The "Fast Lane" Answer
A password is a digital key that helps prevent unauthorized access, usually to computer-based systems. It lets you in, while keeping out those who don't know the password, like the muscle-bound bouncer at a nice club. In this scenario, you're always the VIP, and you always have access. Just like a real club, though, there is always a way (or ways) for unwanted guests to sneak in.
Password-based security has seen its share of problems from the very beginning. Hackers have been getting into other people's stuff for years. But the main problem lies not in availability of a solution, but in correct implementation of one. It's not much help to have an industrial-grade, titanium, pick-proof lock if you don't use it.
While there's not a lot you can do about the security practices of a particular website, you can do something about the strength and security of your keys (i.e. passwords). Here are a few helpful dos and don'ts:
- Repeating passwords you use with other accounts
- Using common passwords, including popular words, phrases, or substitutions
- Passwords that include personal information
- Leaving your password written down somewhere "convenient," like on a sticky note attached to your computer monitor
- Websites that return your actual password when you use the "forgot password" button i.e., any place that is storing your password the way you gave it to them is not doing you any favors (we’ll explain below)
- Longer passwords
- Random or uncommon passwords
- A reliable and secure password manager (see our list of examples down below)
- Different passwords for every account
- Either passwords that are easy to remember, or that can be written down and kept in a safe place (like your wallet)
The "Scenic Route" Answer
It's a pretty universal concept that if there's something valuable, someone will want to steal it. You may be able to get away with leaving your car and your home unlocked overnight in a really small town, but that's not the case in a bigger city. The more people who could potentially access the valuable item, the more security it needs. Since the internet is essentially just one, giant, digital city where everyone's within driving distance of your home(page), valuables on the net need constant security.
So how do we achieve that security? Simple. We do the same thing we do to keep physical things safe: we lock it up.
For better or for worse, if a hacker wants your stuff, they have to somehow address the problem that "lock" presents. There are ways around the lock, though, so dealing with hacker depends on the methods they are using. As a result, we'll be alternating the discussion here between what hackers do and what the industry does to fight back. Once you have a good understanding of the war that is being fought, we'll sum things up and arm you with the weapons you'll need to fight the battles that are relevant to you.
Stealing Your Password
If someone only wants your password, there are a number of ways to get it. If that hacker doesn't have direct access to your machine, the two most common methods they might use to access your profiles are the ones listed below.
"We can do this the easy way, or the hard way," is a phrase that applies here. Just like the name implies, "brute force" password cracking is the "hard way." This involves exhausting every possible combination of characters that the password could be. This isn't usually done by hand. Instead, programs are designed and run on computers specialized to do jobs just like this. Really good brute force computers can run tens of billions of guesses a second.
A dictionary is really just a collection of words. A dictionary attack is when you take those words and use them as guesses for someone's password. Typically, dictionary attacks use lists of potential passwords, starting with dictionary words (hence the name). And not just words from one language; these things tend to be multilingual. From there, they include common word combinations; nursery rhymes, cliches, lines from literature, song lyrics, etc..
Then they add common numbers and symbols, and that goes for substitutions as well. Then, they include passwords that have been used, or are already in use. Once all of that is covered, they toss in potential passwords: combinations of words, numbers, and symbols that seem likely. These things are comprehensive—they have to be, to be effective. And they are effective.
Unlike brute force attacks, dictionary attacks don't aim at the password so much as they aim at the mind that created it. Humans aren't very good at "random", so the passwords we come up with aren't random either. We come up with things that make sense to us, things we can remember. And it is this predictability that dictionary attacks exploit.
Hackers are well aware that, given the choice, we're not going to use a random string like
klInfEM83Dmspz#0g. We'll probably use something like the name of our favorite character, from our favorite movie ("0B1-k3nob1"). That means hackers both dramatically increase their chances of cracking our passwords and reduce the time it takes if, for instance, they include a comprehensive list of popular movie character names to use as guesses.
