Generate & Manage Reasonably Secure Passwords

Passwords are required everywhere online. So many websites require some sort of log-in now that the average user is likely to have dozens, if not hundreds, of passwords. So, how do you keep track of so many? How do you keep them safe? Also, how do you decide on a secure password to start with? I hope to answer many of these questions here. But in order to do so, I must answer several you don’t already have.

How are Passwords Compromised?

Many people have the mistaken idea that a potential attacker gains access to your account by trying to log in and then guessing lots of passwords. While that does happen, such attacks usually come from an amateur trying to access a specific account. Most data compromises are far less personal. Thousands, even millions, of accounts can be compromised at once. Then the hacker(s) use that information in many ways, often selling it to individuals intending to commit identity theft. Most breaches of password data occur en masse.

When you try to log in to your account, it takes a certain amount of time. You must enter your username and password, then wait. There might be a captcha to prove you’re a human. All of this login process takes time. In addition, most systems will disable the account for at least a short time if there are too many failed log-ins. This makes the direct approach rather useless for someone wanting to sell your private data.

There are other ways that passwords can be compromised. Some of these methods will be discussed later. However, the vast majority of password compromises come from compromised password databases on corporate sites.

How are passwords stored?

In order to understand how to create passwords, we first must understand how hackers compromise them. To do that, we must understand how passwords actually work. The simplest way to create and store a password is to keep it in plain text in a file somewhere.
Then, when you type in your password, the system simply compares the contents of the password field to the contents of the password file. Early passwords may have worked that way. However, it is an extremely insecure method of storing passwords. Anyone who gains access to the password storage file suddenly knows every password for every user on that system. Because of this liability, this method is a very bad way to store passwords.

Of course, the system still needs a way to verify if the password you entered is the password set in the system. To accomplish this purpose, computer programmers created a little mathematical marvel called a hash. Hashing something is mathematically comparable to encrypting it (but not the same thing). Theoretically, you cannot undo a hash. Certain kinds of hashes (and there are many kinds) will take any input and spit out the same length of characters no matter what. Now, with a hashed password, the system doesn’t actually know what your password is. However, it can take your password attempt, run it through this same hash function, and compare what the hash function spits out to what it has on file. If they match, the password is deemed correct. I should also note that, while extremely unlikely for something as short as a password, it is possible for two different passwords to hash to the same value.

How hashed passwords are compromised

Obtaining the password file simplifies things for an attacker greatly. Even though he likely can’t reverse the hash and obtain the plain text passwords, he might choose to use a fairly simple way to restore many of those passwords. The method is known as a dictionary attack. Most people use regular words for a password. Sometimes they change a letter to a number. Think “0” instead of “o” or “3” instead of “e,” for example. Another method is simply adding a number on the end of the password. Such “tricks” will satisfy the software telling you that you must use a number in your password.
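
A sign-up check that catches the “tricks” just described, shown here as an added example that is not part of the original article. The word list, the substitution table and the function names are constructed for illustration; a real check would load a large list of common and previously breached passwords.

```python
import re

# Constructed mini word list for illustration only.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "sunshine"}

# Common character swaps, e.g. "0" for "o" and "3" for "e".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_rule_ok(password: str) -> bool:
    """The kind of rule the article mentions: long enough and contains a digit."""
    return len(password) >= 8 and any(c.isdigit() for c in password)


def dictionary_root(password: str):
    """Return the common word this password is derived from, or None."""
    lowered = password.lower()
    # Drop digits/symbols tacked onto the end ("sunshine2024!" -> "sunshine").
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    for candidate in (lowered, stripped):
        # Undo the letter-to-number swaps before looking the word up.
        normalized = candidate.translate(LEET_MAP)
        if normalized in COMMON_WORDS:
            return normalized
    return None


def check(password: str) -> str:
    """Reject dictionary variants first, then apply the length/digit rule."""
    root = dictionary_root(password)
    if root is not None:
        return f"reject: variant of '{root}'"
    if not naive_rule_ok(password):
        return "reject: too short or no digit"
    return "accept"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P4ssw0rd1", "W3lc0m3", "sunshine2024!", "tq7vLx92kd"):
        print(f"{pw!r}: digit rule ok={naive_rule_ok(pw)}, result={check(pw)}")
```

Note that “P4ssw0rd1” passes the digit rule on its own, which is exactly why the rule alone is not enough.
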

However, the bad guys and hackers know those tricks too, so they add those variants to their dictionary. Once the bad guys have their dictionary (and they already do), all they do is run every single password possibility in the dictionary through the same hash function to see if any “coincidences” occur, namely, whether anything gives the same hash value as one found in the password file. While these attempts are not 100% guaranteed to match the original unhashed password, they will 100% work as the correct password on that system.

Now, if the system doesn’t do more to protect the passwords, the attackers need not even run these attacks after they have the password file. They can simply generate lists of passwords and hashes (perhaps several, each using a different hashing function) ahead of time. Then, whenever they compromise a system, all they need to do is compare the lists to the password file. Since searching a file, even a large one, is much faster than computing the hashes, using a “dictionary” of common passwords speeds up the attack a great deal.

Fortunately, most password systems use other means to further protect the passwords. One method is called “salt”. A “salt” method adds a few random characters to the password before hashing it. Doing so produces a totally different hash than it would without the “salt”. Salt can be as simple as adding a couple of characters (chosen randomly by the system when the password is created) to the front or back of the password, then hashing that. Those characters are then stored in plain text in the password file. Adding “salt” means that, rather than simply creating a dictionary of all the most common passwords and their hashes, the bad guy(s) must work harder. He must steal the password file first and THEN try the whole dictionary attack on each and every password in turn. Also, he must actually compute each hash for each attempt. You might