Passwords are required everywhere online. So many websites require a log-in now that the average user likely has dozens, if not hundreds, of passwords. So how do you keep track of so many? How do you keep them safe? And how do you choose a secure password in the first place? I hope to answer those questions here. To do so, I first need to answer a few questions you may not have thought to ask.
How are Passwords Compromised?
Many people have the mistaken idea that an attacker gains access to your account by sitting at the log-in page and guessing password after password. That does happen, but such attacks usually come from an amateur targeting one specific account. Most compromises are far less personal: thousands, even millions, of accounts are compromised at once. The attackers then use that information in many ways, often selling it to people intending to commit identity theft.
Most password breaches occur en masse, and the reason is speed. Logging in to an account takes time: you enter your username and password and wait, perhaps solving a CAPTCHA to prove you are human. In addition, most systems lock the account, at least temporarily, after too many failed attempts. That makes the direct, online guessing approach almost useless for someone wanting to harvest private data at scale.
There are other ways passwords can be compromised, and some of them are discussed later. However, the vast majority of password compromises come from stolen password databases on corporate sites.
How are passwords stored?
In order to understand how to create good passwords, we first must understand how attackers compromise them. To do that, we must understand how passwords are actually stored and checked.
The simplest way to store a password is to keep it in plain text in a file. When you type your password, the system simply compares what you typed with the contents of the file. Early systems may have worked this way, but it is extremely insecure: anyone who obtains the password file immediately knows every password for every user on the system. For that reason, plain-text storage is a very bad way to keep passwords.
Of course, the system still needs a way to check that the password you entered matches the one on record. To do that, programmers use a mathematical tool called a hash function. Hashing is often compared to encryption, but the two are different: encryption is reversible by anyone holding the key, whereas a hash is designed to be one-way, with no key that turns the output back into the input. Cryptographic hash functions (and there are many kinds) also take input of any length and produce output of a fixed length, no matter what was fed in.
With a hashed password, the system does not actually know your password. It can, however, take your password attempt, run it through the same hash function, and compare the result to the value on file. If they match, the password is accepted. Note that because the hash output is fixed in length while the inputs are unlimited, two different inputs can in principle hash to the same value (a collision). For a modern hash function, finding one is computationally infeasible, so this is not a practical concern for passwords.
How hashed passwords are compromised
Obtaining the password file simplifies things for an attacker greatly. Even though he likely cannot reverse the hash to recover the plain-text passwords, there is a fairly simple way to recover many of them: the dictionary attack. Most people use ordinary words as passwords. Sometimes they swap a letter for a number, such as "0" for "o" or "3" for "e", or they tack a digit on the end. Such tricks satisfy the software that insists on a number in your password, but attackers know them too, so they add those variants to their dictionaries.
Once the attackers have their dictionary (and they already do), they run every candidate in it through the same hash function and look for matches against the hashes in the password file. A match is not strictly guaranteed to be the user's original password, but it will be accepted as the correct password on that system.
If the system does nothing more to protect the passwords, the attackers need not even compute hashes after stealing the file. They can generate tables of candidate passwords and their hashes (one table per common hash function) ahead of time. Then, whenever they compromise a system, all they need to do is look up each stored hash in the table. Since looking up a value, even in a very large table, is far faster than computing hashes, a precomputed dictionary of common passwords speeds up the attack enormously.
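To make the attack concrete, here is an added example (not code from the original article) of an unsalted password file, the mangling rules just described, and a precomputed hash table used as a pure lookup. The "password file", the word list and the user names are constructed for the example; SHA-256 stands in for whatever unsalted hash a weak system might use.

```python
import hashlib


def hash_password(password: str) -> str:
    """Unsalted hash: the storage scheme the text describes (not what to use in production)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify(stored_hash: str, attempt: str) -> bool:
    """What the login code does: hash the attempt and compare it with the value on file."""
    return hash_password(attempt) == stored_hash


# Letter-for-digit swaps the text mentions, plus a few more that attackers routinely try.
LEET = {"o": "0", "e": "3", "a": "@", "i": "1", "s": "$"}


def mangle(word: str):
    """Yield the variants of one dictionary word: capitalised, leet-swapped, with digits appended."""
    leet = word
    for src, dst in LEET.items():
        leet = leet.replace(src, dst)
    for base in {word, word.capitalize(), leet, leet.capitalize()}:
        yield base
        for n in range(10):
            yield f"{base}{n}"
        yield f"{base}123"
        yield f"{base}!"


def build_table(wordlist) -> dict:
    """Precomputed hash -> plaintext table. An attacker builds this once, before any breach."""
    return {hash_password(c): c for w in wordlist for c in mangle(w)}


def crack(password_file: dict, table: dict) -> dict:
    """Recover every account whose hash is in the table. No hashing happens here: it is a lookup."""
    return {user: table[h] for user, h in password_file.items() if h in table}


# Constructed sample data for this example; not a real word list or breach.
WORDLIST = ["password", "sunshine", "dragon", "welcome", "letmein"]

PASSWORD_FILE = {
    "alice": hash_password("Sunshine1"),
    "bob": hash_password("dr@g0n123"),
    "carol": hash_password("xk9#Vq2!Lm7z"),  # random, appears in no word list
    "dave": hash_password("Sunshine1"),     # same password as alice -> identical hash on file
}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(f"table size: {len(table)} hashes")
    for user, plain in crack(PASSWORD_FILE, table).items():
        print(f"{user}: {plain}")
```

Two things are worth noticing in the output: carol's random password is never recovered because nothing in the table hashes to it, and alice and dave have byte-for-byte identical hashes, so an unsalted file also tells the attacker which users share a password.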
Fortunately, most password systems add another layer of protection. One method is called a "salt". Salting adds a few random characters to the password before hashing it, which produces a completely different hash from the one the bare password would give. The salt can be as simple as a few characters, chosen randomly by the system when the password is created, added to the front or back of the password before hashing. The salt itself is then stored in plain text alongside the hash in the password file.
Salting means that, rather than simply building one dictionary of common passwords and their hashes, the attacker must work harder. He must steal the password file first and THEN run the whole dictionary attack against each password in turn, actually computing a fresh hash for every attempt, because every account has a different salt.
You might think the attacker could just build a dictionary containing each common password combined with every possible salt. He could, but a single character of salt already makes the dictionary 94 times bigger if the salt is limited to characters on a standard U.S. keyboard. With two characters of salt the dictionary is 8,836 times larger, and eight characters make it more than 6 quadrillion times larger.
These days the recommendation seems to be a salt of at least 32 characters, which would make such a dictionary 1.38×10^63 times larger. All of this grows further still if the salt can include characters not found on a standard U.S. keyboard. Think of the effort needed to complete a dictionary with so many possibilities. Is it possible? In principle. Is it efficient? No. Would it take far too long? Yes.
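The following added example (not code from the original article) shows salting as described above: the same dictionary, now with a per-user salt prepended before hashing. The precomputed table from a plain dictionary finds nothing, the attacker is forced back to hashing every candidate against every record's own salt, and the table-growth numbers from the text fall out of a one-line formula. User names, salts and passwords are constructed; the salts are fixed so the run is reproducible, whereas a real system draws them from `secrets` when the password is set.

```python
import hashlib
import secrets
from typing import Optional


def hash_with_salt(password: str, salt: str) -> str:
    """Salt prepended to the password, then hashed. The salt is stored in the clear beside the hash."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def create_record(password: str, salt: Optional[str] = None) -> tuple:
    """Return (salt, hash) as it would be written to the password file."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 random hex characters, fresh for every password
    return salt, hash_with_salt(password, salt)


def verify(record: tuple, attempt: str) -> bool:
    salt, stored = record
    return hash_with_salt(attempt, salt) == stored


def unsalted_table(wordlist) -> dict:
    """The attacker's precomputed table of plain (unsalted) hashes."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def lookup_attack(records: dict, table: dict) -> dict:
    """Try the precomputed table against salted records. Finds nothing: the salt changed every hash."""
    return {user: table[h] for user, (_, h) in records.items() if h in table}


def per_record_attack(records: dict, wordlist) -> tuple:
    """What the attacker is forced to do instead: hash each candidate with each record's own salt.
    Returns the recovered passwords and the number of hash computations it took."""
    found, work = {}, 0
    for user, (salt, stored) in records.items():
        for candidate in wordlist:
            work += 1
            if hash_with_salt(candidate, salt) == stored:
                found[user] = candidate
                break
    return found, work


def table_growth(salt_chars: int, alphabet: int = 94) -> int:
    """How many times larger a precomputed table becomes if it must cover every possible salt."""
    return alphabet ** salt_chars


# Constructed sample data for this example.
WORDLIST = ["password", "sunshine", "dragon", "welcome", "letmein"]

RECORDS = {
    "alice": create_record("sunshine", salt="3f9a1c7e0b2d4680"),
    "bob": create_record("letmein", salt="91c4e7a02f5b3d68"),
    "carol": create_record("xk9#Vq2!Lm7z", salt="0a6d2f4b8e1c9375"),
    "dave": create_record("sunshine", salt="b7e2095c1f3a4d86"),  # same password as alice, different hash
}

if __name__ == "__main__":
    print("precomputed table finds:", lookup_attack(RECORDS, unsalted_table(WORDLIST)))
    found, work = per_record_attack(RECORDS, WORDLIST)
    print(f"per-record attack finds {found} after {work} hash computations")
    for n in (1, 2, 8):
        print(f"{n} salt char(s): table {table_growth(n):,} times larger")
```

A salt defeats precomputation but does nothing to slow down the per-record attack itself; that is the job of a deliberately slow, salted password hashing function (bcrypt, scrypt, Argon2, or at minimum PBKDF2 via `hashlib.pbkdf2_hmac`), which is what a real system should use in place of the bare SHA-256 shown here.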
How long does it take to crack a password?
Unfortunately, the answer is "not long" if your password is weak. Without a salt, an attacker can compromise almost all the weak passwords in a database practically instantly using a previously generated dictionary of hashes.
With a salt, the attacker must check each password individually. However, depending on the specific hash function, a single machine with a high-end graphics card can test anywhere from several tens of thousands of guesses per second (for hash functions deliberately designed to be slow, such as bcrypt or Argon2) to a few hundred billion per second (for fast general-purpose hashes). A distributed setup with many machines and many graphics cards pushes that number far higher.
These numbers only increase, because the overall speed of computers has doubled roughly every 18 months for the last few decades. Should that trend ever peter out, password cracking will slow down with it.
Password Strength
So an attacker can potentially try several hundred billion guesses per second. Your next question might be: how long would it take to crack yours? Are your passwords strong enough to withstand the attack?
Password length is the main factor in password strength: in general, the longer the password, the stronger it is. An attacker can crack a 4-character password of any kind practically instantly, but such short lengths make a good illustration of how password cracking scales. Consider the chart below, which lists the number of possible passwords for each character set and length.
| Password Type | Possible Characters | 4 Characters | 5 Characters | 6 Characters |
| --- | --- | --- | --- | --- |
| Numbers only | 10 | 10,000 | 100,000 | 1,000,000 |
| Lower Case Letters | 26 | 456,976 | 11,881,376 | 308,915,776 |
| Letters & Numbers | 36 | 1,679,616 | 60,466,176 | 2,176,782,336 |
| Upper & Lower Case Letters | 52 | 7,311,616 | 380,204,032 | 19,770,609,664 |
| Upper and Lower Case Plus Numbers | 62 | 14,776,336 | 916,132,832 | 56,800,235,584 |
| Upper & Lower Case, Numbers, & Symbols | 94 | 78,074,896 | 7,339,040,224 | 689,869,781,056 |
The chart shows two ways to increase password strength: greater length and a wider variety of characters. Length matters more, because each extra character multiplies the number of possibilities by the size of the character set, whereas widening the character set only changes that multiplier.
So how long does your password need to be? If you use a good randomly generated password drawing on upper and lower case letters, numbers and symbols, 10 random characters (about 5×10^19 possibilities) already takes years to exhaust at several hundred billion guesses per second, and 12 characters (about 5×10^23) pushes that into tens of thousands of years. If you want a password you can remember (i.e. something not totally random), 16 to 20 characters is a much better length.
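The arithmetic behind the chart and the length advice, as an added example (not code from the original article): each row of the chart is the character-set size raised to the length, and dividing by an assumed guessing rate gives the time to exhaust the space. The 500 billion guesses per second figure is the one the article uses later for a well-equipped attacker; it is an assumption, and a slow password hash would cut it by many orders of magnitude.

```python
import math

# Assumed attacker speed: 500 billion guesses per second, the figure used in the text.
RATE = 500e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character sets from the chart above, keyed by their size.
CHARSETS = {
    "Numbers only": 10,
    "Lower case letters": 26,
    "Letters & numbers": 36,
    "Upper & lower case letters": 52,
    "Upper & lower case plus numbers": 62,
    "Upper & lower case, numbers & symbols": 94,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet size raised to the length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity on a log scale: bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: float = RATE) -> float:
    """Worst case for the attacker: time to try every password at `rate` guesses per second.
    On average a password falls after half this time."""
    return search_space(alphabet_size, length) / rate / SECONDS_PER_YEAR


def chart(lengths=(4, 5, 6)) -> list:
    """Rebuild the chart rows as (name, alphabet size, [search space for each length])."""
    return [(name, n, [search_space(n, L) for L in lengths]) for name, n in CHARSETS.items()]


def main():
    for name, n, spaces in chart():
        print(f"{name:40} {n:3}  " + "  ".join(f"{s:>18,}" for s in spaces))
    print()
    for length in (8, 10, 12, 16):
        print(f"{length} random chars from 94: {entropy_bits(94, length):5.1f} bits, "
              f"{years_to_exhaust(94, length):,.1f} years to exhaust at {RATE:,.0f}/s")


if __name__ == "__main__":
    main()
```

Running `main()` reproduces the chart (including 26^4 = 456,976) and shows why the text settles on 10 to 12 random characters: 10 characters from the 94-symbol set take a few years to exhaust at the assumed rate, 12 take about thirty thousand.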
The Risks of Password Reuse
Up until now, we have been talking about a password being compromised on a single service (think one website). Almost nobody uses a single service, though. So what do you do about the 50 or so websites and other services you have signed up for?
Now, let's assume you have good passwords. Even good passwords are sometimes compromised, and that is why reusing them is such a problem. If the bad guys crack your password on one site, they will try it on other sites to see whether you reused it (a technique known as credential stuffing). If only your Netflix account is compromised, there is little someone can do to you overall. But if you used the same password for your banking, the attacker now has your banking password too. Reusing passwords is very risky.
Keeping passwords safe is getting complicated
At this point things are getting complicated. I have told you that you need around 50 unique passwords, each 20 or so random characters long. That is an awful lot to keep track of, and everybody knows you are not supposed to write them down. How can you possibly remember them all? There are several things you can do.
Firstly, writing down passwords is not as bad as traditionally believed. If you look after your password list and secure it as you would other physical valuables, it can be reasonably secure. The problem with writing down passwords arises when someone scribbles a password on a sticky note and leaves it on the monitor. When I worked for a university's tech support department, many of the techs knew dozens of professors' passwords for no other reason than that the tech went to fix something and found the password on the monitor.
Of course, there are more convenient ways.
There are a number of password managers available. With a good password manager you can store all of your passwords and more, and then you need only remember a single master password. Because it is the only one you must memorise, you can make that master password much longer, which makes it harder to guess.
There are a few different types. There are offline, stand-alone password managers, and online password managers that let you reach your passwords from anywhere. Many web browsers have built-in password managers as well; the browser-based ones can save either locally or in the cloud, if you have an account with the vendor's cloud service.
Each has advantages. With an online password manager you can access your passwords from all of your devices, and you can log in to it from any other device as well, so any of your accounts is reachable from anywhere. The disadvantage is obvious: if the password to your online password manager is compromised, EVERY password you have is compromised with it. You must also trust the company providing the service not only to avoid doing something careless, but also not to sell you out for some other benefit.
On the other hand, an offline password manager is much harder to compromise remotely, although it IS possible. The attackers would first need to compromise your computer and then attack the password manager from there. That is more work, and it means targeting you personally rather than simply grabbing a password file with millions of entries and seeing who turns up.
Generating secure and easy-to-remember passwords
The next thing you can do is use actual words for your passwords. I know we just spent quite a bit of time on the danger of dictionary words, and it is true: a single dictionary word massively shortens the effective length of the password. The simple answer is to use several words. If you pick those words at random, the password becomes stronger overall, because the attacker must now guess the combination of words rather than one word.
Diceware is a good way to pick dictionary words at random. Using Diceware, you roll five dice and look up the resulting five-digit number in a specially prepared word list of 7,776 entries (6^5, one for every possible roll). That gives you one random word. Repeat the process to collect five or six words, or even more. The result is about 25 to 30 characters long, but instead of remembering 30 random characters you only need to remember six or seven words. Much easier, right?
While the Diceware website has a lengthy and detailed explanation of why this is secure, we can shorten it a bit. To you it is six or so words to remember. To the bad guys it is FAR more difficult to guess. As the chart above shows, the more possible values each position in a password can take, the harder the password becomes to guess.
Diceware is the equivalent of a 5 or 6 character password, but instead of 94 possible characters per position, each position has 7,776 possible values (one per word). An attacker who does not know you used Diceware faces a random-looking password of roughly 20 to 30 characters. If he does know you used Diceware, six words still give 7,776^6, or 221,073,919,720,733,357,899,776 possible passphrases (roughly 2.2×10^23, about 77.5 bits). That is an intimidating number: at 500 billion guesses per second it still takes over 14,000 years to try them all at current processing speeds, and you have a fairly easy-to-remember password.
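Here is an added example (not code from the original article or the Diceware project) of the Diceware procedure above: rolling five dice from a cryptographic random source, mapping the roll to a list index, and working out the entropy and exhaustive-search time for an attacker who knows the list. The real 7,776-word list is not embedded; `STAND_IN_WORDLIST` is a constructed placeholder of the right size, and the 500 billion guesses per second rate is the assumption the text uses.

```python
import math
import secrets

WORDS_PER_LIST = 6 ** 5  # 7,776: one entry for every possible five-dice roll

# Constructed stand-in for the real Diceware word list: entry i is "word0000".."word7775".
# Replace it with the genuine 7,776-word list to get real words.
STAND_IN_WORDLIST = [f"word{i:04d}" for i in range(WORDS_PER_LIST)]


def roll_key() -> str:
    """Roll five dice with the OS CSPRNG (never random.random for this). Returns e.g. '31415'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def key_to_index(key: str) -> int:
    """Map a five-dice key to a list index: the dice form a base-6 number, '11111' -> 0, '66666' -> 7775."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not a five-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    """Inverse of key_to_index, useful for checking a printed list against its indices."""
    if not 0 <= index < WORDS_PER_LIST:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def generate_passphrase(wordlist, n_words: int = 6) -> str:
    """Pick n_words words, each by an independent five-dice roll."""
    if len(wordlist) != WORDS_PER_LIST:
        raise ValueError("a Diceware list needs exactly 7,776 entries")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(n_words))


def entropy_bits(n_words: int) -> float:
    """Each word is one of 7,776 equally likely choices: log2(7776), about 12.9 bits per word."""
    return n_words * math.log2(WORDS_PER_LIST)


def years_to_exhaust(n_words: int, rate: float = 500e9) -> float:
    """Time to try every n-word phrase at `rate` guesses/s, assuming the attacker knows the list."""
    return WORDS_PER_LIST ** n_words / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase(STAND_IN_WORDLIST))
    for n in (5, 6, 7):
        print(f"{n} words: {entropy_bits(n):.1f} bits, {years_to_exhaust(n):,.0f} years to exhaust")
```

The security does not come from the words being obscure but from each being chosen uniformly from 7,776 options, which is why the dice (or `secrets`) matter and why picking "random" words from memory does not give the same strength.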
Two-Factor or Multi-Factor Authentication
Two-factor authentication is one of the more recent attempts to strengthen password-based log-ins. The idea is that, besides the password, you must prove possession of some other device or account (think email or phone). To log in, you need not only the password for the account but also that second channel to confirm with. For example, when you log in, the server sends you an email or a text message containing a code, and you must then give that code back to the website. There are a number of other methods, but for the time being this seems to be the most common one.
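The server's side of the emailed or texted code just described, as an added example (not code from the original article): it issues a short random code for delivery out of band, then accepts an attempt only while the code is fresh, unused and within an attempt budget. The code length, five-minute lifetime and five-attempt limit are assumed policy values chosen for the example, not figures from the text; the injectable clock exists so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time

# Assumed policy values for this example.
CODE_DIGITS = 6         # codes look like "048213"
CODE_TTL_SECONDS = 300  # a code is good for five minutes
MAX_ATTEMPTS = 5        # then the code is discarded and the user must request a new one


class OneTimeCodeStore:
    """Server-side half of an SMS/email code check. Delivery of the code is the caller's job;
    this class only remembers what was issued and decides whether an attempt is acceptable."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # user -> [code, expires_at, attempts_so_far]

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, replacing any earlier one, and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, attempt: str) -> bool:
        """Accept an attempt only if a live code exists, it has not expired, the attempt budget
        is not spent, and the digits match. A correct code is consumed so it cannot be replayed."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        entry[2] = attempts + 1
        # compare_digest takes the same time whether the first or last digit differs
        if hmac.compare_digest(code.encode("utf-8"), attempt.encode("utf-8")):
            del self._pending[user]
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("send this to alice out of band:", code)
    print("right code accepted?", store.verify("alice", code))
    print("same code again?", store.verify("alice", code))
```

A six-digit code has only a million possibilities, so nothing about the code itself is hard to guess; the lifetime and the attempt limit are what keep an attacker from simply cycling through them, and the single-use rule is what stops a code that was intercepted from being replayed after the legitimate user has logged in.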
Two-factor authentication stops many remote attacks cold. I have personally seen many illicit access attempts on my online accounts fail thanks to two-factor authentication. The bad guys cannot just take a cracked password and use it against you on a site, particularly if you did not reuse that password. However, it does not necessarily stop every attack.
Modern devices can be major security holes in themselves. They often contain password managers, so you need not always type your credentials to log in. Your smartphone is very convenient, but if it is lost or stolen, that same smartphone is a huge security risk for you.
Let's imagine your bank offers two-factor authentication. To log in, you first give your user name and password to the website. Then the bank texts you a verification code, which you provide to the website. Secure, right? Not really.
First, your phone has helpfully saved the password for your bank. So, if you lose your phone, whoever finds it may take the opportunity to log straight into your bank: the password is already saved, so the bad guy is past the first hurdle. The second factor should stop him cold. Nope. The bank helpfully texts the verification code to your phone, the very phone he is holding. Bang. He is into your account and can do whatever he wants. Both factors were sitting on one device, which makes them effectively a single factor.
There are other methods of multi-factor authentication. Most require a second, separate device or some form of biometric authentication, such as a fingerprint.
Multi-factor authentication adds steps to logging in, so it receives a lot of push-back from users. The trouble is that anything that makes it easier for you to log in to your account also makes it easier for a bad guy to get in.
Conclusion
Keeping your accounts secure is harder than you might think. You need to avoid reusing passwords and to use longer passwords than is convenient. With care and attention, your online accounts will most likely remain uncompromised and your personal information safe. It is inconvenient, for sure, but the bad guys are simply that determined. Do your best to thwart them with strong passwords and good password management.