🦥How Do Passwords Actually Work?


Hello friends!

Welcome to this week’s Sloth Bytes.

I hope you had a great week 😊

Stay up-to-date with AI

The Rundown is the most trusted AI newsletter in the world, with 1,000,000+ readers and exclusive interviews with AI leaders like Mark Zuckerberg, Demis Hassabis, Mustafa Suleyman, and more.

Their expert research team spends all day learning what’s new in AI and talking with industry experts, then distills the most important developments into one free email every morning.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Most of what we think we know about sloths comes from sloths in zoos

How Do Passwords Actually Work?

Have you ever wondered what happens to your password when you create an account?

I never thought about it until I started learning authentication.

For some reason I always thought they saved the password just like that and went along with my day (yeah I’m not the brightest… but you already knew that.)

What Happens When You Type a Password?

When you create an account:

  1. You type "ILoveSloths123!"

  2. The website doesn't save that text (I hope)

  3. Instead, it runs it through a "hash function"

  4. It stores the resulting gibberish: "$2y$10$MZB.."

Now when you log in again:

  1. You type "ILoveSloths123!" again

  2. The website hashes it again

  3. It compares the new hash to the stored one

  4. If they match, you're in!

What’s Hashing?

A hash function is a one-way mathematical function that:

  • Converts input of any length to fixed-length output

  • Always produces the same output for the same input

  • Makes it practically impossible to reverse-engineer the original input

  • Changes dramatically with even tiny input changes

Popular hash functions include:

  • bcrypt (designed specifically for passwords)

  • Argon2 (winner of the 2015 Password Hashing Competition)

  • PBKDF2 (used in many security systems)

// Example of password hashing with bcrypt (npm package "bcrypt")
const bcrypt = require('bcrypt');
const rounds = 10; // Work factor - higher is slower but more secure

// Hashing a password (bcrypt generates a random salt and embeds it in the output)
const hash = bcrypt.hashSync('ILoveSloths123!', rounds);
// Result should look something like this:
// '$2y$10$g1GAMEpa.82KLk.EXy4PAuhFoXB2wS0.cB30i/4MANF72xl9pXVwi'

// Verifying a password (compareSync reads the salt and rounds back out of the hash)
const isMatch = bcrypt.compareSync('ILoveSloths123!', hash); // true

Issues with only hashing

Even though hashing makes it a bit harder to access data…

It’s not enough.

For multiple reasons:

  1. Rainbow Tables: Attackers have pre-computed tables of hashes for common passwords. They can quickly look up your hash and find the original password.

  2. Fast Hashing Algorithms: Standard hash functions like MD5 and SHA-1 are designed to be fast, which means attackers can try billions of guesses per second on modern hardware.

  3. Identical Passwords: If two users have the same password, they'll have identical hashes—revealing who shares passwords.

  4. Hardware Acceleration: GPUs can calculate billions of hashes per second for common algorithms, making brute force attacks feasible.

Salt (yes even your passwords have seasoning)

A "salt" is a random string added to your password before hashing:

  • Makes identical passwords hash differently

  • Prevents attackers from using pre-computed tables (rainbow tables)

  • Is stored alongside the hash, not secretly

// Without salt, two users with the same password get the same output!
hash('password123') = '8d969eef6ecad3c29a3a629280e686cf'
hash('password123') = '8d969eef6ecad3c29a3a629280e686cf'

// With a different salt per user, the same password gives different outputs!
hash('password123' + 'example_SALT1') != hash('password123' + 'example_SALT2')

Here’s how to salt your passwords in node:

// bcrypt automatically generates and handles the salt
const bcrypt = require('bcrypt');

// Same password for two different users
const password = "ILoveSloths123!";

// First user's password hash
const salt1 = bcrypt.genSaltSync(10);
const hash1 = bcrypt.hashSync(password, salt1);

// Second user's password hash, with a fresh random salt
const salt2 = bcrypt.genSaltSync(10);
const hash2 = bcrypt.hashSync(password, salt2);

// The salt is embedded in the hash string, so only the hash needs to be stored
console.log(hash1 !== hash2);                     // true: same password, different hashes
console.log(bcrypt.compareSync(password, hash1)); // true: the salt is read back out of hash1

So Companies Don’t Just Have Our Passwords?

Yep… this is what their user database looks like for passwords:

{
  "username": "Sloth",
  "password": "$2b$10$X9uTnSGSO8rK9R2zgUO3UuDjq4/x.1hZ/S8N1EKBnD0yDJjK6Ez4y"
}

Why Good Sites Never Know Your Password

  • They only store the password hash (hashed, not encrypted, so there is no key that turns it back into your password)

  • They can verify you without seeing your password

  • If they get hacked, your actual password isn't exposed

  • This is why "forgot password" gives you a reset link, not your original password

Thank you to everyone who submitted 😃 

I’m feeling a little lazy this week, so I’ll give you all a break 😏 

2 videos came out if you didn’t know…

Check them out! (don’t worry the brain rot sloth is ending soon)

That’s all from me!

Have a great week, be safe, make good choices, and have fun coding.

If I made a mistake or you have any questions, feel free to comment below or reply to the email!

See you all next week.
