Password security
Now, if apple really doesn’t gather user data (like it claims), why does it warn me that I have the same passwords over multiple apps?
SaraGonzales wrote:
I’m not really satisfied with the content of the explanation but I see your points. Thnx! 🙂❤️
A brief introduction to how passwords work:
If the site is compromised and its user data is stolen, typically the user IDs, personal data and the hashed values of passwords are stolen. However, there is a “brute force” way to find out the original password; simply try every combination of letters, numbers and punctuation with the hash algorithm until the result matches the hashed value of each password. With a powerful computer this will take only a few minutes for a short password (8 characters), but gets exponentially more complicated for longer passwords. By today’s standards a 20 character password is pretty secure, but with improvements in computing technology this won’t last forever.
When hackers have hundreds of millions of passwords to try to crack they will try the shorter ones first; as most people use 8-10 character passwords, this still gives the hackers tens of millions of accounts that they can breach. So your probability of having an account compromised is ultimately dependent on how long your passwords are.
Now on to how Apple, Google, or haveibeenpwned.com know if your password has been compromised. There are cybersecurity companies and individuals that search the “dark web” - the sites that cater to criminals - and buy the data stolen from compromised sites, and test the passwords. The results of their research are then shared with Apple, Google, Microsoft and other companies (and haveibeenpwned.com). When you use a password on your phone Apple can check the lists of compromised passwords collected by the cybersecurity companies, and tell you if it is on the list.
The next question is how Apple can know if you share passwords. There are 2 ways: If the password is already on a compromised list, it includes a count of how many times that password has been included in compromised data stolen from sites. The other way is the Keychain app on your phone, which stores the plain text passwords you enter. If you use Keychain the phone will fill in passwords for you, and the phone can search for duplicates. Note that none of this information goes to Apple; it is all on your phone, secured by your phone’s passcode and your Apple ID password if you enable iCloud sync for Keychain. Apple does not have access to your iCloud data, either, so there is no way Apple can know any of your passwords.
If you use Keychain your phone can also generate strong, random passwords when you create an account on a site, and store it in the Keychain. You don’t even have to know what these generated passwords are, because your phone fills them in.
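The answer above describes four mechanisms: sites storing hashed passwords rather than the passwords themselves, brute-force cost growing with length, checking a password against a list of known-compromised hashes, and a device finding duplicates in its own local store. The following is an added example (not code from the thread or from Apple) that sketches each of those in Python. The breach list is a constructed three-entry sample, not real data, and the prefix lookup only imitates the shape of a range query against a local dictionary; no network call is made.

```python
"""Added example: how hashed storage, brute-force cost, breached-list checks and
local reuse detection fit together. All sample data below is constructed."""
import hashlib
import hmac
import math
import os
from typing import Dict, List, Optional


# --- 1. How a site stores a password: salted, deliberately slow hash -----------
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Dict:
    """Derive a verifier with PBKDF2-HMAC-SHA256. The site keeps salt, iteration
    count and digest; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: Dict) -> bool:
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- 2. Why length matters: size of the brute-force search space ---------------
def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the number of candidates an attacker must try for a password of
    this length over the 95 printable ASCII characters. Each extra character
    multiplies the work by alphabet_size, which is the 'exponential' growth."""
    return length * math.log2(alphabet_size)


# --- 3. Breached-password check that never sends the password ------------------
# Constructed sample of a compromised-password list, keyed by SHA-1 hex digest,
# with a count of how often each appeared in breach dumps.
BREACHED_SHA1: Dict[str, int] = {
    hashlib.sha1(p.encode()).hexdigest().upper(): count
    for p, count in [("password", 10_000), ("123456", 50_000), ("qwerty", 3_000)]
}


def breach_count(password: str) -> int:
    """Hash locally, split into a short prefix and the rest. Only the prefix would
    leave the device in a k-anonymity style range query; the returned bucket of
    matching hashes is compared against the remaining suffix here, locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:]: c for h, c in BREACHED_SHA1.items() if h.startswith(prefix)}
    return bucket.get(suffix, 0)


# --- 4. Reuse detection inside a local password store ---------------------------
def find_reused(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Given a site -> password mapping held on the device, return the passwords
    used for more than one site, with the sites that share them. This needs no
    outside party; it is a lookup over data the device already holds."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in store.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    record = hash_password("correct horse battery", iterations=50_000)
    print("verify ok:", verify_password("correct horse battery", record))
    print("8-char keyspace bits:", round(keyspace_bits(8), 1))
    print("20-char keyspace bits:", round(keyspace_bits(20), 1))
    print("'password' seen in breaches:", breach_count("password"))
    # Constructed local store with one reused password.
    print(find_reused({"shop.example": "Tr0ub4dor", "mail.example": "Tr0ub4dor",
                       "bank.example": "K9#vLm2!xQ"}))
```

The iteration count is set low in the `__main__` demo so it runs quickly; a real site would tune it to the slowest value its login latency budget allows, since that factor multiplies the attacker's per-guess cost directly.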
Well this is an excellent explanation of how stuff works today! Very well elaborated! Kudos! 👏
HOWEVER!
Hashes as you said can be breached and today we have some seriously powerful computers. So no problem for a real hacker.
What you didn’t take into consideration is social engineering hacks + computing hacks. That is EVERYTHING!
IMHO the future is complete biometrics, because if someone forces you to unlock your device with a fingerprint and/or face recognition, you’ve got waaay bigger problems than securing your accounts.
Well I do know how they work because I work in IT. What is your profession?
If I agree with anything you said I know we both will be wrong.