<\/td><\/tr><\/table><\/p>\nSo, Sony Online was hacked. Again<\/a>. The data stolen includes: Name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed<\/strong> password. So the passwords were hashed, which indicates they aren’t completely<\/em> incompetent. <\/p>\n Here is what hashing means:<\/p>\n Hashing takes a chunk of data and, using the magical machinations of math, turns it into a big jumble of nonsense. For example, there is a particular hashing algorithm called MD5<\/a>. In PHP, you can run a common string of characters through MD5 and get a nice random-looking hash out of it. If I give it the word “password”, it gives the following string:<\/p>\n 5f4dcc3b5aa765d61d8327deb882cf99<\/tt><\/p>\n If I give it “passwordx”, then it gives me a different hash:<\/p>\n 3bd27bf850cc36a34ce3b7f0cca6d6b0<\/tt><\/p>\n The idea is that a properly secured system will never, ever store the user’s password to disk. As soon as you create your account on a new forum, the password is hashed, then<\/em> stored. This is why a forum can’t tell you your password if you lose it. It will only allow you to set a new one. It can’t tell you the old password because it doesn’t know it. When you log in, the password you entered is hashed. That hash is compared to the hashed password in the database. If they match, then the original words or phrases must have matched, and therefore you entered the correct password. This is how the forum can verify that YOU have the proper password, even if the forum itself doesn’t have it.<\/p>\n EDIT: No, you CAN’T reverse a hash. See the comment from Joshua Kronengold<\/a> below. Learn something new every day.<\/p>\n But still. So what if the hacker has to wait five seconds for each password? Big deal. That’s not much of a deterrent. Their consumer-level PC will churn them out at the rate of 17,280 a day, which is probably faster than anyone can put them to use. Sure, getting all one million users will take either a long time or a lot of computers, but saying “they can only hack seventeen thousand people a day” doesn’t really inspire confidence. No, we need something more. We need salt.<\/p>\n
\nBeware of any system that can tell you your own password. That means they don’t hash their passwords. If they get hacked, the hacker will have your real password and can use it elsewhere. <\/p>\nNow, you CAN reverse a hash. Go here<\/a>, type in one of the hashes above, and you’ll get the original password back out. Since it’s math, you can get the original by reversing the steps. So it’s not completely secure. HOWEVER, for reasons of mathematics that goes completely over my head<\/a> these algorithms are “easy” in one direction and “hard” in the other. It will take a small number of CPU cycles to hash, and a large number to un-hash. That way your web server can keep up with people logging in, but a hacker will need a lot of computing power if they want all the passwords.<\/del><\/p>\n