I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?

  • athairmor@lemmy.world (15 upvotes, 3 days ago)

    Because the hashing function is used before comparing.

    • Stored hash is “5f4dcc3b5aa765d61d8327deb882cf99”,
    • user sends “password”,
    • system runs the hash on “password” and gets “5f4dcc3b5aa765d61d8327deb882cf99”,
    • it matches, access is granted.

    If the user sends “5f4dcc3b5aa765d61d8327deb882cf99” the system runs the hash on that and gets “696d29e0940a4957748fe3fc9efd22a3”. Those don’t match. No access.
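Added example, not part of the thread: the hash-then-compare flow from the reply above in Python, reproducing its unsalted MD5 values, followed by the salted, iterated PBKDF2 form a service should actually store. Only the standard library is used; the `make_record`/`verify_record` names and the 600,000 iteration count are my choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted MD5, exactly as in the reply above (illustration only; a real
# service should not store passwords this way).
def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def verify_unsalted_md5(stored_hash: str, submitted: str) -> bool:
    # The server hashes whatever the client sent *before* comparing, so
    # submitting the stored hash itself just yields a different hash.
    # compare_digest avoids leaking the match position via timing.
    return hmac.compare_digest(md5_hex(submitted), stored_hash)

# What a service should actually keep per user: a random salt plus a slow,
# iterated hash (PBKDF2-HMAC-SHA256 from the standard library).
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}

def verify_record(record: dict, submitted: str) -> bool:
    # Same rule: re-derive from the submitted text, never trust a sent hash.
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

if __name__ == "__main__":
    stored = md5_hex("password")
    print(stored)                                    # 5f4dcc3b5aa765d61d8327deb882cf99
    print(verify_unsalted_md5(stored, "password"))   # True
    print(md5_hex(stored))                           # 696d29e0940a4957748fe3fc9efd22a3
    print(verify_unsalted_md5(stored, stored))       # False
    rec = make_record("password")
    print(verify_record(rec, "password"))            # True
    print(verify_record(rec, rec["hash"].hex()))     # False
```

The salted record also means two users with the same password get different stored hashes, which the unsalted MD5 scheme in the reply does not give you.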