

ID: 647576 • Letter: I

Question

I'm pretty new to this and find it quite interesting, but my brain won't process how it works so I have to ask some questions :)

1) Why is cryptography used? Is it for extra security once the password is stored inside a database, because the database would already be protected by a password?

2) How does it work in general in applications/programs? Is the password being encrypted and decrypted in the program itself?

3) If it was being encrypted and decrypted in a program itself, wouldn't it be easy just to inspect the code and reverse the process?

I know these are pretty basic questions, but I couldn't find any answers that really made any sense to me. Thank you for your answer :)

Explanation / Answer

There isn't one particular scheme for password security. You ask how cryptography is used, but for instance in basic HTTP authentication no cryptography is used at all.

1) Databases or database entries can indeed be encrypted. Usually this is performed with a (binary) key, not a password. If the database is used for authentication of users, then usually a password hash is stored. When implemented correctly, this password hash is calculated using a Password Based Key Derivation Function such as PBKDF2 or bcrypt.

2) Anything can happen in applications; there is no set of rules for how passwords are handled, it completely depends on the application itself.

3) If the key used to encrypt a password is stored in code, then yes, it would be possible to reverse engineer the key or the data / password used to create the key. Of course, passwords can be memorized, and keys may be stored in device-specific key stores, smart cards, etc. How the keys are handled is called key management.
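To make point 1 of the answer concrete, here is an added example (not part of the original answer) of what "storing a password hash with PBKDF2" looks like in practice, using only Python's standard library. The point that matters for question 3 is that the stored string contains no key at all: the server keeps a random salt, an iteration count and the derived output, and verification re-runs the same derivation and compares the results. Anyone who reads the code or the database still cannot turn the stored value back into the password; they can only guess candidates and test each one, which the iteration count makes slow. The 600,000 iteration default and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions chosen for this example, not something the answer prescribes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed default: a high iteration count for PBKDF2-HMAC-SHA256 (example choice,
# not from the original answer). Higher is slower for both the server and an attacker.
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a password hash for storage in the database.

    Returns a self-describing string in the (assumed) format
    ``pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>``
    so that the verifier knows exactly how to recompute it later.
    """
    if salt is None:
        # A fresh random salt per password means two users with the same
        # password get different stored values, and precomputed tables are useless.
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against the stored hash string.

    Nothing is decrypted: the candidate password is run through the same
    derivation with the stored salt and iteration count, and the two outputs
    are compared in constant time.
    """
    try:
        algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record; never treat it as a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: what a registration followed by two login attempts looks like.
    record = hash_password("correct horse battery staple")
    print("stored in DB:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected: ", verify_password("Tr0ub4dor&3", record))
```

A practical check when reviewing an application: if you can find a function that takes the stored value and returns the plaintext password, it is encryption with a key that lives somewhere, and question 3 applies; with a KDF-based hash like the one above there is no such function to find.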