Do you know my account password?

Short answer: no, because we don't know it!

Complyfile stores users' passwords using a technique called 'salted hashing'. The 'hashed' part means that when a login is created for the system, the corresponding password isn't saved as plain text. Instead, the password is run through a one-way hashing algorithm, so if your password were "Mary5" the stored hash might look something like FE12AFZE.

Hashing is a one-way cryptographic operation, so you can't retrace the steps directly to get the password "Mary5" back from the 'hash value' (that string of letters and numbers, in the example above FE12AFZE). Hashing is a good first line of defence, as it makes it harder for the password to be exposed to a malicious user. The problem is that for the common hash functions, attackers have already brute-forced the hashes of huge numbers of likely passwords, so anyone can find or build a reverse lookup table (a retrace of those steps) and get "Mary5" back out from its bare hash.

This is where the 'salted' bit comes in.

When someone creates an account in Complyfile, or completes the volunteer application form, each user is assigned a random salt value that is:

  • appended (attached) to their password,
  • prior to hashing.

Because every user has a different salt, two users who choose the same password end up with different stored hashes, and a precomputed reverse lookup no longer applies: each salted hash would have to be brute-forced on its own, making the attack that much more difficult.
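The scheme described above, as an added illustration (not Complyfile's own code; Complyfile does not publish its hash function or parameters, so SHA-256 inside PBKDF2 with 100,000 iterations and a 16-byte salt are assumptions). It shows a bare hash falling to a reverse lookup, while per-user salts make the same password hash differently for each user and still verify on login:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters; Complyfile's real ones are not public.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The scheme the article warns about: no salt, so one password always gives one hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for each new account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the candidate with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Two constructed users, Alice and Bob, who both chose the password "Mary5"."""
    # A small reverse-lookup table of unsalted hashes for a few guessed passwords.
    lookup = {unsalted_hash(p): p for p in ("password", "Mary5", "letmein")}
    alice_salt, alice_digest = hash_password("Mary5")
    bob_salt, bob_digest = hash_password("Mary5")
    return {
        # Without a salt the stored hash is in the table and the password falls out.
        "unsalted_recovered": lookup.get(unsalted_hash("Mary5")),
        # With per-user salts the two stored digests differ and match nothing precomputed.
        "salted_digests_differ": alice_digest != bob_digest,
        "salted_in_table": lookup.get(alice_digest.hex()),
        # Login still works because the salt is stored beside the digest.
        "alice_login_ok": verify_password("Mary5", alice_salt, alice_digest),
        "wrong_password_rejected": verify_password("Mary6", alice_salt, alice_digest),
    }
```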


COPYRIGHT © COMPLYFILE LTD 2015. ALL RIGHTS RESERVED