🔒AP Cybersecurity Unit 4 Review

4.2 Authentication

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

Authentication is how a system answers one simple question: "Are you actually who you say you are?" Every time you log into Instagram, unlock your phone with your face, or type a PIN at an ATM, you're going through some kind of authentication. This topic digs into how passwords are stored securely (spoiler: not as plain text), how attackers try to crack them, the different types of "proof" you can use to identify yourself, and the settings admins tweak to make logins way harder to break.

Why Passwords Are Stored as Hashes

Imagine a company saves every user's password in a giant spreadsheet that just says username: password. If a hacker steals that file, game over. Every single account is exposed instantly. That's why no decent system stores passwords in plaintext. Instead, they store hashes.

What a Hash Actually Is

A cryptographic hash function (also called a message digest function) is a math algorithm that takes any input (a word, a file, a whole movie) and spits out a fixed-length string of bits called the hash, checksum, or message digest. The input can be any size. The output is always the same length for a given function.

Some well-known hash functions you should recognize:

  • MD5
  • SHA-1, SHA-256, SHA-512 (SHA stands for Secure Hash Algorithm)
  • NTHash
  • RIPEMD-160

For example, running the word password through SHA-256 always gives you the same 256-bit output. Run Password (capital P) and you get something totally different. Even one tiny change flips the whole hash.

The Four Properties of a Good Hash

A solid cryptographic hash has four key properties:

  • Collision resistant: It's hard to find two different inputs that produce the same hash.
  • Pre-image resistant: Given a hash, you can't reasonably figure out the original input. Hashes are one way.
  • Repeatable: The same input always produces the same hash. (This is what makes password checks work.)
  • Fixed length: No matter how big the input, the hash is always the same length for that function. SHA-256 always gives you 256 bits.

Collisions and Why MD5 Got Killed

An n-bit hash has 2^n possible outputs. Since there are infinite possible inputs but a limited number of outputs, two different inputs will eventually produce the same hash. That's called a collision.

A good hash function makes collisions super hard to find on purpose. But if researchers figure out an efficient way to force collisions, that hash function is deprecated, meaning it's no longer considered safe. MD5 and SHA-1 are both deprecated for this reason. You'll still see them around, but nobody should be using them to protect new systems.

How Hashed Password Login Works

Here's the flow when you log in:

  1. You type your password into the login box.
  2. The system runs your password through the hash function.
  3. It compares the new hash to the hash stored in the user database.
  4. If the hashes match, you're authenticated. If not, access denied.

The system never has to store your actual password. Even an admin looking at the database just sees a string of random-looking characters.

Salt: Why Two Users with the Same Password Get Different Hashes

There's still a problem. If two users both pick password123, their stored hashes would be identical. An attacker who sees matching hashes in the database knows those users share a password. They could also pre-compute hashes for common passwords and instantly spot matches.

The fix is salt: a few random bits added to each user's password before hashing. Every user has their own unique salt, so even if two people pick the exact same password, their stored hashes look completely different. Salt also makes pre-computed attack tables (we'll get to those in a sec) way less useful.

How Password Attacks Work

If an attacker steals a legitimate user's password, and that account doesn't have MFA or other protections, the attacker gets to act with all the same access and rights as the real user. That could mean reading emails, transferring money, or pivoting deeper into a network. So how do attackers actually get passwords?

Online vs Offline Attacks

Password attacks split into two big categories:

  • Online password attacks: The attacker tries username and password combos against a live login portal (like the actual login page of a website). These are slower and noisier because the system can detect failed logins, lock accounts, or rate-limit.
  • Offline password attacks: The attacker has already stolen a user:password database (the hashes) and runs attacks against it on their own computer. No lockout protections apply here because they're not touching the real login system anymore.

Common Online Attacks

Credential reuse attacks are super common. People reuse passwords across sites all the time, even though they shouldn't. When one company gets breached and their user database leaks online, attackers grab those leaked credentials and try them on other sites. If you used the same password on a random forum and your bank, you're in trouble.

Password spraying is when an attacker takes one common password (like Summer2024!) and tries it against tons of different accounts. Because they only try one or two passwords per account, they avoid triggering lockouts.

Credential stuffing is when an attacker uses default credentials or stolen credentials to try to break into services or devices. This works scary well on things like switches, routers, and IoT devices that ship with default admin passwords like admin:admin that people never change.

Offline Attacks: Cracking Stolen Hashes

Once an attacker has a captured hash, they can't reverse it (remember, hashes are pre-image resistant). But they can guess. Automated hash-cracking tools hash tons of potential passwords and compare each output to the target hash. If they find a match, they know the password that generated it.

  • Brute force attack: The tool tries every possible password combo: aaaa, aaab, aaac, and so on. Guaranteed to work eventually, but takes forever for long, complex passwords.
  • Dictionary attack: The tool tries a list of common passwords (password, qwerty, letmein, iloveyou) plus variations. Way faster than brute force if the user picked something predictable.

Rainbow Tables

A rainbow table attack uses a precomputed rainbow table, which is basically a giant lookup table. Each row contains a potential password and its hash, sorted by hash value. The attacker takes the captured hash and searches the table for a match. If they find one, they instantly know a password that produces that hash.

Rainbow tables save time because the attacker doesn't have to recompute hashes during the attack. They did all that work ahead of time. This is exactly why salt matters so much: salted hashes break rainbow tables, because the attacker would need a separate rainbow table for every possible salt value.
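As an added example that is not part of the original guide, here is the login flow and the salting idea from the sections above in Python, with a small precomputed hash-to-password table standing in for a rainbow table. The usernames, passwords and common-password list are constructed for illustration, and SHA-256 is used only because it is the function the guide names (a slow password hash such as bcrypt or Argon2 is what real systems layer on top of salting).

```python
import hashlib
import hmac
import os

# Constructed list of common passwords, standing in for a precomputed table's inputs.
COMMON_PASSWORDS = ["password", "qwerty", "letmein", "iloveyou", "password123"]

def hash_password(password: str, salt: bytes) -> str:
    """Hash salt||password with SHA-256 (the guide's example function; production
    systems use a slow password hash such as bcrypt or Argon2 on top of salting)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def register(store: dict, username: str, password: str, salted: bool = True) -> None:
    """Store (salt, hash) for a user; salted=False simulates an unsalted database."""
    salt = os.urandom(16) if salted else b""
    store[username] = (salt, hash_password(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    """Login steps 1-4: re-hash the typed password with the user's own salt and
    compare it with the stored hash in constant time."""
    if username not in store:
        return False
    salt, stored = store[username]
    return hmac.compare_digest(hash_password(password, salt), stored)

def build_lookup_table(passwords) -> dict:
    """Precomputed hash -> password table (a stand-in for a rainbow table),
    built once, for unsalted SHA-256 only."""
    return {hash_password(p, b""): p for p in passwords}

def lookup_matches(store: dict, table: dict) -> dict:
    """Which stored hashes does the precomputed table recognise instantly?"""
    return {user: table[h] for user, (_, h) in store.items() if h in table}

def demo() -> dict:
    unsalted, salted = {}, {}
    for db, use_salt in ((unsalted, False), (salted, True)):
        register(db, "alice", "password123", use_salt)
        register(db, "bob", "password123", use_salt)
    table = build_lookup_table(COMMON_PASSWORDS)
    return {
        "unsalted_identical": unsalted["alice"][1] == unsalted["bob"][1],
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "unsalted_found": lookup_matches(unsalted, table),
        "salted_found": lookup_matches(salted, table),
        "login_ok": verify(salted, "alice", "password123"),
        "login_bad": verify(salted, "alice", "Password123"),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows both users sharing one hash in the unsalted store, the precomputed table recognising both of them, and the same table recognising nobody once per-user salt is in place.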

Types of Authentication Factors

Authentication mechanisms are the technical controls that verify a user's identity. The actual proof a user provides is called a factor. There are four main types.

Knowledge Factor (Something You Know)

A knowledge factor is information only the user should know: passwords, PINs, or answers to challenge questions like "What was the name of your first pet?"

The tradeoff here is annoying: a password that's hard for an attacker to guess is often hard for the user to remember. Tr0ub4dor&3 is way more secure than fluffy, but you're more likely to forget it.

Possession Factor (Something You Have)

A possession factor is a physical object unique to the user. Examples:

  • An access card to enter a building
  • A debit/credit card
  • A cell phone (used to receive a text code or run an authenticator app)
  • A hardware authentication token like a YubiKey

The harder it is to steal or copy the object, the better. A hardware token that can't be cloned is more secure than a text message code (which can be intercepted via SIM swapping).

Biometric Factor (Something You Are)

A biometric factor measures part of your body. Common examples:

  • Fingerprints
  • Palm prints
  • Facial recognition (like Face ID)
  • Iris or retina scans
  • Voice identification

These are tough to duplicate because they're unique to you. Downside: if your fingerprint data gets leaked, you can't exactly change your fingerprints.

Location Factor (Somewhere You Are)

A location factor uses things like Wi-Fi signals, GPS data, time zone settings, or IP address info to figure out where you are. A bank might block a login attempt from a country you've never visited, or a company might only allow logins from inside the office network.

Multifactor Authentication

Multifactor authentication (MFA) means using more than one factor type to authenticate. Logging into your school account with a password (knowledge) and then approving a push notification on your phone (possession) is MFA.

This is way more secure than single-factor authentication because an attacker would need to compromise two different things at once. Stealing your password isn't enough if they also need your physical phone.

Quick clarification: two passwords is not MFA. That's just two knowledge factors. Real MFA combines different types of factors.

Configuring Secure Login Settings

Admins can configure login policies to make systems way harder to crack. Here are the main settings you should know.

Password Complexity

Requiring complexity means new passwords must include characters from multiple character sets:

  • Uppercase letters (A through Z)
  • Lowercase letters (a through z)
  • Numeric digits (0 through 9)
  • Special characters like !, @, #, $, %, &, *

A password drawn from all four sets is dramatically harder to crack than one using only lowercase letters. password is trivial. P@ssw0rd! is still bad but at least takes longer.

Minimum Password Length

Setting a minimum password length forces users to pick passwords of at least a certain number of characters. Length matters a lot for cracking time. Each extra character multiplies the number of possible combinations an attacker would have to test. A 12-character password takes way longer to brute force than an 8-character one.

Maximum Password Age

A maximum password age policy makes users change their password every X days, usually 90 or 120. The idea is that if a password was secretly compromised, regular changes limit how long an attacker has access.

There's a catch though. Some modern standards actually recommend against forced rotation, because users tend to develop predictable patterns like PasswordFall2024, PasswordWinter2024, PasswordSpring2025. An attacker who knows the pattern can guess the new password easily.

Password History

Systems can also be configured to store a certain number of previous password hashes (commonly the last 5 to 10). This prevents users from just recycling the same password every time they're forced to change it. If you try to set your password back to one of your old ones, the system says no.

Lockout Period

Setting a lockout period locks an account after a certain number of failed login attempts, often 3 to 5. The account stays locked for some amount of time (a few minutes, an hour, or until an admin unlocks it).

This stops online brute force and password spraying cold. An attacker can't just sit there guessing forever because after a handful of wrong guesses, the door slams shut. Note that lockout doesn't help against offline attacks, since those don't touch the live login system at all. That's why hashing, salting, and strong passwords still matter even with good lockout policies in place.
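As an added example that is not part of the original guide, the following Python sketch enforces the login settings from this section (minimum length, complexity, maximum age, password history and lockout) on a single account. The policy thresholds, usernames and passwords are constructed values chosen within the ranges the text mentions, and SHA-256 with a per-account salt again stands in for a real password hash.

```python
import hashlib
import hmac
import os
import re
# Constructed policy values, chosen within the ranges the text describes.
MIN_LENGTH, HISTORY_SIZE = 12, 5
MAX_AGE_SECONDS = 90 * 24 * 3600
LOCKOUT_THRESHOLD, LOCKOUT_SECONDS = 5, 15 * 60
CHARSETS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[!@#$%&*]")

def complexity_ok(password: str) -> bool:
    """Complexity: at least one character from each of the four sets."""
    return all(re.search(pattern, password) for pattern in CHARSETS)

def hash_pw(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

class Account:
    def __init__(self, username: str, password: str, now: float):
        self.username, self.salt = username, os.urandom(16)
        # history holds the newest hash first, capped at HISTORY_SIZE entries
        self.history, self.failed, self.locked_until, self.changed_at = [], 0, 0.0, now
        reason = self.set_password(password, now)
        if reason:
            raise ValueError(reason)

    def set_password(self, new: str, now: float):
        """Length, complexity and history checks; returns a reason or None.
        One salt per account keeps old and new hashes comparable."""
        if len(new) < MIN_LENGTH:
            return "too short"
        if not complexity_ok(new):
            return "missing a character set"
        if hash_pw(new, self.salt) in self.history:
            return "matches a recent password"
        self.history = [hash_pw(new, self.salt)] + self.history[:HISTORY_SIZE - 1]
        self.changed_at = now
        return None

    def rotation_due(self, now: float) -> bool:
        return now - self.changed_at >= MAX_AGE_SECONDS  # maximum password age

    def login(self, attempt: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'; lockout only counts online failures."""
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(hash_pw(attempt, self.salt), self.history[0]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.failed, self.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The lockout counter only ever sees attempts that pass through login(), which is exactly why it offers no protection against offline cracking of a stolen history list.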

Vocabulary

The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

Term

Definition

account lockout

A login setting that temporarily disables an account after a specified number of failed login attempts to prevent adversaries from conducting brute-force password attacks.

authentication mechanism

Technical controls that verify the identity of a user to ensure that only authorized users access a system.

biometric factor

An authentication factor that measures unique features of the human body, including fingerprints, palm prints, facial recognition, iris or retina scans, or voice identification.

brute force attacks

An attack method where an adversary attempts to guess an encryption key by trying many possible combinations until finding the correct one.

collision

An occurrence where two different inputs produce the same hash output from a cryptographic hash function.

collision resistant

A property of cryptographic hash functions where it is difficult to find two different inputs that produce the same output.

credential stuffing

An attack where default or previously compromised user:password combinations are attempted in rapid succession on a device, typically from the same IP address.

cryptographic hash function

A mathematical algorithm that takes binary data of arbitrary length and outputs a fixed-length binary string, used to securely process and verify data.

default credentials

Preconfigured usernames and passwords that come with services and devices such as switches, routers, and IoT devices.

deprecated hash function

A cryptographic hash function that is no longer used in secure settings because an efficient collision-forcing algorithm has been discovered.

dictionary attacks

Offline password attacks where an adversary uses automated tools to test a list of common passwords.

factor

The proof a user provides to identify themselves during the authentication process.

hash

A fixed-length binary string output produced by a cryptographic hash function from an input of arbitrary length.

hash-cracking tools

Automated tools used in offline attacks to hash potential passwords and compare them against captured hashes.

knowledge factor

An authentication factor based on something the user knows, such as passwords, PINs, or answers to preselected challenge questions.

leaked credentials

Usernames, emails, and passwords that have been stolen from an organization's database and made available to adversaries or posted online.

location factor

An authentication factor that uses information about Wi-Fi signals, GPS data, time zone settings, or IP address information to determine a user's location and allow or deny access accordingly.

maximum password age

A login setting that prompts users to change their password after a specified number of days (typically 90 or 120 days) to reduce the risk of compromised account access.

Message Digest 5

A cryptographic hash function that is now deprecated due to vulnerabilities in collision resistance.

minimum password length

A login setting that requires passwords to contain at least a specified number of characters to increase resistance to cracking attempts.

Multi-factor authentication

A security measure requiring multiple forms of verification beyond just a password to authenticate a user.

multi-factor authentication

A security method that requires users to provide multiple forms of verification to authenticate and access a system.

offline password attacks

Password attacks that occur on an attacker's own computer using stolen password hashes, making them undetectable through log file analysis.

online password attacks

Password attacks that attempt user:password combinations directly against an active authentication portal.

password attack

Adversarial techniques used to compromise user passwords and gain unauthorized access to accounts or systems.

password complexity

A login setting that requires passwords to include characters from multiple character sets (uppercase letters, lowercase letters, numeric digits, and special characters) to increase password strength.

password reuse prevention

A login setting that prevents users from reusing previous passwords by storing and checking against a history of past password hashes.

password spraying

An attack where many users are targeted with common passwords from one or a few IP addresses, often to avoid detection by spreading attempts across multiple accounts.

plaintext

The original, unencrypted information that is input into an encryption algorithm.

possession factor

An authentication factor based on something the user has, such as an access card, bank card, cell phone, or authentication token.

pre-image resistance

A property of cryptographic hash functions where it is infeasible to determine the input that generated a given hash output.

rainbow table

A precomputed table containing common passwords and their corresponding hashes, sorted by hash values for efficient lookup.

rainbow table attack

An attack that uses a precomputed table of common passwords and their hashes to quickly identify matching passwords from captured hashes.

salt

Random bits added to a password before hashing to ensure that identical passwords produce different hash outputs for different users.

Secure Hash Algorithm 1

A Secure Hash Algorithm that is now deprecated due to vulnerabilities in collision resistance.

Secure Hash Algorithm 256

A Secure Hash Algorithm that produces a 256-bit hash output and is currently considered secure for cryptographic applications.

Secure Hash Algorithm 512

A Secure Hash Algorithm that produces a 512-bit hash output and is currently considered secure for cryptographic applications.

single-factor authentication

An authentication system that uses only one factor to verify a user's identity.