Almost always, a hacker will use a dictionary attack first, following up with brute force only once the dictionary is exhausted.
It's not often that a hacker is only after one password. Typically, they're after the big score. They don't just want access to your stuff, they want access to everybody's stuff. Trying to login through the front door in this case isn’t a feasible option for several reasons.
First, it takes longer. You're stuck running your password cracking programs on the login page over and over again. This gets worse if there's any sort of sluggishness in the internet connection, or in the website server's speed as it processes login requests. Additionally, many websites now lock users out after multiple failed login attempts. Setting a limit at ten login attempts really shuts hackers down before they can get warmed up (remember the "tens of billions" attempts that we mentioned to you earlier?).
And last but not least, if you're trying to get the password for a random stranger, chances are, you're going to need their username, in addition to getting their password. Their solution here is to just reach into the cookie jar and take what you want.
Often, websites will spent a great deal of effort fortifying the front door of the website (the login page), but will neglect side and rear entrances, so to speak. A talented hacker can often find holes in the code, getting into the website's files directly, and stealing the one that has all the user logins. Once he's in possession of all the usernames and passwords, no more hacking is necessary. Just simply plug in the username and password you need, and hit enter.
Most often, when you hear of electronic security breaches, this is what has happened—login information has been stolen in order to gain access to user accounts.
Cryptography and Password Security
Obviously, we can't let the hackers just waltz in and take our stuff. So in order to defend ourselves, we've come up with a couple of tricks. Now on the individual front, longer passwords will help deal with brute force attacks, and more unique passwords will help deal with dictionary attacks. We'll discuss the how and why of that later. Right now, it's important to know what websites are doing to deal with those pesky security breaches.
When you're protecting a physical object (like, say, a bike) the important detail is not losing the object. So security focuses on retention. Locking the bike to a post, bringing it in the house, or putting it in the shed, are all methods of hiding the object and denying access to it. When you're trying to protect your information, security shifts some of its focus from denying access to running interference—keeping the thief from being able to use what he steals.
A common method for this (and one that's used frequently in internet communication) is encryption. Encryption is when information or data is taken and turn it into secret agent code, and only those with the proper decoder ring can read it. Imagine you want to protect your bike, and you know for sure people are going to try to steal it. People like "Steve", and if you knew Steve, you wouldn't like him much.
So you to protect your bike, you don't just lock it up, you also remove one of the tires. You not only limit access to the bike, you make it useless in the event that it is stolen.
The problem with encryption is that it's designed to be undone. Obviously, you want to be able to use your bike again, so you only removed the tire. But removing the tire is something that can be reversed by anyone who has a tire of the corresponding size (in cryptography, we'd call that an "encryption key").
That same ease of use that makes the bike easy for you to reassemble also means that all Steve needs to do is bring a tire with him. Suddenly, he's stealing your bike and enjoying it, all despite your efforts.
The Hash Function
So let's say you really don't like thieves like Steve. Enough that you don't even care about the bike anymore; you just don't want someone else to have it. So you disassemble it. Then you reassemble it...as abstract, postmodern art. Then you lock it up. Now, when Steve and his buddies come, instead of finding a bike to steal they'll see something only Dr. Frankenstein could appreciate.
This metaphor represents what’s called a "hash function," or simply "hashing." Hashing is when you take a piece of information (like a password) and process it with some very complicated math. It's used for a lot of different things, but the use of a "cryptographic hash" has become pretty widespread in keeping information secret.
The advantage of hashes is this: hashing is a one-way function. Once you process the data, there's no getting it back. It's done by using something called "modular arithmetic," which is like division, but different. In division, you take a number like 55, insert a number like 10 into it as many times as possible, and you end up with the result of "55 ÷ 10 = 5 remainder 5." In modular arithmetic, you do the same thing, but when you reach the result you're only concerned with the remainder, 5.
Unlike division, which can be reversed (if you know the result of 5.5, and that the number was divided by 10, you can multiply the former by the latter, and get 55), modding a number only leaves you with the remainder, which could be produced by any number of inputs. Mod 10 could produce a remainder of 5 from 55, 105, or 9005, and so on.
