

Salting and hashing do not absolutely conceal one’s password. This article will not cover how hackers guess passwords against this technique (read “What is a dictionary attack? How to prevent it” on NordVPN), but it will teach you how to further protect against their efforts.

Further Harden Your Account

When choosing a password, it is essential to make it available to you when you need it (i.e., memorized or stored somewhere only accessible to you, like a password vault), but hard to guess. Password managers make this job more manageable by providing convenient features without compromising security. Below are three features to look for when choosing a password manager service. You may also do these yourself!

Regardless of your choice in password management, it is always prudent to enable multi-factor authentication. Enabling push-based notifications in Duo is even more secure than using text or email options.