Musings/Träumereien/Devaneios

“Thinking like a hacker means studying the tooling that hackers use, attending hacker conferences such as DEFCON [and C-Days 2017 in Portugal], and practicing hacking and exploitation in a lab environment.”

In “Think like a Hacker: A Sysadmin’s Guide to Cybersecurity” by Michael J. Melone

What happens in real life passwords-wise? (I know what I’m talking about; back in the day I was in the trenches doing this for a living…)

The passwords are usually stored in a database with the username, when you enter your username and password one is checked vs another. Obviously if the database was stored "in the clear" anyone who stole it or looked at it would know your password. This can't work for anywhere where the user accounts must be secure - even from employees, which is basically everywhere. So, what is done is that the password is "hashed" which means that it is encoded using a one-way conversion formula. If I have the formula and the password I can reproduce the hash result, that's a match! I can open your account! That's what a website does when you enter the right password. But if you just have the hash then if you give that to the website it will apply the formula and create a different the result and the system will say "no dice". So having the hashes is no use to a hacker.

If you're into Cumputer Science and hacking in particular, read on.