# How Password Securing Interface Works /arc-anglerfish-arc2-prod-mco.s3.amazonaws.com/public/YU7KHDITR5HJ7IDCT7ZH5OVLFM.jpg) Source: [MilitaryTimes](https://www.militarytimes.com/pay-benefits/military-benefits/health-care/2020/02/19/hacker-group-targeted-law-firms-released-veterans-stolen-data-related-to-ptsd-claims/) ## Prologue *If you haven't seen it yet, an implementation of this algorithm can be found [here](https://password-securing-interface.adriangjerstad.repl.run).* Ever since the first malicious attack on an infrastructure or network was performed, engineers and mathematicians around the world have created algorithms, ciphers, or codes that help hide personal information. These codes were broken, and engineers and mathematicians built even stronger codes. Today, we live in a world where security is being attacked constantly. Our encryption defenses can stave most of these off, but simple mistakes made by cybersecurity amateurs end up costing billions of dollars in stolen data for company owners and investors. Make no mistake of it, people are brilliant. Some just decide to use there mind for evil. Every code we create can either make or break security. This is why security patches are the most common types of updates on countless popular operating systems. The worst part is: you don't have a choice as to who makes the calls in terms of the security of your personal information. Security is our number one priority when it comes to our identity. And that's where you come in. By creating secure, sometimes even random passwords, you are keeping hackers out of your data for a few more years. Picking the right password, now that's a challenge. Using an algorithm like this, though, makes it matter just a little bit less, keeping our minds at rest for another day. ## The Algorithm This variation of the salting-hashing algorithm many major tech companies like Google and Apple can be run down to just a few simple steps. And trust me when I say, it is tough to get through. ### Salty Passwords? A large part of what makes this algorithm so great is the salt. No, it's not a grain of table salt in your computer that keeps your passwords private, instead, it's a random list of numbers from 0 to 255 called bytes in a string. The integrity of this value is what makes the difference. To understand that, you need to understand how computers generate random numbers. There are two kinds of random number generation; Pseudo-Random Number Generation, and Cryptographically Secure Random Number Generation. That first generator is the kind you find on Google's random number generator, or the kind you used when you first learned about random numbers. The problem with this is that the computer is simply giving you a long list of numbers, and it goes back to the beginning when it reaches the end. The second kind, as the name might suggest, is what we're looking for. It runs on a single number in your operating system called the entropy pool. When I say **“Your computer is watching you... ,”** I mean it. But don't worry; it's all for a good cause. Your cause, in fact. The operating system on your computer grabs the exact time you open arbitrary applications or complete other actions, and uses the milliseconds and nanoseconds to add to your entropy pool. When you want to generate a random number a certain amount of entropy is taken from the pool, and run through an algorithm to give you your number. The amount of entropy required can be determined through some quick exponentiation. To find the amount of entropy required to create a random number, take the number of possible outputs, and take the binary logarithm of it. For example, a number between 1 and 256 takes 8 bits of entropy to generate. (Just for reference, a password should have upwards of 128 bits of entropy, or greater than 3.5×10³⁸ possibilities). Back to the main point, which is generating a salt for our hash. A general salt would be a set of 16/32 random bytes, with 48/96 bits of entropy. After this, we append it to the password for the next step. ### Hashbrowns, Anyone? Instead of potato shreds, a hash (when used in parallel with terms from computing) is thought of as a one-way encryption algorithm that doesn't require a key. It can also be thought of as an algorithm for generating a unique, fixed-size value for any given input. However you think about a hash algorithm, it still provides a great liberty when storing passwords. With it, there are no worries when a database breach occurs, because all it does is leak the hash of your password. Think fast, though, because super computers can crack hashes extremely quickly, so it is important that you not only change your password quickly, it should also be a temporary password that takes up hundreds of characters, so as to avoid a break-in. With these hashes, however, comes a flaw. Because their result is fixed-width in nature, there are only so many combinations you can try before you're practically guaranteed to have duplicates. Modern security systems fight this by using hashing algorithms with an output that has an even distribution across all possibilities, and have longer outputs. Generally, given the nature of exponentiation, adding a few extra bytes to the output each time the previous scheme is broken should be enough. It should also be noted that creating these algorithms, takes tons of skill, effort, patience, and above all else, math. Not to mention the fact that it can be nearly guaranteed for every homeowner in America that no one has enough computing power in their home to test these new algorithms. The final thing to take note of is that these hashes can in some cases be computationally expensive. In other words, it can take quite a bit of time to calculate these hashes, which is what makes PSI work. (Quite a while in the computer world for algorithms like these could still be less than a couple of milliseconds.) ### In The Loop Now to get to the interesting part. PSI calculates a secure hash 1,000,000 times per check. Yes, you read that right; 1 million times. With this in mind, it takes a relatively quick processor a second to check a possible password against the one in a database. This ratio is far better than the nearly 1,000 checks per second a moderately fast computer can compute. Continuing, dictionary attacks generally have to use thousands of checks on each password before it can get even weak passwords. With this, we can turn five seconds into 5,000 seconds for hackers. The best part is that a computer can't take any shortcuts when computing any part of the mapping. This is because the output of a prior hash gets fed into the input of the current hash function, along with the salt. Since it is still inconcievably difficult to get a pair of inputs that, when hashed, result in the same output, it's not even worth trying when you consider the loop of 1 million. ## A Quick Explanation for the Computer Science Nerds At the beginning of the check function, you create a variable that consists of the password's bytestring as derived from [UTF-8](https://en.wikipedia.org/wiki/UTF-8) followed by the salt. After this, a loop begins. In this loop, the variable we set just now becomes the output of the hash of it. It is implied that the output of the hash is a bytestring. We then append the salt back onto the end of the variable, and we are ready for another run through the loop. 1 million loops later, we finally arrive to the finished hash, with an additional salt on the end. All that we have to do now is check if our result hash (removing the salt from it) is equal to the hash we found in the database. If it is, then the password you entered all of the way back at the beginning, was correct. ## Epilogue We're done! You made it to the end! Now for a quick summary. In this document, you learned that PSI can generate a mapping for every password you throw at it, and that it's super power is being computationally expensive, so that anybody who tries to attack will have to wait. ## Footnotes - PSI and other terms coined in this document may or may not already be official terms used in other fields. - As the speed of computers increases, so will the need for more loops, so legacy systems may be broken. *[PSI]: Password Securing Interface *[mapping]: The pair of hash output and salt from a database