I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?

  • emb@lemmy.world
    2 days ago

    Hash functions only work in one direction. By design, the outputs are not unique, so you can’t reverse it. For example, a simplified version might take any number and map it to a 1 digit number. So if you saw the result was 3, you can’t know if the original number was 976 or 2265.

    Everything in security does just move the goal posts though, you’re right.

    You can’t really use the hashed password to impersonate, because whatever server logic is there to authenticate users will hash it again. But the output from that, a token or cookie or whatever, can sometimes be grabbed and used maliciously. They usually have short lifetimes before they need to be refreshed, but beyond that I don’t know how the mitigations work tbh.

    Another potential problem is attackers getting the hash, and comparing it to hashes of common passwords, dictionary words, etc. They apply ‘salt’ (changes to password before hashing) to try and make this harder.
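
The two points in the comment above, as an added example that is not part of the original thread: the server hashes whatever is submitted, so the stored hash does not work as a password, and a per-user salt keeps a stored value from matching a precomputed list of common-password hashes. PBKDF2, the iteration count, and all names and sample passwords are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for storage, with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(submitted: str, salt: bytes, stored_key: bytes) -> bool:
    """Hash whatever the client submitted, then compare in constant time."""
    _, key = hash_password(submitted, salt)
    return hmac.compare_digest(key, stored_key)


def unsalted(password: str) -> str:
    """Plain SHA-256 with no salt, shown only for comparison."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo() -> dict:
    # Constructed sample data: two users who picked the same password.
    salt_a, key_a = hash_password("correct horse")
    _salt_b, key_b = hash_password("correct horse")
    # Constructed stand-in for a list of hashes of common passwords.
    common = {unsalted(p) for p in ("123456", "password", "correct horse")}
    return {
        "real_password_accepted": verify("correct horse", salt_a, key_a),
        # Submitting the stored hash gets hashed again, so it does not match.
        "stored_hash_accepted": verify(key_a.hex(), salt_a, key_a),
        "same_password_same_record": key_a == key_b,
        "unsalted_found_in_list": unsalted("correct horse") in common,
        "salted_found_in_list": key_a.hex() in common,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```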