I'm here from Lawrence Systems, and I want to talk about how password managers hash your master password in the browser. I bring this up because there's just confusion that I see frequently when I've talked about password managers, of how do they manage to not have all of your data in an unencrypted form. Essentially, what they're doing is hashing it in the browser prior to sending it to them. Now, it's very important to understand where this is taking place, as in, in your browser versus on the server side. So prior to data being sent to the server, that's where it's happening. So inside your browser, prior to any data transferring over to them, they take your password and they're going to hash it.

Now, I've used the word hash a couple times, and I will leave a couple links to these videos here. Computerphile did a great job of explaining how password hashing works. So it'll be an assumption that you understand this, or you'd like to pause here and go watch those videos. And Tom Scott, I think, does such a great job of explaining things. A big fan of the whole Computerphile channel and all that crew over there.

But let's get back on topic and talk about how passwords are sent on a normal website, such as my forum. So this is forums.lawrencesystems.com, and this is a typical way logins are sent. Now, my site does use hashing in the back end, but that hash is occurring server side. So let me explain when we go here and click log in. Now, this is the developer tools. This is built into Chrome, that you see on the side over here on the right side. We're going to go ahead and hit record on the network part, because we want to capture the data.

Now, you may be asking, how about the data if, you know, you were to sniff the packets? Well, first, that's solved by using encryption via the certificate, and the certificate means that the data in flight, the data that is going between this browser and my server, is completely encrypted. So that protects us from that aspect in terms of being able to inspect the data. So a packet sniffer won't gather this password because of that encryption. But it does have to be decrypted inside the browser, not even on the system here that I'm using, but specifically in the browser.

So here is the data it's collecting. There's some polling going on in the back. But let's go ahead and use test@test.com, test123, and then we'll do exclamation point, at sign, pound. There we go. Login, which, that's not a valid login, so we failed.
All right, now we're going to stop recording, and let's see what was captured here. So like I said, this is happening in the browser. That's why we're able to see this, because the transport layer itself is encrypted. So we submitted; there's the remote IP we submitted to, which is the IP address that was resolved for my forums. And we scroll down here, and there is the login, test@test.com; password is test123 and exclamation point, at sign, pound.

Now, what happens here is the server took this and then hashed it and compared it to the known stored hash and decided whether or not those two matched, and if they matched, we have a successful login. Well, there's actually another two-factor that'll come up after, if you have your forum set up with two-factor, which I do, but either way, this is that next step to get there. But that does mean the password of test123 and the symbols did go across to the server side.

Now, password managers: Bitwarden we're going to use as an example. But they're not the only ones doing this. But I wanted to demo this to show you how you can look yourself and see what is actually being transmitted. We're going to do the same thing. We'll put in test@test.com, test123, and this is the password that we can see right here. So go ahead and hit login, and errors occurred. Yep, we know we did not get in, because that's not valid. Which is good; I was hoping that wouldn't work. All right, we'll scroll down here, and we see grant type: password, username. So they do have your username field, which is just your email address. But the password was hashed.
This is occurring in the browser. The scripting they use creates the hash prior to sending; that way, the only thing you're doing is comparing whether or not the hash matches, not your actual password. And this is very important in terms of being able to understand why they don't keep your password and why they're not taking your password server side, because if they were to take it server side, then there would be an opportunity for them to snag your password, and snagging the algorithm that does it is much more complex. Back to: if you didn't watch those videos, watch those videos about how hashing algorithms work. But because they're only doing that level of comparison, to decrypt it is not something they can do. They only have the hash stored. They are not storing the actual password, your master password, to the vault that does the decryption.

And they do this by sending over a series of scripts. Browsers are way more extensive than they were when I started 20-something years ago, and I dealt with some of the very earliest browsers. They're able to run languages inside them that allow this level of programming to happen, and this level of coding to hash it.

So if you're curious whether or not your password manager, or whatever you're using, is sending a hash of your password or your actual master password, all you have to do, in the case of Chrome for example here, is open up the developer console by pressing F12. I know this exists in Mozilla Firefox as well; I forget the shortcut key to it, easy enough to Google that. And then you can look through and see what's happening and what's actually being sent. Matter of fact, playing with the developer console can be a real rabbit hole, just for all the different things that your browser sends and all the different network connections it makes. But that's a topic for another time. All right, thanks. And thank you for making it to the end of this video.
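Added example, not part of the video and not any password manager's own code: a Node.js sketch contrasting the two captured login bodies described above, one carrying the typed password and one carrying a hash derived on the client. The PBKDF2 scheme, iteration count, `password` field name for the hashed login, helper names and sample values are all assumptions made for illustration.

```javascript
// Added example. Assumed scheme (not taken from the video): PBKDF2-HMAC-SHA256
// with the email as salt, then one more round to get the value that is sent.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed work factor

// Stretch the master password into a key that stays on the client.
function deriveMasterKey(masterPassword, email) {
  const salt = email.trim().toLowerCase();
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Derive the login hash from that key; only this value goes to the server.
function deriveLoginHash(masterKey, masterPassword) {
  return crypto.pbkdf2Sync(masterKey, masterPassword, 1, 32, 'sha256')
    .toString('base64');
}

// Form body a hashing client would POST (field names partly assumed).
function buildHashedLoginBody(email, masterPassword) {
  const masterKey = deriveMasterKey(masterPassword, email);
  return new URLSearchParams({
    grant_type: 'password',
    username: email,
    password: deriveLoginHash(masterKey, masterPassword),
  }).toString();
}

// Form body of a site that hashes server side: the typed password is sent.
function buildPlainLoginBody(email, password) {
  return new URLSearchParams({ login: email, password }).toString();
}

// The check done by eye in the Network tab: decode the captured form body
// and see whether any field carries the password exactly as typed.
function leaksPlaintext(capturedBody, typedPassword) {
  for (const [, value] of new URLSearchParams(capturedBody)) {
    if (value.includes(typedPassword)) return true;
  }
  return false;
}

// Constructed sample credentials, as typed in the demo.
const EMAIL = 'test@test.com';
const PASSWORD = 'test123!@#';
console.log('forum body leaks password:  ',
  leaksPlaintext(buildPlainLoginBody(EMAIL, PASSWORD), PASSWORD));
console.log('hashed body leaks password: ',
  leaksPlaintext(buildHashedLoginBody(EMAIL, PASSWORD), PASSWORD));
```

In a browser the same derivation would go through the WebCrypto `crypto.subtle` API; Node's synchronous `pbkdf2Sync` is used here only so the example runs offline.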