The innovation is coming thick and fast at Sutton Active. We’ll be celebrating our sixth anniversary online soon so I thought it was high time to allow people to change their passwords themselves when they’ve forgotten them rather than emailing me to do it for them.
So, no more waiting hours, days or even weeks (sorry!) for me to get around to creating you a new password. Just go to the forgotten password page and do it yourself.
As before, there’s no way of getting your old password back. If you’ve forgotten it, just create a new one (and it doesn’t matter if coincidentally it’s the same as the old one).
People sometimes ask, “Why can’t you get my old password back? Surely you must know what it is, otherwise you wouldn’t know if I’d got it right when I sign in.” It’s a good question, so if you’re interested in the technical details, read on.
All of Sutton Active’s data, including your membership info, is stored in a database. When you join the site for the first time or if you change your password, we don’t store your password in the database. Instead, we run it through a one-way mathematical process called a hashing function to turn it into a very big number that looks like gobbledegook, and then we store that big number in the database.
So if you choose the password “banana”, the hashing function turns it into 250e77f12a5ab6972a0895d290c4792f0a326ea8. That’s what we store in the database in your member record. The hashing function is called SHA1; it produces a 160-bit number, which we write in hexadecimal (base 16) rather than the usual base 10, giving those 40 characters. The password you chose is simply forgotten about – we don’t store it anywhere.
How do we check your password when you sign in? We take the password you typed into the sign in box and run it through the same hashing function we used when we stored your password in the database. So your “attempted” password is now hashed in the same way as the stored one. If the two big numbers match, we know that the password you typed is your real password. If they don’t match, then you don’t get to sign in. A hashing function will always produce the same result given the same input, so this works reliably. There’s nothing random about it, and even a one-character change (“Banana” instead of “banana”) gives a completely different number.
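Here is the store-and-check procedure from the two paragraphs above written out in Python. This is an added illustration, not code from the Sutton Active site; the in-memory dictionary standing in for the database and the member name “alice” are made up for the example.

```python
import hashlib
import hmac


def hash_password(password: str) -> str:
    """Return the SHA1 digest of the password as 40 hexadecimal characters.

    This is the one-way step described in the post: the same input always
    gives the same output, and there is no function to go back the other way.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_member(db: dict, username: str, password: str) -> None:
    """Simulate joining the site: only the hash goes into the 'database'.

    `db` is a plain dict standing in for the real member table (constructed
    for this example).
    """
    db[username] = {"password_hash": hash_password(password)}
    # The plaintext `password` is now out of scope and never written anywhere.


def check_sign_in(db: dict, username: str, attempt: str) -> bool:
    """Hash the attempted password the same way and compare with the stored hash."""
    record = db.get(username)
    if record is None:
        return False
    # compare_digest runs in constant time, so an attacker cannot learn how many
    # leading characters matched by measuring how long the comparison took.
    return hmac.compare_digest(record["password_hash"], hash_password(attempt))


if __name__ == "__main__":
    db = {}
    store_member(db, "alice", "banana")
    print(db["alice"]["password_hash"])      # 250e77f12a5ab6972a0895d290c4792f0a326ea8
    print(check_sign_in(db, "alice", "banana"))   # True
    print(check_sign_in(db, "alice", "Banana"))   # False: hashing is case-sensitive
    print(check_sign_in(db, "nobody", "banana"))  # False: unknown member
```

Note that nothing in the stored record lets you get “banana” back; the only way to know whether a string is the password is to hash it and compare, which is exactly what `check_sign_in` does.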
Why do we bother? Sutton Active isn’t as sensitive a website as say your online banking but we do our best to give a reasonable level of security. Many people use the same password on many websites, including more sensitive systems such as their email account and quite frankly we really don’t want to know what those passwords are. So if someone breaks into Sutton Active, it makes it that little bit harder for the hacker to do anything useful with the data.
Like all security measures, password hashing isn’t foolproof. If an unauthorised person got hold of a copy of the Sutton Active database, they couldn’t run the hashes backwards, but they wouldn’t need to: they can simply hash millions of likely passwords themselves and look for matches against the stored numbers. This is particularly easy if your password is just a standard dictionary word, which is why you shouldn’t use “banana” (or for that matter, “password”) as your password. It’s made easier still because a plain SHA1 hash is very fast to compute and, as described above, is the same for everyone who picks the same password, so one precomputed list of hashes (a “rainbow table”) cracks every site that stores passwords this way. The stronger version of this lock, which modern sites use, mixes a random per-member value (a “salt”) into each hash and uses a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2, so the attacker has to start from scratch for each member and each guess costs far more. Password hashing is the security equivalent of putting a lock on your front door. It deters casual attacks and makes life that bit harder for the determined attacker. Worth doing, but if you need Bank of England-style security, look elsewhere.
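To show what “easy to crack” means in practice, here is an added Python example (not Sutton Active’s code) that plays the attacker against a small made-up leaked table of unsalted SHA1 hashes, and then does the same against the hardened form: a random per-member salt with PBKDF2. The member names, the leaked table, the tiny word list and the iteration count are all constructed for the illustration; the leaked hashes are computed from known passwords at load time so the table is realistic but contains no real data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed "leaked database" in the post's format: member -> hex SHA1 of password.
# alice's hash is the sha1("banana") value quoted in the post.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": hashlib.sha1(b"banana").hexdigest(),
    "bob": hashlib.sha1(b"password").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# A deliberately tiny word list standing in for a real cracking dictionary.
WORDLIST = ["apple", "banana", "password", "letmein", "sutton"]

# Work factor for PBKDF2. Kept small here so the example runs in well under a
# second; production deployments use a far higher count (hundreds of thousands).
ITERATIONS = 100_000


def crack_unsalted(leaked: Dict[str, str], wordlist) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes.

    Each word is hashed exactly once and the resulting table is matched against
    every member at the same time. The table can be built in advance and reused
    against any other site that stores plain SHA1 (this is what a rainbow table
    industrialises).
    """
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: random 16-byte salt + slow PBKDF2-HMAC-SHA256 digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Sign-in check for the salted scheme; the salt is stored beside the digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_salted_records(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the same member table as LEAKED_UNSALTED, but stored the hardened way."""
    return {user: hash_password_salted(pw) for user, pw in passwords.items()}


def crack_salted(records: Dict[str, Tuple[bytes, bytes]], wordlist) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted, slow hashes.

    Because every member has a different salt, no precomputed table helps: the
    attacker must rehash every candidate word separately for every member, and
    each of those hashes costs ITERATIONS times more than a single SHA1.
    Returns the cracked passwords and the number of PBKDF2 computations needed.
    """
    found: Dict[str, str] = {}
    attempts = 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            attempts += 1
            if verify_salted(word, salt, digest):
                found[user] = word
                break
    return found, attempts


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted = make_salted_records(
        {"alice": "banana", "bob": "password", "carol": "correct horse battery staple"}
    )
    print(crack_salted(salted, WORDLIST))
```

The unsalted attack needs five SHA1 computations in total and recovers both weak passwords at once; the salted attack needs one slow PBKDF2 computation per member per guess, and even two members who chose the same password end up with different stored digests. Neither scheme saves carol from a long guessing campaign if her passphrase is weak, which is why the word-list advice in the post still applies.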