If you’re like me, you use passwords to access many different sites on the internet. You may have an Amazon account, bank online, and have an email account or three.
Have you thought about how secure your passwords really are? I mean I assume all your passwords are different, aren’t they?
In order to understand password security, it helps a little to know how passwords are stored. There are two main options: cleartext and password hashes.
If an entity stores your password in cleartext that means anyone with elevated access to their system (something hackers gain all the time) can see your password directly. This is obviously a very bad thing for you, especially if you’re in the habit of using the same password across multiple sites. All a hacker then needs to do is try to use your found credentials on various sites and hope for the best (for him). What if a forum you normally post to is hacked and your password there (and username, whoops!) match your eBay credentials? You might be in a world of hurt.
Most reputable sites will hash your password. A hash is a mathematical process of converting your password into a seemingly random set of bytes. The difference between a hash and encryption is this: encryption is reversible; hashing is a one-way operation. There is not supposed to be an easy way of determining a password based on its hash value. It is this hash value that is stored and becomes visible to any hacker, not your real password.
When you are challenged for your password, your response is then hashed. It is this hash that is compared to the password hash on file for you. If they match, the presumption is the password entered must be correct.
That sounds secure, right? To a point…yes. But here’s the problem. Hackers steal password hashes all the time, use techniques to break them (match hashes to passwords), and then publish the results. A short password is extremely easy to break because the number of guesses required to find a matching hash is much lower than for a longer password, but a longer password that isn’t unique is easy to break, too. Why?
Password hackers use wordlists and “rules” to guess passwords in an attempt to match hashes. If your password has words or character patterns hackers normally look for, your password is not secure. If someone else had the same bright idea as you to use the same password and their password was hacked and published, yours is no longer secure because your password hash has already been matched with the password. Rules allow password hackers to make educated alterations to guesses to extend their chances for getting a match. Example: original guess: Charlie. A rule may look for Charlie00 to Charlie99.
There are ways that the good guys can still protect your password. One way a site can protect you is by salting your password, which means random characters are added to your password before it is hashed, so its hash changes; two users who chose the same password then end up with different hashes, and a published match for one does not reveal the other. But not every site does this, and you should not assume that your password is truly secure. Once your password is found, a hacker has access to your account and may try your credentials elsewhere, causing your problems to multiply should they succeed.
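The check described above (hash what the user types, compare it with the hash on file) and the effect of salting, as an added example that is not part of the original post. It uses only the Python standard library; the two user records and their shared password are constructed sample data, and PBKDF2-HMAC-SHA256 is my choice of salted, iterated hash, since the post names no particular algorithm.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to pick the same password.
USERS = {"alice": "Charlie00", "bob": "Charlie00"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password, as a site that does not salt would store it."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).
    Because the salt is random per user, equal passwords give different hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> dict:
    """The record a site keeps: a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Login check: hash the attempt with the stored salt and compare in constant time."""
    candidate = salted_hash(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_table() -> dict:
    """What an unsalted site would hold: identical passwords, identical hashes."""
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def salted_table() -> dict:
    """What a salting site would hold: identical passwords, different hashes."""
    return {user: store_salted(pw) for user, pw in USERS.items()}


def same_unsalted(table: dict) -> bool:
    return table["alice"] == table["bob"]


def same_salted(table: dict) -> bool:
    return table["alice"]["hash"] == table["bob"]["hash"]


if __name__ == "__main__":
    print("unsalted hashes identical:", same_unsalted(unsalted_table()))
    records = salted_table()
    print("salted hashes identical:  ", same_salted(records))
    print("login with right password:", verify(records["alice"], "Charlie00"))
    print("login with wrong password:", verify(records["alice"], "charlie00"))
```

With the unsalted table, one hash that has been matched and published reveals every account that used the same password; with the salted table, each record has to be attacked on its own.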
So what can you do to protect yourself? First, make sure every site you use has a different password. This way, if one site is compromised, your other passwords are secure. Second, make your passwords as random as possible. A password like “Charlie&Horse” is not secure. You may think it is, but hackers routinely account for random characters between, before, and after words when attempting to match a hash to a password, using rules as described earlier. A good method might be to use a phrase, such as (don’t use this now) “My mother’s maiden name is Cosplinger and she lives in Portland, Maine”; using the first and last character of each word (and that apostrophe) gives “Mym’smnneisCradselsinPdMe”.
The point is to get creative with your passwords, but in a way that you’ll remember and is hopefully totally unique to you.
By the way, how secure is your email password? You know the one the bank uses to communicate with you and verify your identity? Your email password is probably the most important one you have. Make sure it’s truly secure.
This post was inspired by an Ars Technica article.