Passwords - A Brief Guide


Why we need passwords

We’re living in the age of information. Our phones, laptops and credit cards hold back a flood of information sought after by criminals. With this comes the need for security: a way for you to prove your identity before being allowed access to useful information. In years past this was done solely in a physical way, in the form of locks and keys. Now, however, the number of physical valuables you keep is strongly outweighed by the number of digital valuables held on a computer somewhere in the world, be this account information, login details or even your very identity itself. Because of this, we rely on passwords. They are by far the most universally understood concept of security: “I know this combination of letters and numbers and you have no way of knowing them” (in theory), therefore if this is the only way to get to my information then you will be stuck. But there are several weaknesses and problems with this system. If I put my password somewhere that’s not safe I’ve now voided any protection the password had. On the other hand, if I make the password really secure (don’t write it down anywhere, make it really complicated, don’t allow any websites to store it etc.) I’ve just made it extremely inconvenient for me to get to my own information.

So how can someone get past this security? (I should mention I personally do not work in programming and there are certainly a large number of tools used for cracking not discussed here.)

1.    Brute force – A brute force attack involves a computer attempting every combination of a given set of characters, for example every 8-character string of lower-case letters. This will start with aaaaaaaa, then aaaaaaab, then aaaaaaac etc. until it reaches zzzzzzzz. This system is fairly quick but can be slowed down dramatically by adding extra characters.

2.    Dictionary attack – For more complicated passwords, computers attempt to guess certain things about how we choose passwords. By giving a computer a massive list of words to try first, it skips the processing power needed for every combination and jumps straight to our own lexicon. The word Password1, for example, is 9 characters and features a capital letter, lower-case letters and a number, so in terms of brute force attacks it's extremely strong. For a dictionary attack, however, this is probably right at the top of the list. Some specialists keep their own dictionaries of commonly found passwords, and these are growing, being made public and outsmarting previous systems.

3.    Rule sets – To combine a brute force style of attack with a dictionary attack, hackers can give their software a set of rules to follow during a dictionary attack, such as changing letters to capitals, adding symbols to the start and end etc. This will slow them down somewhat, but not to the extent of being unable to crack the password.

How do websites store your password?

Websites store your passwords so that when you log in they have something to compare the password to and check it's correct. If you think this means anyone working at LinkedIn can see your LinkedIn password, however, you would be incorrect. What's stored are hashed passwords rather than the actual passwords in plain text (this is where I sound like an idiot to anyone who knows programming). This, in essence, means the password is encrypted. They need to keep a list of passwords to function, but they don’t want to know them, as this is private information. The method of encryption changes as cracking software gets more sophisticated. At one stage the most common was MD5, which created a 128-bit hash. This has since become obsolete and any website still using it should upgrade its security (there are actually a large number of websites still using this at the time of writing). A quick test you can run is to request a reminder of your password. If the website you’re testing emails you a plain text version of your password, it means it has been stored in plain text and is extremely vulnerable. When you log into a website that has hashed passwords stored, the website runs the same encryption on what you’ve just typed, and if the 2 encrypted passwords match, you’re in.
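To make the hash-and-compare flow concrete, here is an added example (not from the article) that contrasts the obsolete unsalted MD5 scheme mentioned above with a salted, deliberately slow hash from Python's standard library, and shows the login-time check. The sample password and the work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration; not a real credential.
SAMPLE_PASSWORD = "Password1"
ITERATIONS = 200_000  # constructed work factor; real deployments tune this upward


def md5_store(password: str) -> str:
    """The obsolete scheme: one fast, unsalted MD5 hash of the password.
    Two users with the same password get the same hash, and MD5 is fast
    enough that a leaked list can be guessed against very cheaply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256 from hashlib). The record keeps
    the algorithm, work factor, salt and digest, so the site can recompute
    the same value at login without ever keeping the password itself."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, attempt: str) -> bool:
    """Login check: hash what the user just typed with the stored salt and
    work factor, then compare the two digests in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    # Same password stored twice: MD5 reveals the match, the salted record does not.
    print(md5_store(SAMPLE_PASSWORD) == md5_store(SAMPLE_PASSWORD))    # True
    first, second = modern_store(SAMPLE_PASSWORD), modern_store(SAMPLE_PASSWORD)
    print(first == second)                                             # False
    print(verify(first, SAMPLE_PASSWORD), verify(first, "password1"))  # True False
```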

Leaks

So you’ve definitely heard of websites leaking passwords. LinkedIn and Evernote, to name a few, have had massive leaks in recent years. As mentioned, the information leaked isn’t actually the raw password, so why worry? Well, when leaks like this happen all a hacker has to do is run brute force and dictionary attacks with various rule sets against the hashes to find all the necessary matches. Not only does this let the hacker into the original website, the passwords are then added to the dictionaries for attackers to use next time. In terms of game theory this is huge, but let's not get into that. No matter how a website stores a password it is sought after by hackers, and for this reason password storage will always be vulnerable. This is why the way a website stores passwords is arguably just as important as how good the password is.

Cross-Platform hacking

Once a hacker has your password, the next thing they will try is to use it on your other platforms. If they have your LinkedIn password they will try it on Facebook or Amazon. Most websites only allow a certain number of attempts, but if the hacker is using a botnet or similar software to trick the website, and runs this against all of their cracked passwords, it won't be long before the hacker has a series of accounts with matching passwords.

The best way to fight this is to have a really strong system set up for your passwords, so that if a website's hashes get leaked they will be too difficult for a hacker to crack, and if one is cracked it can't be used either on that website or on others.

What makes a good password?

You will have read a large combination of necessary characters for a password. Some websites demand letters and numbers, whereas some need a symbol, numbers, upper-case and lower-case letters and your favourite superhero's logo. Much as this ensures your password would be difficult to guess, it doesn’t necessarily make it dramatically more difficult for a computer to crack. What actually makes a password strong is its “entropy”, or better explained “the amount of actual information held within it”. Making a letter a capital might add an extra level of variation to the password, but really it just gives a computer a fairly predictable adjustment to attempt. When we’re talking in terms of computer processing, you’re adding an extra nanosecond, if that, to the time taken to crack your password.

How to make a good one:

1.    Use a large number of characters. At least 9, but honestly I'd say 10 – 20. This will make a brute force attack difficult.

2.    Use a combination of lower case, upper-case, symbols and numbers. This again will defend against a brute force attack. This won't necessarily help against a dictionary attack.

3.    Use a phrase that forces words together, such as horseatepinappleshoe. It makes no sense, but mathematically 4 words work better than just varied text and symbols. XKCD demonstrates this brilliantly. When doing this, the strength of the password depends on how common the words are.

4.    When using symbols and numbers, try to be unpredictable. Remember that cracking software already has rules set up. Changing an “A” to an “@” or an “L” to a “1”, for example, is predictable. So is adding numbers and symbols to the end or start of the password.

5.    Have a different password for everything. Make sure if one gets hacked the others are safe.

6.    Use a password system rather than just a good password.

7.    Change the password regularly.

8.    Do not use older and previously used passwords.
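As an added illustration (not from the article) of the entropy point made in the previous section and of the passphrase tip in step 3, this calculator compares the brute-force search space a strength meter credits a password with against the much smaller space an attacker actually searches with a dictionary plus rules. The dictionary, rule-count and word-list sizes are assumptions chosen for the demonstration.

```python
import math
import string

# Constructed, illustrative sizes (not figures from the article).
DICTIONARY_WORDS = 100_000   # common-password / word list an attacker tries first
RULES_PER_WORD = 1_000       # capitalise, append "1", swap a->@, and so on
WORD_LIST = 7_776            # size of a typical diceware-style list for passphrases


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly from an
    alphabet of `alphabet_size` characters: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def naive_bits(password: str) -> float:
    """What a typical strength meter credits: count which character
    classes appear, then assume the whole password is random over that alphabet."""
    alphabet = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in chars for c in password):
            alphabet += len(chars)
    return brute_force_bits(len(password), alphabet)


def dictionary_rule_bits(dictionary_size: int = DICTIONARY_WORDS, rule_count: int = RULES_PER_WORD) -> float:
    """Effective bits when the password is one list word with one predictable
    rule applied: the attacker tries at most dictionary_size * rule_count
    guesses, whatever the character mix looks like."""
    return math.log2(dictionary_size * rule_count)


def passphrase_bits(word_count: int, list_size: int = WORD_LIST) -> float:
    """Bits for `word_count` words drawn uniformly at random from a list."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    # "Password1" looks like ~54 bits to a meter but is really a word plus one rule.
    print(f"Password1 as brute force: {naive_bits('Password1'):.1f} bits")
    print(f"Password1 as word + rule: {dictionary_rule_bits():.1f} bits")
    print(f"4 random list words:      {passphrase_bits(4):.1f} bits")
    print(f"8 random lower-case:      {brute_force_bits(8, 26):.1f} bits")
```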

Why you need to change passwords regularly

As explained by the way passwords are stored, it's no surprise that a password has to be long, unpredictable and different on each platform. But why change the password regularly? This is the nightmare faced by anyone who works in an office and, for good reason, it's annoying. But there are a few reasons for it.

- The main reason is to make weak passwords stronger. An attacker is looking for the point of least resistance. That means if your password is impossible to crack but the person that sits beside you has password1234, then the strength of your password doesn’t matter. Even if changing passwords regularly causes yours to become slightly weaker because you need to remember it, the weakest passwords are made slightly stronger. Your company’s security is only as strong as the weakest point of entry.

- On top of this, as mentioned, the systems used to store and encrypt passwords are constantly becoming redundant. It's safe to assume that any password chosen over the past 20 years is by now in a dictionary of previously cracked passwords.

Password systems

A password system is infinitely better than just a good password. Rather than thinking of a word, you put together a series of rules that you and you alone know. In one example I saw while researching, the presenter of the video used a system where he began with the first letter of the U.S. president's surname, “W, A, J” etc. He then changed it to a capital or lower case based on whether the person was a Republican or Democrat. He then added a number which happened to be the years in service. This is a great system (but don’t use this one: having been mentioned in the video and here, it is no doubt no longer viable). Make this personal, but also not something someone can guess.

Password Managers

By now the realization that passwords are flawed should be kicking in. Not only are they by design difficult for people to think of and remember, but they’re also simple for computers to crack. Even by following all of the tips in this article and others regarding making good passwords, it's likely you’ll never remember most of them, or the ones you do remember and think are original will already have been thought of, cracked and stored in a dictionary somewhere. There is, however, hope.

Password managers are sophisticated pieces of software that store all your passwords in one place. This might make you nervous, but it shouldn’t. A password manager swaps you remembering a series of good passwords for you remembering 1 really good password. Some people reading may believe they have already done this by keeping their passwords written down or copied to a website somewhere. This is not good if the place is not designed for this function, for a number of reasons. If you keep them on a website and the website's password is really good, remember most websites store your password in a way that’s not difficult to decrypt, so it's really only as good as the website. Similarly, if this is written down you may lose the book or get robbed, which is always a concern.

Password managers work for a number of reasons:

1.    They create passwords for you that are impossible to guess. zAaA3vVOiu5dgKU#P for example.

2.    They allow you to autofill and remember these passwords on secure devices.

3.    They allow you to keep passwords separate for each platform with no extra effort.

4.    Some do not store passwords at all and the ones that do use extreme levels of encryption.

5.    It's their job to keep you secure. Facebook, LinkedIn and Google no doubt have extreme resources dedicated to security; however, that is not their main focus. Resources are also spread out to more profitable areas. A company whose sole focus is security will be much more reliable.

6.    If something goes wrong they tell you.

2 Factor Authentication

It is safe to assume that all security systems can and will fail at some point. Knowing this allows us to add an extra layer of security in case this happens.

2 Factor authentication is essentially having 1 extra step in place to prove we are who we say we are before something is allowed to happen. There are some multi-factor authentication systems that involve several extra steps, but 2 Factor is the most common for now.

This form of identification is broken up into:

- Something we know – Passwords, mother's maiden name, date of birth etc.

- Something we have – Key, phone, device etc.

- Something we are – Biometrics, thumbprints, face recognition etc.

Assuming someone has cracked your password and is attempting to log into your Facebook profile, a password alone gives them access. If, however, entry to your profile relies on a security code sent to your phone, it greatly reduces the chances of them getting access. The hacker would have to have your phone, along with the security that entails, along with the passwords for the profiles, and all this before you’ve been able to take any remedial action and prevent the hack.

Banks will often text you a code before allowing payments of large amounts to be sent. Other banks will give you a device which, through some means of security, will give you a code: a fob that generates an ever-changing code when you type in your PIN, or a card reader which needs your debit card and PIN before displaying a number.

Security in this area is getting more and more advanced, with some things needing a fingerprint or face scan as the second factor of authentication, such as Apple Pay or Google Pay.

What if it fails

As mentioned, all security systems will fail, whether you can't get past your own security or someone other than yourself can get past it.

This is where we get into the balance between convenience and security from the perspective of companies. Every company has a level of acceptable risk. This is why a password manager is better than an average website for storing passwords: a password manager's bar for acceptable risk will be extremely high, whereas a different company may allow more fraud to take place because weaker security creates a more convenient user experience.

Banks take this particularly far as they need customers to function but are at all times under attack.

In the case of a bank, you have to understand that you having access to funds means others do too. A bank could keep your money in a safe with no opening in a secure location, which would be secure, but you wouldn't have access to your money when you need it. Broadly speaking, and all banks are different, if you keep your details safe according to the policies set by your bank, they will refund you for any money lost. This is not guaranteed. Some banks need proof you weren’t at fault. If you’ve given your PIN to someone (even someone you trust and know hasn’t used it), for example, your protection is now void. Even if that person didn’t take the money, you’ve broken the contract set by the bank in regards to your security. Credit cards offer a much larger level of protection than debit cards, but as I'm not a financial advisor I can't tell you whom to go with and when this is and isn’t the case. These policies are always changing.

In regards to password managers, the more difficult the encryption that stores your password, the more difficult it will be to retrieve it if forgotten. Similarly, in some legal cases companies are forced to give customers' passwords away if requested. To get around this, some websites do not keep a copy of your password; however, this means if you forget your password you’re screwed.

When discussing companies like Equifax or LinkedIn, it's important to note how long after a breach it takes a company to disclose it and allow you to fix this. Almost all of the password manager companies I researched informed all their customers immediately if they had a breach, whereas Equifax took months. Be wary of where the weak points are and the result if it goes wrong.

Summary

Understand that passwords are outdated, terrible for humans to create and remember, easy for a computer to crack and, in terms of authentication, probably the worst for the balance between convenience and security. Buuuuuuuuuuut they are not going away any time soon. People rely on them too heavily to change, and the other systems of authentication are just not as readily available. With this in mind, you have to understand how security systems work and decide how secure you want to be. Do you want to set yourself up with security that is uncrackable but impossible to use? Or do you lean more towards ease of use? (Please also see what actual professionals say on the subject before you make any decisions.)

Thanks for reading

- Ryan

https://www.youtube.com/watch?v=u-yuSalHQhw&t=983s


  • Image Copyright XKCD