Like mixing paint, the byproduct of the process is one of indeterminate sources. Any number of inputs could have sired the confusing result you receive on the other end. That’s the beauty of using hashing as a tool of cryptographic security.
Now you're probably thinking, "What good is that? If it's irrevocably changed, how do I use it?" Well, hashes are typically used not for keeping data that needs to be reused, but instead for altering or destroying data. You use it if you don't need the data back, but don't want anyone else to have it.
Passwords are an example. If a website stores a password, that password can be stolen. But, if a website hashes the password first and store the hash value instead of the original, then even if it’s stolen it's unidentifiable. Even if a hacker manages to steal it, all they get is "8743b52063cd84097a65d1633f5c74f5." There's no way for them to know that your password is really "mykittysnameispurrsula."
"But if my password is scrambled by hashing it, how am I still able to log in?" Easy. When you login, a website will hash the password you enter all over again. Then they compared the hash value of the password you just entered to the hash value they have on file. If those two hashes match, they let you in. There's a variety of methods a website might use for hashing, but once they pick a system, they are consistent. That means that "mykittysnameispurrsula" will hash to the same value every time.
Be warned, not all websites hash the passwords that are entered into them. You can tell the difference pretty easily—if you hit "forgot password" and instead of giving you your original one, a website gives you a temporary password and tells you to reset it, they've only kept the hash. If the website sends you the actual password you entered, they are not hashing. Stay clear of websites that store your password in plaintext (meaning without hashing or encrypting it); you'll be in rough shape if anyone ever breaches their security.
Hashing and Rainbow Tables
Ever tried to keep out a swarm of ants? They're tenacious. Every time you close a hole, or spray some bug killer, they just find a new way in. Eventually, you break down and call the exterminator to end the problem once and for all. You can’t exactly call Terminex on an annoying human being, even if they’re a hacker.
Still, the bug thing is a good analogy for how indefatigable and insidious a hacker's intrusion attempts can be.
Even in the face of added security and password hashing, hackers can still find a way. You see, a hash's greatest strength is also its greatest weakness: if the resulting "paint color" could come from any number of sources, then there is more than one source that will get you in. Hackers don't necessarily have to guess your password, they just have to find a password that produces the same hash. This is called a "collision".
If a hacker manages to breach security and steal the file containing the password hashes, all they have is hashes. But they also have all the time in the world to try and crack the passwords. And while they can't simply reverse what was done to the password, as you could with encryption, what they can do is try to reproduce the hash value. If they know the hash function that was used to create a password hash, they can start plugging things into that function, until they find something that produces the same hash as your password.
What's worse, most passwords are things that are common and make sense, so dictionary attacks are easier. So try to minimize password recycling (probably one of the few times you'll be told not to recycle). Otherwise, when they crack your password, they'll potentially have access to other profiles you use that password with, like Facebook, or your bank account.
How, exactly, do they beat the hash, you ask? Well, they can do it like a normal dictionary attack, plugging things in one at a time, and seeing what sticks. But most serious hackers will construct what's called a "rainbow table."
Rainbow tables are pre-hashed lists. They're composed of the kinds of words that normally go into a dictionary attack (common words from multiple languages, popular passwords, regularly used numbers/symbols/substitutions/abbreviations, and so forth). Then, those entries are hashed, prior to stealing the file from the website. That way, even before they begin cracking, the hackers have an extensive list of all the hash values of all the most common possibilities. Then, all they have to do is compare. If they find a match, bingo, they have your password.
All passwords that are too short are potential victims of a rainbow table. The shorter your password, the more likely it is that it's on their table. On the flip side, since the tables can only calculate out so far and hold so much, a long password (even if it uses common words) can serve you better than something short. A longer password also helps because when the rainbow table fails, the hacker is likely to attempt a brute force attack—a tactic that works really well on very short passwords, but not so well on really long ones.
