Open in app

Sign in

Write

Sign in

Paul Harker
5 min readJul 7, 2015

In a recently discovered and little-known symposium, Socrates takes his followers through data security in the internet age. Of course, Plato was taking notes, the little creep. His minutes are replicated here exactly.

Socrates: Young fellows, do settle. Please, I have a lot to impart today. I don’t have time to hang around listening to you lot blather about love and hermaphrodites all day.

Young fellow: You’re not going to do that thing you do where you ask us questions and expect the truth of things to sort of emerge, like a test-driven conversation, are you?

Socrates: What do you think I’m going to do?

Young fellow: *sigh*

Socrates: So, what do we know about passwords? What is a password? Why do we have them?

Young fellow 2: We use them to keep undesirables out of our data. Without passwords, the world would be in chaos. Credit-card information and sexts would flow like regurgitated wine in the Vomitorium.

Socrates: What have you been doing in the entrance or exit passage to my amphitheatre? And isn’t that the Romans?

Young Fellow 2: Which ones are we again?

Socrates: Anyway, you’re quite right. Passwords need to be stored on the server-side, obviously, because they need to be validated when someone tries to sign in to your service. What problem does this give developers?

Young Fellow 3: All sorts of problems. For one they need to send the password to the server over http, which isn’t all that secure. Secondly, they need to store someone’s password, someone’s life, in their hands. If some deviant with nothing better to do (or noble warrior intent on data equality and freedom of information, depending on your point of view) manages to disaquire a database of its data, well… there’d be hell to pay. Especially as 83% of people only use one password for most of their accounts.

Socrates: Aside from the dubious statistic, bang on.

Plato: I love you Socrates.

Socrates: Quiet, Plato. So how do you send something that you don’t want other people to read during the sending?

Cautious Fellow: A… code?

Socrates: Precisely, my cautious fellow. A code. In fact, a very special type of code called a hash. How secure should the hash be?

All: Very secure.

Socrates: How long should it take someone, a bad person with a good computer, to determine what the password is from this hash?

All: Many years

Plato [just after the others]: Many years, Socrates.

Socrates: No! Never. That’s the answer. There should be no physical possible way that anyone can determine what the password was from your hash.

Young Fellow 1: What do you mean? Doesn’t that mean the hash is just a meaningless string of characters, alphanumeric or otherwise?

Socrates: Not at all…

Clever young fellow: So… you mean… that the same password would produce the same hash… even though there is no earthly way to determine the password from the hash?

Socrates: Exactly, you clever young fellow.

All other fellows: Impossible! Witch craft! What nonsense! etc!

Socrates: Now calm down.

Plato: I’m calm, Socrates.

Socrates: We already know that this kind of thing is possible. Think of modulus… or, in English, which we seem to be speaking, remainders. Plato, what’s the remainder of 16 divided by 3?

Plato: Two, Socrates.

Socrates: Nice try, but it’s one. So we know that 16 divided by 3 gives us a remainder of 1. Clever fellow, if I gave you a remainder of 3, what two numbers had been divided together to leave that remainder?

Clever young fellow: Errr… I… it could be… 19 divided by 4.

Socrates: Good effort! But the truth is you don’t have a clue what two numbers might have been used to make that remainder. It could be an infinite combination of numbers. So that is an example of modulus logic, one of the techniques used in creating the hashes.

The amazing thing about hashes is that although there is no way to get back to the password, a password can still be verified against an existing hash, because a password will always return the same hash, regardless of how complicated it is. But this does lead to one problem; can anyone see it?

Another clever fellow: Well, I suppose it’s to do with that last fact. Passwords always return the same hash. So if you had access to a huge database, a million or more users, then you could search for a hash string that is present many times. The users of that hash probably have a very common password: ‘password’ or ‘qwerty12345’. So it wouldn’t cause too much difficulty to get access to at least a few of your users.

Socrates: Exactly! When your IT Admin is telling you to have a slightly rarer password, he or she is not just doing it so that people can’t ‘guess’ your password — although with brute forcing techniques, that is a risk. They’re doing it so that some hash doesn’t stick out from their database like a bald head to one of those birds that drop tortoises to break their shells.

Aeschylus: What?

Socrates: Nothing, don’t worry. But this ‘similar hash’ problem isn’t as big as you might think, for as usual, someone clever has figured out a solution. And they’re called Salts. Anyone care to guess what a Salt might do?

Fellow x-1: Is it something that somehow makes each hash unique?

Socrates: Well, I guess if you say something incredibly vague it does increase your chances of being half-right. So yes, that’s basically correct. A salt is stored alongside a user ID, and is just a string of random characters. The database always knows that this string of characters is associated with that user, so when it sets up the user’s hash, it adds this Salt to the beginning. This makes a totally unique hash (to a significant level of probability) and can still be verified with any entered password at log-in by adding the Salt and turning the resulting string to a hash. This will exactly match the hashed n’ salted password stored in the database. Voila! I mean, Eureka.

Fellow x: So, developers need to think about this whenever they create a sign up and password database?

Socrates: Well, they should always be aware of security issues, but because it’s so common and it’s on the internet, people have made it easier with platforms and plugins. I use BCrypt.

Fellows: Thanks Socrates. This is all useful information. Hope we don’t have to wait too long for the internet to be invented and all this to come in useful.

Socrates: Indeed.

[Socrates flies away on silk’d wings. He’s so manly.]

Security
Hashes
Tech
Paul Harker

Written by Paul Harker

51 Followers

I live to serve... would be a really good biog if I were a professional tennis player...

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams