How password authentication works


Ever wondered why most systems can’t tell you what password you used when you signed up? Or wondered if your password was being stored insecurely by a service you were using? How can you even tell if it’s stored securely, and what does that mean?

Let’s look at what authentication is, the two basic ways password authentication works, then how to tell if you’re using the right one.

What is online authentication?

At a high level, authentication is proving you are who you say you are and are allowed to access whatever you’re trying to access.

At an ATM, the authentication is your PIN. You enter those four digits to prove that you are really you and should be able to access the money in your bank account. On a smartphone, you may be using your face or fingerprint to prove that you’re really you and that you’re allowed to access your own phone.

For decades now, the most common way to prove you’re allowed to access an online service is password authentication.

Passwords in clear text

You have likely heard of password-related security leaks. Maybe you even received an email from a service you use letting you know all their user passwords were leaked, and advising you to change your password immediately.

In those cases, the affected services were storing their passwords in clear text. That’s an insecure method for storing passwords, since someone who gets access to such a user database can see what passwords were actually entered.

Many of that service’s users may even use the same password on other services as well. So someone with access to those passwords may be able to unlock multiple services associated with a user.

How should companies store passwords?

The secure method for storing passwords involves some sort of encryption, often using things called hashes and even salted passwords. So what does that all mean?

Think about a shifted alphabet cipher. If you shifted every letter in the alphabet by one letter, the word “abc” would become “bcd.” Of course, that type of encryption is very basic, so the encryption that services actually use is much more complex.

When you set or reset your password, the service first encrypts your password, then stores the encrypted result in the database. Then each time you attempt to log in, it encrypts the password you enter and compares it to the encrypted password in the database. If the two encrypted passwords match, you’ve successfully proved that you’re really you.

The encryption is complex enough that it’s a one-way transformation; this is the “hash” mentioned above. So nobody is able to take the stored, encrypted password and actually know what you originally typed in.

If a user database with encrypted passwords is leaked or hacked, nobody can use those passwords to log in to any of your accounts anywhere, not even the service they actually got the user database from!

Don’t use insecure services

The takeaway is that you shouldn’t use services that store your password in clear text. How can you tell? When you go to log in to a service, click the “Forgot my password” or similarly named link. If it offers to email you your password, it’s definitely storing it in clear text.