Newbie question about password hashing

mxmaniac

Member
Dec 8, 2013
29
0
0
This may be an oversimplified question, but I recently have read a lot about hashing of passwords and it made me wonder. Since passwords are hashed, do most websites or any admins in general have no way to know what your password is, even on their own system?

For example, I always used to think, you sign up for yahoo mail, the almighty admin guys know your password. If one of those guys was a crook, he could easily think "hey, this guy probably uses that password for everything, let's try his bank account". But now that I hear about password hashing I wonder if that is true, or if it all happens so securely even the admins can't find it out?

And if so, what about local networks? Can the IT guys at most companies see most employees' passwords, or are they securely encrypted/hashed in such a way that the IT guys can't even know?
 

MustISO

Lifer
Oct 9, 1999
11,928
12
81
Any decent system would not reveal the password when it's stored. In a company environment, no one can see what the password is currently set to. They can change it but can't see it in plain text without "cracking" it with software.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
A decent system should hash (*) the passwords, so that only the hash is stored. This way, if the database is breached, the password itself cannot be recovered.

However, incompetently designed systems are common. Anything from a well known commercial company (e.g. MS, Apple, etc.) in general will use best practice. The problem comes with niche or specialist or custom software where developers may not be aware of best practice for security.

For example, medical software is a very niche market, so the developers often have to get a product to market at minimum cost while verifying the basic functions, so they don't put much effort into security. I've seen plain text passwords stored in databases so the admin could find them, and I've seen weakly (so weak that I could crack it with a pen and paper) encrypted login details cached on the local desktop system, so any user could read them.

(*) Although using a conventional hash (like MD5 or SHA1, etc.) is very common, this is not a good idea, because hashes are designed to be fast. As passwords don't need to be checked often, it's better to use a very complex algorithm (like PBKDF2 or a hash repeated 100 times).
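
An added example (not code from the post) of the difference described above: storing passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, next to the plain unsalted MD5 pattern, and measuring on the local machine how much slower each PBKDF2 guess is for an attacker running a dictionary. The iteration count, the record format and the word list are assumptions chosen for the demo; production deployments use a much higher count.

```python
"""Added example: PBKDF2 storage vs. a plain MD5 hash, with a work-factor measurement."""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Assumed parameters for this demo, not from the post. Real deployments use far
# higher counts (OWASP cites hundreds of thousands for PBKDF2-HMAC-SHA256);
# the count is kept low so the example runs in about a second.
PBKDF2_ITERATIONS = 50_000
SALT_BYTES = 16

# Constructed guess list standing in for an attacker's dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2",
            "summer2013", "iloveyou", "admin", "welcome", "monkey"]


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a key with a fresh random salt; return a self-describing record."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the salt and count stored in the record; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def md5_unsalted(password: str) -> str:
    """The fast, unsalted pattern the post warns against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack(check: Callable[[str], bool], wordlist) -> Optional[str]:
    """Dictionary attack: return the first candidate the checker accepts, else None."""
    for candidate in wordlist:
        if check(candidate):
            return candidate
    return None


def guesses_per_second(check: Callable[[str], bool], wordlist, repeat: int) -> float:
    """Time `repeat` full passes over the wordlist and report guesses per second."""
    start = time.perf_counter()
    for _ in range(repeat):
        for candidate in wordlist:
            check(candidate)
    elapsed = time.perf_counter() - start
    return (repeat * len(wordlist)) / max(elapsed, 1e-9)


def slowdown_factor(password: str = "summer2013") -> float:
    """How many times slower one PBKDF2 guess is than one MD5 guess on this machine."""
    md5_target = md5_unsalted(password)
    record = hash_password(password)
    fast = guesses_per_second(lambda w: md5_unsalted(w) == md5_target, WORDLIST, repeat=2_000)
    slow = guesses_per_second(lambda w: verify_password(w, record), WORDLIST, repeat=1)
    return fast / slow


if __name__ == "__main__":
    rec = hash_password("summer2013")
    print("stored record:", rec)
    print("correct password verifies:", verify_password("summer2013", rec))
    md5_target = md5_unsalted("summer2013")
    print("MD5 cracked as:", crack(lambda w: md5_unsalted(w) == md5_target, WORDLIST))
    print("PBKDF2 cracked as:", crack(lambda w: verify_password(w, rec), WORDLIST))
    print(f"one PBKDF2 guess costs roughly {slowdown_factor():,.0f} MD5 guesses")
```

Both schemes fall to a dictionary that contains the password; what the slow derivation buys is that every guess costs the attacker the same tens of milliseconds it costs the server, so the same word list takes thousands of times longer. The record carries its own iteration count so the count can be raised later without invalidating old entries.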
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
Unless a sysadmin is shady, they don't *want* to know your password. If they know your password, accountability goes right out the window. They want to be able to look at the logs and go "John Smith was logged into that PC from 9am to 5pm." They absolutely don't want to be able to go "maybe John Smith was logged in, or maybe it was me because I have his credentials."

Having the finger pointed at you and having to prove it *wasn't* you who did XYZ on a corporate PC is not a fun game to play. We don't want to be potentially liable for a data breach; not knowing your users' passwords is a pretty big "cover your ass" point when it comes to user accountability. Sysadmins don't need it, they can reset it or use their own admin credentials to get in.

That being said, no, the Yahoo mailserver admins aren't sitting there skimming through your private emails all day. They're too busy actually administering mailservers to snoop on strangers. However, there are definitely people with direct access to the mail database that *can* see your mail, and they're absolutely doing datamining on the whole of the mail database that you consented to via the ToS of the service. Selling that datamined info is how they profit by giving you a free service, just like gmail, facebook, twitter, and all the rest. Expect no privacy from someone else's servers.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
To be fair, most systems use weaker hashes such as MD5.

This hash type is vulnerable to all sorts of cracking attacks including full key-space rainbow tables, allowing the cracking of passwords of nearly arbitrary complexity.

Ideally, someone would use a good hashing algorithm like SHA3 or RipeMD along with a key-stretching algorithm like bcrypt.

This makes cracking even simple passwords a rather strenuous task, but is still easy for a system to process forward authentication.

In this case, with a strong password, you can really believe that administrators cannot read your password.

Keep in mind, even in systems with strong password hashing, such as SHA3, provided they aren't salting or stretching, you can simply take that hash and apply it to certain other types of systems that use a similar algorithm.

Windows is subject to this. It uses a hash called NTLM and you can simply take the hash (without bothering to crack it) and log into another system using the raw hash. In this way, you can hop between systems that have the same password, without ever knowing the password. It's a glorious oversight for hackers.

Enjoy!
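
An added example, not code from the post, for the two points made above about unsalted hashes: a precomputed table built once answers every user of every system that uses the same unsalted algorithm, and equal digests on two such systems reveal a shared password with no cracking at all. Per-user salts break both. The two account databases and the candidate list are constructed for the demo; the Windows pass-the-hash login is a protocol-level replay and is not simulated here, only the hash-matching step that makes it possible.

```python
"""Added example: what salting changes for precomputed tables and cross-system hash reuse."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not from the post): two unrelated systems whose
# users chose passwords independently. alice and carol reused theirs on both.
SYSTEM_A = {"alice": "hunter2", "bob": "letmein", "carol": "Tr0ub4dor&3"}
SYSTEM_B = {"alice": "hunter2", "bob": "summer2013", "carol": "Tr0ub4dor&3"}

# Constructed candidate list standing in for the keyspace a rainbow table covers.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "hunter2", "summer2013"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Hash each password with no salt, as the careless system does."""
    return {u: digest(pw.encode("utf-8")) for u, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Per-user random 16-byte salt stored beside the hash as (salt_hex, hash_hex)."""
    out: Dict[str, Tuple[str, str]] = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), digest(salt + pw.encode("utf-8")))
    return out


def crack_unsalted(db: Dict[str, str], candidates: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Build the table once; it then answers every user of every unsalted SHA-256 system.
    Returns (user -> recovered password or None, number of hashes computed)."""
    table = {digest(c.encode("utf-8")): c for c in candidates}
    return {u: table.get(h) for u, h in db.items()}, len(candidates)


def crack_salted(db: Dict[str, Tuple[str, str]], candidates: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """The salt forces the attacker to rerun the candidate list for each user."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    for u, (salt_hex, h) in db.items():
        salt = bytes.fromhex(salt_hex)
        found[u] = None
        for c in candidates:
            work += 1
            if digest(salt + c.encode("utf-8")) == h:
                found[u] = c
                break
    return found, work


def users_with_equal_unsalted_hash(db_a: Dict[str, str], db_b: Dict[str, str]) -> List[str]:
    """Equal unsalted digests on two systems prove equal passwords without cracking."""
    return sorted(u for u in db_a if u in db_b and db_a[u] == db_b[u])


def users_with_equal_salted_hash(db_a: Dict[str, Tuple[str, str]],
                                 db_b: Dict[str, Tuple[str, str]]) -> List[str]:
    """With independent salts the same comparison tells the attacker nothing."""
    return sorted(u for u in db_a if u in db_b and db_a[u][1] == db_b[u][1])


if __name__ == "__main__":
    ua, ub = store_unsalted(SYSTEM_A), store_unsalted(SYSTEM_B)
    print("same password on A and B (unsalted):", users_with_equal_unsalted_hash(ua, ub))
    print("unsalted A cracked:", crack_unsalted(ua, CANDIDATES))
    print("unsalted B cracked with the same table:", crack_unsalted(ub, CANDIDATES))
    sa, sb = store_salted(SYSTEM_A), store_salted(SYSTEM_B)
    print("same password on A and B (salted):", users_with_equal_salted_hash(sa, sb))
    print("salted A cracked:", crack_salted(sa, CANDIDATES))
```

The hash counts returned by the two crack functions are the point: the unsalted table costs one pass over the candidates for an unlimited number of users and systems, while the salted database costs a fresh pass per user, and that multiplier is what a stretching function like PBKDF2 or bcrypt then makes expensive per guess.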
 