Attackers do not guess passwords online by typing guesses into the login site. They steal password files from servers and use them to try to guess passwords. What is in those server files?
How are passwords stored on servers? Servers store each username and a one-way hash of the corresponding password.
For example: johnsmith, e10adc3949ba59abbe56e057f20f883e (username, one-way hash of the password)
What is a one-way hash? It is a mathematical function that is fast to compute, but impossible to reverse.
You can easily reverse addition, subtraction, multiplication, etc. But it is hard to reverse an algorithm that is non-linear.
Simple example: If you know x you can easily calculate y, but if you know y there are at least two x values that match
More complex example: If you know x you can easily calculate y, but if you know y there are infinitely many x values that match
How does one log into a server if the server stores only a one-way hash of the password? Easy. The user inputs the password, the server applies the one-way hash to it and checks that the output matches what is stored in the password file.
Property of a one-way hash: Changing just one character of the input changes many characters of the output. There is no regularity to leverage.
How does an attacker guess passwords?
Come up with many guesses using dictionaries of common words and combinations of these words
Plug each guess into the one-way hash (this function is well-known, it is not secret)
See if output matches anything stored in the password file
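An added example, not part of the original page: the login check, the one-character-change property, and the guess-and-compare loop run by a defender as an audit of their own password file. It assumes the one-way hash is MD5 (the 32-hex-digit value in the page's example has that length); the user alice, her password and the short wordlist are constructed.

```python
import hashlib
import hmac

def one_way_hash(password: str) -> str:
    # Assumption: MD5, inferred from the 32-hex-digit value in the page's example.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed password file: username -> stored hash (no plaintext is kept).
PASSWORD_FILE = {
    "johnsmith": "e10adc3949ba59abbe56e057f20f883e",            # value from the page
    "alice": one_way_hash("correct horse battery staple 7!"),   # constructed
}

# Constructed short list of common guesses.
COMMON = ["password", "123456", "qwerty", "letmein"]

def login(username: str, password: str) -> bool:
    """Server-side check: hash the submitted password, compare with the stored hash."""
    stored = PASSWORD_FILE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(one_way_hash(password), stored)

def differing_bits(a: str, b: str) -> int:
    """Number of output bits (out of 128) that differ between the hashes of a and b."""
    x = int(one_way_hash(a), 16) ^ int(one_way_hash(b), 16)
    return bin(x).count("1")

def audit(password_file: dict, wordlist: list) -> dict:
    """Flag accounts whose stored hash equals the hash of a common guess."""
    guess_hashes = {one_way_hash(w): w for w in wordlist}
    return {user: guess_hashes[h]
            for user, h in password_file.items() if h in guess_hashes}

if __name__ == "__main__":
    print("correct password accepted:", login("johnsmith", "123456"))
    print("wrong password accepted:  ", login("johnsmith", "123457"))
    print("bits changed by one character:", differing_bits("123456", "123457"))
    print("accounts with guessable passwords:", audit(PASSWORD_FILE, COMMON))
```

The audit flags johnsmith because the hash shown on the page is the hash of a password on every common-password list, while alice's long passphrase matches nothing in the wordlist.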