
Facebook Doesn't Know Your Password. Huh?

Security! We often think about computer security only when something bad happens and it hits the news: hackers stealing thousands of credit card numbers from Target or Home Depot, a computer virus spreading around the world, or an unscrupulous company selling personal information. But computer security is a big deal even when it doesn't make national news, and the good news is that you don't have to be a computer guru to protect yourself. Just being aware of potential issues can go a long way toward making your computer or network a less attractive target for criminals and malware, so they go looking somewhere else.

In fact, October is National Cyber Security Awareness Month (quite a mouthful!). This is a program sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. Its entire premise is that with some simple practices we can dramatically increase the security of our national cyber infrastructure.

In this blog post I want to talk about passwords. Maybe in a few years passwords will be a thing of the past, and we'll all be using thumbprint and retina scanning, but for now passwords are a necessary part of everyday life. Here's something interesting about your password: Facebook doesn't know your password. Neither does Microsoft, Apple, Google, QuickBooks Online... You name it. Any reputable cloud service does NOT store your password. So how do they know if you typed in the right password? Through a clever thing called "hashing". They don't store your password, but they do store a hash of your password.


Hashing

What is hashing? Hashing is where you take a word (or any combination of letters, numbers and symbols), run it through a special mathematical formula, and get back a fixed-length string of letters and numbers that looks nothing like your original input. The important part about this process is that it is very easy to do in one direction (get the scrambled text from a password) but practically impossible to do in the other direction (recover the password from the scrambled text). How about an example?

Imagine I have two numbers... Let's say 53 and 97. If I multiply them I will always get 5141. It's easy to multiply them, it takes just a few seconds, and the answer will always be the same. But if I ask you to figure out which two numbers multiplied together make 5141, it's much harder and takes much, much longer. There's no shortcut to get 53 and 97 from 5141 except crunching lots of numbers and eliminating the ones that don't work. That is the idea behind password hashing: a formula that is cheap to compute forward and expensive to undo. Real hash functions aren't built on multiplication (and with numbers this small a computer would find the answer instantly), but the one-way property is the same, on a much larger scale and with a much more complicated formula.

When you sign up for Facebook or an Office 365 account they ask you to type in a password. That password is then crunched through a hashing algorithm, and they store the scrambled nonsense on their servers. Next time you log in you type in your password. Again, the password is processed through the same formula, and the exact same scrambled nonsense comes out the other end. Facebook/Microsoft/Apple/Google/et al then check to see if the hash (scrambled nonsense) matches the one they have in the database. If it matches they let you in. If not... Try again! This makes for great security. If the server ever gets compromised, the hacker doesn't get your password, just the hash, and there is no formula that turns the hash back into the password. The only way to attack it is to guess a password, hash the guess, and see if it matches, over and over. That is why good services also mix a random "salt" into each user's hash (so two people with the same password get different hashes, and the attacker can't reuse one guess against everyone) and use deliberately slow hashing algorithms that make every guess cost real time. It is also why a weak password that appears on a list of common passwords can still be cracked from its hash in seconds, while a long, unusual one would take longer than anyone is willing to wait.
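To make this concrete, here is an added example (written for this post, not code from Facebook or any of the services named above) of the whole cycle in Python's standard library: registering a user stores only a salted, deliberately slow PBKDF2-SHA256 hash; logging in re-hashes what was typed and compares; and a small constructed word list shows why a leaked hash of a common password is still dangerous even though the hash itself cannot be reversed. The storage format, the iteration count and the sample passwords are choices made for this example, not anything a particular service uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory "user database" for this example: username -> stored hash record.
USERS = {}

# Tuning knobs chosen for this example. The iteration count is what makes each guess
# slow for an attacker; the random salt makes every user's hash unique.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    The plaintext password is never stored; only the digest and the public
    parameters needed to recompute it are kept.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and iterations, compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# A throwaway record used so that a login for an unknown user still does one hash
# computation; otherwise an attacker could tell real usernames from fake ones by timing.
_DUMMY_RECORD = hash_password("not-a-real-password")


def register(username: str, password: str) -> None:
    """Store only the salted hash; the password itself is discarded after this call."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """True only if the freshly computed hash matches the stored one."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then refuse
        return False
    return verify_password(password, stored)


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What an attacker with a leaked hash does: guess, hash, compare, repeat.

    The hash is never 'decoded'; a weak password is found only because it is on
    the list. Returns the recovered password or None.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


# Constructed sample data for the demonstration.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]


def demo() -> dict:
    """Run the register / login / crack cycle and return the observations."""
    register("alice", "correct horse battery staple")
    register("bob", "password123")
    register("carol", "password123")
    return {
        "alice_login_ok": login("alice", "correct horse battery staple"),
        "alice_wrong_case": login("alice", "Correct horse battery staple"),
        "unknown_user": login("mallory", "password123"),
        "same_password_same_hash": USERS["bob"] == USERS["carol"],
        "bob_cracked_as": dictionary_attack(USERS["bob"], COMMON_PASSWORDS),
        "alice_cracked_as": dictionary_attack(USERS["alice"], COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it: bob and carol chose the identical password, yet their stored records differ because of the salt, and bob's hash is recovered by the six-word list in well under a second while alice's is not. The hash did not leak anything; the password was simply guessable.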

This is why, when you click the button labeled "I forgot my password", they send you an email with a link to reset your password instead of just telling you what it is. They don't know what it is! In fact, if any online service ever emails you your password (or if a customer service rep asks you for your password), RUN LIKE THE WIND! A service that can tell you your password is storing it in a form that a hacker can read too, and it is a disaster waiting to happen.

In my next post I will give you some practical advice on how to make your passwords, and in turn your computer, phone and network, more secure.

Author

Samuel O. Blowes, Director of IT