Passwords And Their Security
This article is going to cover password security and why it's so important. I'll cover an introduction to password attacks people use to try and guess your passwords. Finally, I'll give a suggestion on how to protect yourself against these attacks.
Long and Complicated?
Many people often wonder why it's so necessary to have "long, complicated" passwords. Those same people may even wonder what that means exactly. And honestly, what it means has changed over time.
Why have we needed to create more and more complex passwords over time? Basically it comes down to the fact that computers have gotten faster. They're able to compute data at much greater speeds than previously, and in much smaller forms (think about how a smart phone is basically a computer that fits in your pocket). This means that attackers can utilize complex attacks without having to buy million dollar machines.
In the first big boom of consumers using computers, professionals suggested having a password of about 6 characters long, and all lowercase was fine. Some time passed and then we needed to add uppercase, numbers, and eventually special characters. This video by comedian Michael McIntyre can help explain the progression in a more comedic way.
Basic Password Attacks
As computing power has become cheaper and cheaper, more and more types of password attacks have developed as well. This also added to the need to make passwords more complicated. A method called a brute force attack tells the computer to guess a person's password by trying every possible combination. It might start at "aaaa" then progress to "aaab" then to "aaac" and so on. As you can imagine, it would take a while to do that. It would require thousands of guesses, or even millions and billions if the password has more characters. As fast as computers are nowadays, they can churn out thousands of guesses in a fairly short amount of time.
Another method involves a pre-set list of words that the computer goes through guessing. We call this method a dictionary attack. This preset list of words not only focuses on actual dictionary words (hence the name), but it also goes through previously common passwords. Passwords like 1234, password, P@ssw0rd, and others would be included in these "dictionary" files because they have been proven to be quite commonly used by people.
Now, both of these attacks require quite a lot of computing work because the computer converts each password guess into a "hidden message" called a hash. A hash is basically a special string of numbers and/or characters computed from the password, and for a given algorithm the hash value is always the same length no matter how long the password is. Some hash algorithms that you may come across are MD5 and SHA256. Realistically, with the two methods mentioned so far, "brute force" and "dictionary" attacks, the attacker's computer would be guessing the password, converting it into a hash (hidden message), and then attempting to use it or find a match. There's much more to it than what I've explained, but that's a very basic way of looking at it.
A More Complicated Attack - Rainbow Table
Once you understand the idea of a hash, there's another method attackers use called a rainbow table. This method of attack helps reduce the amount of computing (changing password guesses to hashes) by having a list of pre-calculated hashes to use. This allows for the attacker to have a file that has a much larger number of password guesses that their own computer doesn't need to calculate/compute. It allows them to make more guesses on your password in a shorter amount of time.
Timing
Sometimes it might be hard trying to figure out the length, combination, or necessary characters needed to make your password safe. There's actually a very helpful image that I came across which might help guide you with that. Here is the image.
As we can see from this diagram, a password like paSswoRd is 8 characters long and has lower case and upper case letters. Based on the chart, an attacker would guess this password in just 3 hours. Keep in mind that computers continue to get faster each year, so the specific numbers in these measurements may already be obsolete. Regardless, it helps to get a gauge of which formats are stronger.
Another aspect people struggle with, especially when using special characters like &, ;, ?, $, # is making a password that is memorable. Trying to remember several different passwords that look like Kas$230Lap@3 can be difficult and it tends to prompt people to write their passwords down, which isn't a great idea either.
Possible Solutions
For websites, apps, or other tools that don't specifically require a special character, try simply using a long password with lower case, upper case, and numbers. **Don't specifically use the example I'm about to give.** You could make a password using some sort of phrase that will be easier to remember. A password like WeArePeople2020 would fulfill those requirements. A password like this would be fairly easy to remember as it mimics a phrase or sentence. It is exactly 15 characters and uses lower case, upper case, and numbers. According to the password chart shown previously, it would take an attacker roughly 97 billion years to crack this password. I don't know any attacker willing to wait quite that long.
With passphrases as your password, please make sure to not use something that is very famous like "ImALittleTeapot4." Famous sayings or passphrases could potentially be part of a dictionary file or rainbow table as attackers could be hoping somebody uses them.
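To make the timing chart and the dictionary warning concrete, here is a small estimator I've added for this article (it is not from the chart's authors or any password tool). It counts the character classes in a password, computes the brute-force search space the chart is built on, and first checks the password against a constructed, case-insensitive stand-in for a "dictionary" file; the guess rate is an assumed figure you should replace with whatever hardware you are modelling.

```python
import string

# Constructed stand-in for a "dictionary" file of commonly used passwords
# (a few entries only; real wordlists hold millions). Compared case-insensitively.
COMMON_PASSWORDS = {"1234", "password", "p@ssw0rd", "qwerty", "imalittleteapot4"}

# The character classes the chart distinguishes, with their alphabet sizes.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "special": string.punctuation,     # 32
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, alphabet in CHARACTER_CLASSES.items()
            if any(ch in alphabet for ch in password)}


def keyspace(password):
    """Candidates a brute-force search of this length and class mix must cover.

    Each extra class enlarges the per-position alphabet; each extra character
    multiplies the whole space by the alphabet size (the chart's model).
    """
    alphabet_size = sum(len(CHARACTER_CLASSES[n]) for n in classes_used(password))
    return alphabet_size ** len(password)


def assess(password, guesses_per_second=1e10):
    """Summarise how the two attacks in the article would fare against a password.

    guesses_per_second is an assumed rate (hashes per second), not a measurement.
    """
    in_dictionary = password.lower() in COMMON_PASSWORDS
    # A dictionary hit falls in the first few guesses regardless of length,
    # so the brute-force estimate does not apply to it.
    seconds = 0.0 if in_dictionary else keyspace(password) / guesses_per_second
    return {
        "in_dictionary": in_dictionary,
        "classes": classes_used(password),
        "keyspace": keyspace(password),
        "years_to_exhaust": seconds / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "paSswoRd", "Kas$230Lap@3", "WeArePeople2020"):
        print(pw, assess(pw))
```

Note that P@ssw0rd scores well on character classes yet is flagged by the dictionary check, which is exactly the point of the warning about famous passphrases.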
Another possibility is to use a password manager. Using a password manager, which is another application, you'd be able to generate lots of various passwords that look like the previous example (Kas$230Lap@3) and would store which account it belongs to for you. In some situations you may still need to remember passwords for particular websites, as I've seen a handful that use a sort of pop-up window to input the username and password and some password managers aren't able to see or manipulate them on your behalf. Try to test a few out and see which one you prefer.
I hope this has helped shed some light on the idea of long complex passwords and how it increases password security. Please feel free to do more research on the topic if anything was unclear or you want more detail. Stay safe!