Security Seasonings: Salts and Peppers
In response to things like rainbow tables, there are a couple of things that can be added to the use of a hash to make it even stronger. They're called "salts" and "peppers." Because, hey, who doesn't like a properly seasoned hash?
Salts are additional values that are added to your password before it is hashed. Sometimes, they are hashes of things like the email of the user, though random values are usually a better alternative. By making this addition, the resulting hash value is altered, obfuscating the hash and making it even harder to crack. The hacker not only needs to make a table or generator to test every possibility for the primary hash, it has to test every password possibility paired with every salt possibility.
This becomes problematic for the hacker, and beyond a certain salt length their rainbow tables just can't hold all of the information. This stops the hacks in their tracks, so to speak. Sometimes, though, even salts aren't enough, so defending the data means making the hash even spicier.
Peppers are similar to salts; they are hash values that are generated when the password is created. Unlike salts, however, peppers are created randomly, i.e., they're not generated from a key. A salt might be made by hashing the email of the user. A pepper is hashed from a random key, and that key isn't even stored with the result information, like the salt is.
In other words when a salt is generated, the website stores that information, and when you go to login, it performs the hash all over again, checking the current value against the one on file. When a pepper is created, it's created randomly, then tacked on to the rest of the hash value, immediately forgetting what it was hashed from.
In case you're wondering, you're still able to access your account because peppers are generated from a much smaller set of possibilities. Usually this is one byte: 256 possible values. That means for someone with the correct login information, there's only an additional 255 values a computer has to check to get you in, effectively child's play to the machine.
That may not seem like much security to add, but if there's 50 million possibilities (and that’s very conservative) for the hash key, multiplied by 20 million possibilities for the salt key, then multiplying by 256 options turns 1 billion into 256 billion. Meanwhile, if you have the right password and email, then 256 billion possibilities suddenly becomes 256. A quick check eliminates 255 variables, leaving the login system with the correct pepper, and the user is logged in.
Increasing Password Strength: Key Stretching
There's something else that a website can do to turn the odds in their favor. It's called "key stretching." Key stretching is a methodology that "stretches" a short or weak key, and makes it harder to crack. Technically speaking, under this definition, salts and peppers count, but they're unique cases and we've already covered them, so we'll focus on a different kind of stretching.
Key stretching strengthens keys by making the cracking process take longer. Now, we don't mean just making it harder to crack. We mean actually stretching the process of checking each individual crack attempt. A typical example of key stretching is when a cryptographic hash function is repetitively applied to the key, meaning that each entry must be processed that many times.
A normal user doesn't have to wait long—even if verifying the password takes five seconds, it's the right password, so it only has to be done once. And what's five seconds to us? At worst, we grumble a bit and hit the refresh button. But someone attempting a brute force attack where every possible option is attempted in an effort to find the right one? This can make things take a long time. Even rainbow tables will struggle against key stretching—not because cracking isn't possible, but because it takes a painfully long time.
Repetitive hash iterations, used in conjunction with salts and peppers, can be a formidable Force for good in the galaxy.
Problems with Password Security
The biggest problem in keeping passwords secure is that many websites don't use appropriate security measures. Not every website uses hashes, and even fewer salt or pepper the hash. This leaves your passwords vulnerable (and unseasoned).
That's not all. Beyond being negligent with their security, websites are often openly sabotaging the security of your passwords.
Anytime website requires you to use certain characters in your password, they are limiting the possibilities for your password. Instead of allowing you to use what makes sense to you (which may very well be unique enough to fool dictionary attacks and rainbow tables), they force you to modify your password in predictable ways. Here’s what those restrictions produce:
- Numbers (most commonly "1") at the beginning or end of the password
- Capitalized letters at the beginning of the password
- Common substitutions (@=a, 3=e, 1=i, $=s, etc.)
And many more. These are predictable patterns. And if it's a predictable pattern, a dictionary attack can guess it.
