🔐 Passwords: Not Stored, But Transformed
Early computer systems stored passwords directly, but that quickly became a security liability. Today, passwords are transformed into hashes—a one-way cryptographic representation. This means your actual password isn’t stored anywhere. Only the resulting hash is saved, and it cannot be reversed.
🧾 The Hashing Concept
A hashing algorithm takes an input (like your password) and returns a fixed-length string, the hash. These are often used for file integrity checks as well as credential storage.
Example:
md5("monkey123") = 3fdba35f8b3755bd5b8cb90f7776d929
The key idea: even a small change in input results in a drastically different output. But two people using the same password would still produce the same hash.
📂 From /etc/passwd to /etc/shadow
In early Unix-like systems, hashes were stored in /etc/passwd, visible to all users. This led to users discovering who had matching passwords. Later, hashes were moved to /etc/shadow, readable only by root, improving confidentiality but not stopping offline attacks.
🧂 Enter the Salt
A salt is a random value added to the password before hashing. This doesn’t make the hash unrecoverable—it’s not meant to—but it ensures every user has a unique hash, even if they use the same password.
Hashing without salt:
md5("monkey123") = 3fdba35f...Hashing with salt
48596837:md5("48596837monkey123") = e8f94af3...
🔄 Why Salts Matter
Without salts, attackers can use rainbow tables—precomputed lists of common password hashes. With salts, they’d have to regenerate the entire table for every possible salt, making mass cracking infeasible.
🔍 How Hash Cracking Works
Even though hashes are one-way, attackers use brute-force or dictionary attacks:
- Try many password guesses
- Hash each guess
- Compare to the stored hash
This is where tools like John the Ripper or Hashcat come into play. These tools can:
- Detect common hash formats (MD5, NTLM, SHA1, bcrypt, etc.)
- Import hashed password files
- Use custom dictionary files or brute-force rules
💻 Example: John the Ripper Usage
john --wordlist=mylist.txt --format=raw-md5 hashes.txt
📁 Hash File Formats
Many password files include the salt and hash in one line. For example:
$1$48596837$e8f94af3...
$1$indicates MD5 crypt48596837is the salte8f94af3...is the hash
🛡️ Security Takeaways
- Never store passwords in plaintext
- Always hash with a strong algorithm and a salt
- Limit access to stored hashes
- Slow hashing algorithms (like bcrypt, scrypt, or Argon2) dramatically increase cracking time
🔍 Privacy vs Anonymity
Anonymity means someone knows what you’re doing, but not who you are.
Privacy means someone knows who you are, but not what you’re doing.
Password protection is more about privacy—you want to control who sees your credentials and how they’re verified. But layered defenses (like encryption + hashing + salting + access control) bring you closer to both.
🔧 Next Up: Verifying File Integrity Using Hashes
We’ll build on this concept by showing how hashes are used outside of login systems, like verifying software downloads or detecting tampering.
🎓 Tools Mentioned:
johnhashcat/etc/shadowopenssl passwd -1
