Hash functions turn any amount of data into a fixed-length 'fingerprint' that cannot be reversed. They also have the property that if the input changes by even a tiny bit, the resulting hash is completely different (see the example above). This is great for protecting passwords, because we want to store passwords in a form that protects them even if the password file itself is compromised, but at the same time, we need to be able to verify that a user's password is correct.

The general workflow for account registration and authentication in a hash-based account system is as follows:

1. The user creates an account.
2. Their password is hashed and stored in the database. At no point is the plain-text (unencrypted) password ever written to the hard drive.
3. When the user attempts to log in, the hash of the password they entered is checked against the hash of their real password (retrieved from the database).
4. If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials.
5. Steps 3 and 4 repeat every time someone tries to log in to their account.
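
The registration and login workflow described here, as an added Python example (not code from the original page). The in-memory USERS dict standing in for the database, the per-user random salt, and PBKDF2-HMAC-SHA256 as the hash function are choices made for this example.

```python
import hashlib
import hmac
import os

# Stand-in for the database table (assumption): username -> (salt, password hash).
USERS = {}

ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length 32-byte hash from the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Dummy record so a login for an unknown user does the same amount of work
# as a login for a real one.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)


def register(username: str, password: str) -> bool:
    """Hash the password and store only the salt and hash."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    # Only the salt and the hash are stored; the plain-text password is not.
    USERS[username] = (salt, hash_password(password, salt))
    return True


def login(username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored hash."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)
    # Constant-time comparison, so the check does not leak how many bytes matched.
    match = hmac.compare_digest(candidate, stored)
    # Unknown user and wrong password give the same answer: invalid credentials.
    return match and username in USERS


if __name__ == "__main__":
    register("alice", "correct horse")          # constructed sample credentials
    print(login("alice", "correct horse"))      # hashes match: access granted
    print(login("alice", "correct hors"))       # tiny change: hashes differ
```
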