Moreover, if you're forced to bow to some of these silly restrictions, odds are you going to make a couple of faux paxs that will really hurt you. First, you'll tend to make dumbed down passwords, since you're so frustrated with the system. These simpler passwords are, wouldn't you know it, easier to guess.
You're also more likely to recycle passwords, since you don't want to have to deal with coming up with more than one ridiculous password. Each time you run into another one of these, you'll be strongly tempted to just reuse a password that fits the bill that you’ve already memorized, rather than come up with a new one.
The worst part is, it doesn’t even really enhance the security of your password.
It's pretty simple: each character adds as much variation as there are options of that kind. There are 10 digits, there are 26 letters. Ergo, if you add a number you are multiplying complexity of the password by a factor of ten. If you add an extra letter, you're multiplying by a factor of 26. You will always get the most complexity by adding one more letter.
How to Make Passwords Hard to Crack
We mentioned already that the primary two methods of password cracking are brute force and dictionary attacks. Defending against them requires different things, and that's based on what hackers are doing to try and break through.
Brute-force cracking checks every character with every possibility until it's cracked. It starts with "a" and goes all the way to "zzzzzzzzzzz" (and so on, plus all those pesky capitals, numbers, symbols, etc.). Because it's checking every possibility, it's obviously easier to deal with shorter passwords than it is to deal with longer ones. A password of "aa" will be guessed in in 26*26 tries, or 676. Even at something as low as 100 guesses a second, it would take the computer less than seven seconds to crack the password.
The answer? Have a longer password.
Expanding on our example, a password of "aaaaaaaaaaa" means a possible 3,670,344,486,987,776 (that's 3.6 quadrillion) attempts, with an average of about half that (1.8 quadrillion). That's much better than 676. And as we mentioned above, each character you add multiplies by the possible values in its set (ten numbers, 26 letters, "x" number of symbols, and so on). So by that logic, you'll gain more with one more letter, than with one more of anything else.
Dictionary attacks check likely answers, as opposed to every answer. Dictionary attacks try to think like a human, making attempts based on the kinds of passwords that humans predictably use. So what would be a clever password against a brute force attack (see the "a" passwords above) may not be a clever password to protect against dictionary attacks. Even when dealing with hashes, rainbow tables succeed by beating the human who set the password, not the algorithm that hashed it.
With a dictionary attack, the key is uniqueness. The less common or predictable the password, the better. Sometimes this is interpreted as "make a password that is a jumble of letters and symbols that's fairly long and makes no sense." This can create some of the same problems as password requirements. You simplify and make more predictable. You repeat passwords. You might even record the password somewhere, since you can’t remember a jumble of random characters.
If that somewhere is a piece of paper in your wallet, great! If it's a post-it note attached to your monitor, shame on you.
While these nonsense passwords technically work, you don't want to be caught making those resulting mistakes. So either make sure you’re using them right, or use something different, like in the comic above.
Using a random combination of words, or even a sufficiently long and unique phrase, can be as effective as the random jumble method. The secret is making sure it's longer, and it's unique. The longer and more unique you can make it, the more effective it will be. So include that word you made up in fifth grade. Or that magic word your seven-year-old invented. Add that one word in Hmong you know. If you google that word, and it doesn't come back in the search results, you’re on to something.
As a final note to those of you who mess with that encryption stuff we mentioned earlier, you need to be careful anytime passwords are used to generate cryptographic keys. Since there's often no randomizing variable between the password and the key used to decrypt information, it's a simple matter of checking possible passwords and seeing which one succeeds in decrypting the data.
A smarter method would be to process the password in some fashion (such as by hashing it), then using that altered and partially randomized value to encrypt the data. Either way, if encryption is somehow dependant on your password, make sure it’s a good one.
Managing Your Passwords
If you're feeling overwhelmed at this point, you should know that you don't have to fight these battles alone. There are tools that can help you make all of this happen. We're going to discuss two big ones here, to get you started. Both are tools for generating those passwords (coming up with a new one every time can be a pain, after all), and one of them even helps you keep track of them all. Between them, you should be able to find what you need to start building smart password security.
