Courtesy of the most recent AMV Hell, I’ve been amassing quite a list of anime I want to sit down and watch at some point. I used to keep them in a simple text file but, as I’ve been making an effort to catalogue my book collection in the cloud, I decided to use a tool that many of my friends use: MyAnimeList. So, I registered an account and it tells me to check my email for the activation link. Meh, no big deal. I open GMail, find the right one, open it and OH WHAT FRESH HELL IS THIS?!
This is WRONG. So so so so very wrong.
Now, if you’re not a “computer person”, you might not be able to see what is so wrong here. You’re probably thinking, “I don’t get it. It’s just your username and password. What’s the big deal?” Well, that is the big deal. Not so much the username part (that doesn’t really matter), but the password part.
MyAnimeList knows my password.
“Well, of course they know your password,” you’re saying, “How else would they be able to know if you’re giving them the right one when you’re logging in?”
Well, that’s the thing: they don’t need to. In fact, a properly built website doesn’t know anyone’s password. Google doesn’t. Microsoft doesn’t. Your bank had better not. And they don’t for a very good reason: holding everyone’s actual password in one place is a humongous security risk.
So how can they be able to both authenticate you and not know your password at the same time?
Let’s start by learning how passwords work. The simple idea behind a password is to restrict access to a resource so that only people who are allowed are able to use it. Originally, these were for physical locations. It was, literally, a word that let you pass through the barrier to entry.
When computers came along, this idea of a password was simply recreated, except this time they were smart about it. In the 1970s, Unix began storing a hash of each password rather than the password itself.
“What’s a hash?”
A hash is the end result of feeding your password into a math machine that spits out something called a digest. No matter how long or complex the password, a given machine always produces a digest of the same length. The machine only runs one way: you can’t give it a digest (hash) and have it spit out your password. And even the slightest change in the input, one character, one capital letter, gives a completely different hash.
This image breaks it down pretty well.
“So you’ve thrown math at me. What does it mean?”
Well, think of it this way. If websites stored a hash of your password instead of your password…
“…then I could log in with my password and they wouldn’t need to know it because they have the hash!”
Exactly. When you log in, the site runs what you typed through the same machine and checks whether the digest matches the one it stored. It never needs the password itself, which also means it can never email it back to you. A site that can is storing the real thing. And now you also know why websites that store passwords in plain text (not hashed) are so scary: if you don’t use a different password for every site, anyone with access to the database where your password is stored can use it to impersonate you on a number of different sites. Hashing alone isn’t the end of the story, either. A fast, unsalted hash can be guessed at billions of tries per second, so a careful site adds a random salt to each password and uses a deliberately slow hash. But even the simplest hash beats what MyAnimeList did.
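To make the two points above concrete (what a hash does, and how a site checks your login without ever storing your password), here is an added Python example. It is not code from the original post or from MyAnimeList. It uses SHA-256 to show the fixed-length and “tiny change, totally different digest” properties, then stores and verifies a password with a salted, deliberately slow PBKDF2-HMAC-SHA256 from the standard library. The iteration count and the record layout are illustrative assumptions, not anyone’s production settings.

```python
import hashlib
import hmac
import os

# --- Part 1: the properties of a hash, using SHA-256 ---------------------

def sha256_hex(data: str) -> str:
    """Feed a UTF-8 string into the 'math machine' and return the digest as hex."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def digest_length_is_fixed(*inputs: str) -> bool:
    """True if every input, short or long, hashes to a digest of the same length."""
    return len({len(sha256_hex(s)) for s in inputs}) == 1


# --- Part 2: what a site stores instead of your password -----------------

# Assumed iteration count for illustration. Real deployments tune this
# (or use Argon2/bcrypt/scrypt); the point is that it is deliberately slow.
ITERATIONS = 200_000


def make_password_record(password: str) -> dict:
    """
    Build the database record for a new account.

    The record holds a random per-user salt and the derived key.
    The password itself is never written anywhere.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """
    Check a login attempt against a stored record.

    Re-derive the key from the attempt with the stored salt and iteration
    count, then compare in constant time so timing does not leak how many
    leading bytes matched.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample inputs.
    print(sha256_hex("password"))
    print(sha256_hex("Password"))  # one capital letter, unrelated digest
    print(digest_length_is_fixed("a", "a very long passphrase indeed" * 10))

    record = make_password_record("correct horse battery staple")
    print(record)  # salt + hash + iterations, no password
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "correct horse battery stapl"))   # False
```

Two things worth noticing when you run it: two accounts with the same password get different records because each has its own salt, so a stolen database can’t be attacked with one precomputed table; and the site can answer “is this the right password?” without being able to answer “what is the password?”, which is exactly why it could never email it to you.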
Yep. Now go change your passwords.
look me in the eyes and tell me that if the character you hold near and dear to your heart knocked on your window in the middle of the night and said “drop everything and come with me” you wouldn’t do it you know you fucking would
If The Doctor, Capt. Picard, or AKB0048 asked me to join them, I would.
If Kyubey did, I would kill it.
If the ponies asked me, I wouldn’t, because I know I would become a villain or introduce the avarice of man to their socialist paradise.
All the others, though, totes.