Introduction to cyber security: stay safe online
Introduction to cyber security: stay safe online

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

Free course

Introduction to cyber security: stay safe online

1.1 What happens when you enter a password?

Download this video clip.Video player: ou_futurelearn_cyber_security_vid_1043.mp4
Skip transcript

Transcript

Speaker
When a user connects to the server for the first time, they may be asked to create a password so they can get access to the services available on the server. In this case, the user types in a simple password. To keep things easy, we're using the very simple-- and very bad-- password "apple." Your own passwords should be much harder to guess. The user's password is sent over the network and is stored in a database on the server. At some later date, the user wants to access the server again. They're asked for their password, and type in "apple." The password is sent over the network and compared to the stored password-- also "apple"-- in the server's database. If the two match, they're given access.
Any data passing over a network can be stored or intercepted. It's very easy to copy data on a network, so an attacker could make their own copy of the password. Once they have that, they can then log into the server masquerading as the original user. A second problem is that the database itself might be stolen from the server by hackers-- or even a disgruntled employee. If this were to happen, all of the passwords belonging to all of the users could be misused.
To prevent passwords being stolen in transit, we use a secure network link between the user's computer and the server which hides data using strong cryptography. One type of secure link is called SSL, which you'll have used, perhaps without knowing it, when shopping online.
It's much harder to stop the server's database being stolen. But we can obscure passwords using a technique called hashing. Hashing is a mathematical technique that scrambles a password to produce a so-called hash. So when the user creates a password, server turns the password into a hash. And rather than storing the password in the database, we store the hash. So when the user logs in next time, they enter their password, which is sent over the network. The server creates a new hash from the password and compares it to the stored hash. If the two hashes match, then the user is allowed into the computer. Crucially, hashing only works one way. It's not possible to simply undo the hashing to recover the original password. Even if the database is stolen, the attackers only have the hashed passwords, rather than the passwords themselves. If the attackers want to find out the original passwords, they'll have to hash every possible password and compare them to the list of stored hashes. This is an enormously time-consuming process.
End transcript
 
Interactive feature not available in single page view (see it in standard view).

If the password is transmitted from the user to the server as plaintext (what you see is exactly what you get; it isn’t hidden in any way) – it could be intercepted as it travels across the network.

This is usually overcome by encrypting the communication between the user and the server. The most common form of encryption is the Transport Layer Security (TLS) standard or the older SSL standard (Secure Socket Layer). You’ll recognise that TLS or SSL is being used when you see ‘https’ at the beginning of a web page address instead of ‘http’, and by a padlock symbol in your browser. (You’ll look at encryption and TLS and SSL more fully in Week 4.)

Another problem occurs if a password is stored on a server as plaintext. In this case a successful attack on the server would not only reveal the user’s password, but all the passwords for all the users of the system. However, when a user enters a password the server needs to be able to confirm that this is the correct password for that user before it grants access.

This second problem can also be solved using a technique called hashing. A hash with salt is the result of processing plaintext to create a unique, fixed length identifier – you’ll find out more in Week 5. It cannot be used to reconstruct the original data – even if the hash falls into hostile hands. In this scheme, a hashing function is used to create a hash of a password, which is stored on the server – the password itself is discarded. When the user enters a password, this is sent over the network and hashed on the server using a copy of the same hashing function. The resulting hash is compared to the hash stored on the password server. Only if they match will the user be granted access. Some implementations of this scheme will hash the user’s password before sending it across the network to be compared with the hash stored on the server.

Almost all online services and computer systems store passwords as hashes – but surprisingly, errors still happen. The problems described in the following case study could have been avoided if hashing had been used.

Case study: RockYou

The game and advertising company RockYou suffered a major security breach in 2009 when 32 million user accounts were compromised, revealing that not only did the company store passwords in plaintext, it encouraged insecure passwords by only requiring them to be five alphanumeric characters long.

RockYou’s problems were made worse when it became clear that they had known that their database was vulnerable to an attack for more than ten years. The company had previously been criticised on privacy grounds for sending emails containing complete lists of their advertising partners, and for poor security in issuing passwords through insecure email.

Over the years many billions of accounts have been breached and the data collected by criminals. These criminals then try the same user name and password on other accounts. If you have reused the same password then they may take over your account.

In 2016, a list of 593 million unique email addresses together with multiple passwords for each address was being circulated by criminals. This list was known as ‘Exploit.In’

You can check to see if your own email has been part of a data breach by visiting https://haveibeenpwned.com/ [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] . Later this week you will look at how to improve your password security.

Even when hashing and encrypted communications are used, there are still ways in which attackers can successfully learn your password.

CYBER_B1

Take your learning further

Making the decision to study can be a big step, which is why you'll want a trusted University. The Open University has 50 years’ experience delivering flexible learning and 170,000 students are studying with us right now. Take a look at all Open University courses.

If you are new to University-level study, we offer two introductory routes to our qualifications. You could either choose to start with an Access module, or a module which allows you to count your previous learning towards an Open University qualification. Read our guide on Where to take your learning next for more information.

Not ready for formal University study? Then browse over 1000 free courses on OpenLearn and sign up to our newsletter to hear about new free courses as they are released.

Every year, thousands of students decide to study with The Open University. With over 120 qualifications, we’ve got the right course for you.

Request an Open University prospectus371