Dicewords is a name that's pretty self-explanatory. It's a method of password generation that, quite simply, uses dice rolls to pick words. It's all based on a six-sided die (called a d6). It gives it a couple of rolls, and then compares the result to a table of words, each with preassigned numbers. This randomizes the word-choosing process, enhancing the unpredictability of the password.
Typically, diceware use baselines of four or five-word passwords, with words averaging five letters, and never shorter than four letters. This gives an average of around 20 characters, and even when they’re entirely comprised of lower-case letters, that gives you a password entropy (an estimation of how difficult a password is to crack, corresponding to how many guesses it would take) that requires so many tries you need to use an "e" to write the number down.
Diceware is easy to find, and it's usually free. Even the xkcd comic above spawned a number of password generators that are free to use. You'll find they're remarkably easy to remember, and often, they're also easier to type in than the ones you're used to using.
Password managers are fun programs designed to keep all of your passwords in one place. They vary in their setup—some are programs you install on your computer, some are apps, some are web browser extensions, and the list goes on. All of them have the same purpose: to make sure you never forget a password again.
The system is pretty straightforward. First, you set up a profile by setting a master password. This one you have to provide yourself (maybe use diceware to generate one for you, or come up with your own; just don’t use a line from Shakespeare since famous quotes are easy to guess). Make sure it’s one you can remember, or one you can keep track of.
After you're inside the program, most password managers will let you set up login information for websites that you have a profile on. Some even have a function where they can login for you. You may never need to even know your passwords, just as long as you remember your master password that gives you access to the password manager.
With password managers, you can keep track of all those cumbersome passwords with ridiculous requirements. Or those usernames you created but only use once a year and keep forgetting. Depending on the program, you may even be able to finally keep track of those pesky PINs that you have to keep changing, because you can never remember them. The world is your oyster once you get a password manager involved.
Many password managers even let you generate secure, random passwords, so you don't even have to bother with diceware (though diceware is often what's used to generate the passwords). The point is, the whole reason behind a password manager is to leave you with only one password to generate and remember: the master password.
The following is a sampling of these delightful tools, that can be indispensible in helping you keep everything together:
- Sticky Password
You may feel like some of this information doesn't directly apply to you, but trust us, this is stuff you need to know. It wouldn't do any of us any real good for us to say "have longer passwords", unless you knew what was going on, and what was at stake. Hackers aren't breaking in through your login. They are using very advanced programs and some pretty impressive hardware to pull down a whole list of passwords, and cracking them all at once.
You need to be protecting yourself, because many websites won't do it for you, and those that do try to protect you can't do it perfectly. So here's the summation of best practices for passwords that you can use to protect your profiles online.Password Don'ts:
- Short passwords
- Predictable passwords (this includes popular, repetitious, or overly simple passwords)
- Passwords based on personal information
- Recycled passwords
- Passwords based on famous quotes, common phrases, or things popular or common
- Using websites that store your password in plaintext
- Leaving your password written somewhere that's easily accessible (that includes the drawer in your desk with the weak lock)
- Sharing your passwords with others
- Emailing or otherwise storing your password and login information in plaintext
- Using a password as the basis for an encryption key (especially if the password contains any of the above)
- Use longer passwords
- Use unique passwords
- As many separate passwords as possible
- Password managers
- Hashing, salts, peppers, and key stretching
These lists weren't meant to be comprehensive, but they were meant to help you tighten up your password security. This is serious business. You protect a lot of things with passwords: bank accounts, federal student aid, Amazon purchases, Twitter account, the list goes on. Bottom line, you can be saved from the Dark Side. And we can help.
Contact us if you have any questions about this, or if you want further advice on how to keep your passwords secure. We've got a crack team of developers on staff, and they know what it takes to keep things locked down.
So remember your training, and trust your feelings; follow this advice and soon enough people will say of you "The Password is strong with this one."