0

Do web based email providers like Gmail, hotmail encrypt user account passwords when saving them to their database? If they do, why does account information get leaked after a hack?

Mike Poole
  • 225
  • 1
  • 2
  • 9
mohits00691
  • 13
  • 2

1 Answers1

2

They are not encrypted, they are actually hashed: they are both cryptographic operation with the difference that hashes are irreversible.

One cannot simply "decrypt" a password hash. However, given a password, one can generate a hash for it.

If an attacker has obtained by some mean the content of the password hashes database, he can then think of a random password, compute its hash, compare this computed hash to check if it matches one the hashes stored in the database. If it does, then it means that the attacker has just guessed the right password for the corresponding user!

To make the process quicker, the attacker would use two main means:

  • Instead of thinking of a random password, he will use a very large list of the most frequently used passwords and dictionary words, which will usually already provide him a lot of accounts, but furthermore he will then automatically apply to these potential passwords a set of frequent transformations wrongly perceived as secure by a lot of users.
  • Some password cracking software allow to accelerate the hashing process by using the GPU (the graphic card processor) which happens to be quicker than the CPU for the cryptographic operations required to compute some hash (the effectiveness heavily depends on the exact hash algorithm used, modern recommended hash algorithm are specially thought to fight against this).

Such process will usually not allow to get all passwords from the leaked databases, but it will still allow to get a lot of them: all the weaker ones. So, if you use a strong password, and the website used a proper password hash method, then even in case of a database breach your password may still be safe

Community
  • 1
WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • It's not so much that GPUs (and other, more specialized hardware) are fast at individual hashes - they usually aren't - but that they are extremely *parallel* and can compute hundreds or thousands of hashes at the same time. A modern "enthusiast"-grade GPU can compute billions of "secure" hashes per second. This is why password hashing algorithms try to not only be slow (via high iteration counts, or deliberately slow hashing code), but also RAM-expensive; fast RAM (such as used in video cards) is expensive, and RAM I/O is still a performance bottleneck even when using it. – CBHacking Nov 12 '19 at 22:23