Good point. How can Complyfile authenticate (prove) that you are who you say you are, when we don't have the ability to read your password?
We do it by following the same steps that were used when creating the login.
- The user must provide their username and login to get access to the site
- From the user name we can identify your salt
- From the user name we can identify the hashed version of your password
So, we append (attach) the
- (1)salt to the password they provide and
- (2)then hash it.
- (3)From that result (the result of attaching the salt to the hashed version of your password (the random set of numbers, FE12AFZE, following the earlier example given), we compare the result to the stored hash password for a match.
- (4)With hashing, the odds of two different keys (paswords) is statistically unlikely, so if we don't have the same hash value, then the user did not provide the correct password.
Thanks to laomedon whose reply to the online question What are hashed and salted passwords? formed the basis of this answer.