Why do websites like Facebook tell you to set up a new password, when you forget it, instead of telling you your old one?

We all forget passwords, especially nowadays when a password is required to have an upper case letter along with lower case letters and numbers, and symbols are often preferred as well.

So, you tried to log in quite a few times, but all that appeared on the screen was: Incorrect username or password.
In such cases you click on the life-saving “Forgot Password” button. Doing so, you are taken to a page that uses various methods to verify that you are in fact the owner of the account. But even after you have proved your ownership, the website doesn’t tell you what your password is. It rather tells you to set a new password. Why? You obviously already have an issue with remembering passwords, and now they want you to remember a new one? Why can’t they make things easy by just telling you your old password?
The answer is: “Because even they don’t know your password.”
What? That is impossible! If they don’t know my password, how did they know that the password I entered (when trying to login) was incorrect?

Calm down. Let me explain. I am a web-developer too.
Let me make this really simple for you. We will take the example of Facebook here.
Step 1: You created an account
So you made an account: you gave your name, email, phone number and your password. Facebook saved your information in its database. But there is something Facebook did there that was very strange. Facebook didn’t store the password you gave into its database; it stored something else instead. If the password you chose was “willnevertellyou”, then Facebook stored something like this:
What is that? That is what they call a hash. A “hash” is a scrambled, fixed-length form of some text, produced by a one-way function (strictly speaking it is hashing rather than encryption, because nothing can decrypt it, but the author’s “encryption” wording is kept below). That hash stands for “willnevertellyou”, but it is in a secret code language. “willnevertellyou” is the original text and that long hash is its encrypted form.

But why does Facebook do that? See, the advantage of a hash is that it is one-way encryption. What that means in plain English is that you can change “willnevertellyou” into that hash, but you can’t do the reverse. Take it this way: I give you this:
And I say, “find out what the original text of that hash was”. You can’t do that. You cannot convert the hash back to the password, but you can convert the password to the hash.

When Facebook stores hashes in its database, it has one big benefit. If someone, somehow, hacks into the database of Facebook and steals all the user information, the information will be useless to the hacker. Why? Because the hacker didn’t get your password, did he? He just got a long series of meaningless numbers and letters (the hashes) that he can’t use to log into your account. He has the hash, which can’t be converted back into the password. If he enters the hash into the Facebook login page, he won’t be able to log in. You’re safe.

Step 2: You log in
But the question is: if Facebook doesn’t have my original password, how does it check whether the password I enter while logging in is correct or not? The answer is simple.

As I said, you cannot convert the hash back to the password, but you can convert the password to the hash. And every time you hash the same password, the hash you get will be the same.

Let’s say you tried to log in. You entered a wrong password: “abeautifulmind”. Facebook will hash the password you just entered, and the hash will be this:
Facebook will compare it to the hash Facebook has in its database, which is:
They don’t match, which means the password you have just entered is not the one you entered when you signed up.
Facebook says: Incorrect username or password.
Not telling you whether the password or the username was wrong prevents hackers from identifying valid usernames without knowing the passwords.
So you put some pressure on your memory and then type “willnevertellyou” (the correct password). Facebook hashes it, and the hash it gets is:
Facebook compares it to the one it has in its database, which is:
Perfect match! “Welcome to Facebook”.
So if you enter the right password, its hash will be the same as the one Facebook stored when you signed up. Hash the same text again and again, and you get the same hash again and again.

But then how do hackers hack accounts?
All security systems have flaws. The hash I used above was a type of hash called an MD5 hash. It is a very common one. But people found ways to reverse MD5 hashes (using methods like rainbow tables, which are precomputed lists of passwords and their hashes). Supercomputers can do that at the rate of hundreds of thousands per second.
But worry not, that was just an example. Facebook uses far stronger hashing algorithms. One of the good ones is bcrypt. It takes a supercomputer two seconds to crack one bcrypt hash. A normal computer would take days. And to crack a whole database? Tough stuff.

Another way is to use “salted hashes”: a random value (the salt) is stored next to each hash and mixed into the password before hashing, so two users with the same password get different hashes. This makes rainbow tables and other precomputation methods ineffective.
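To make Steps 1 and 2 and the salting point concrete, here is a small added example (my own illustration, not Facebook’s code). The first two functions reproduce the plain MD5 scheme used in the article; `register` and `verify` show the salted, slow alternative using PBKDF2-HMAC-SHA256 from Python’s standard library, which I have used in place of bcrypt only because it needs no extra package. The 16-byte salt, the round count and the record layout are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

def md5_hash(password: str) -> str:
    """The article's example scheme: plain, unsalted MD5.
    Hashing the same text always gives the same 32-hex-character digest,
    which is exactly what makes rainbow tables work against it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_login(stored_hash: str, attempt: str) -> bool:
    """Step 2: hash the typed password and compare with the hash saved at sign-up.
    compare_digest avoids leaking how many characters matched via timing."""
    return hmac.compare_digest(stored_hash, md5_hash(attempt))

# Salted, deliberately slow hash. Round count is an assumed value; higher is slower to crack.
PBKDF2_ROUNDS = 200_000

def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Step 1 done properly: a fresh random salt per user, stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}

def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt using the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(bytes.fromhex(record["hash"]), digest)

if __name__ == "__main__":
    # Passwords from the article; the digests themselves are computed, not quoted.
    stored = md5_hash("willnevertellyou")
    print("wrong password accepted? ", md5_login(stored, "abeautifulmind"))
    print("right password accepted? ", md5_login(stored, "willnevertellyou"))
    # Two users choosing the same password: identical MD5, but different salted hashes.
    print("same MD5 for both users:", md5_hash("willnevertellyou") == stored)
    alice, bob = register("willnevertellyou"), register("willnevertellyou")
    print("same salted hash for both users:", alice["hash"] == bob["hash"])
    print("alice logs in:", verify(alice, "willnevertellyou"), "| bob typo:", verify(bob, "abeautifulmind"))
```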
So the next time you forget your Facebook password, don’t feel bad; Facebook doesn’t remember it either.


Written by: Muhammad Rohan Hussain
