Ah, passwords. Frustrating to remember, bothersome to recover, yet a rather thin guard for all of your privacy. Although alternatives are being explored, passwords are here to stay for now. So let’s talk about how to make the most out of them.
The Tale of Passwords
When you sign up for a service like Facebook with an email and password, the site doesn’t actually store your password as is (called plaintext). Yet it somehow knows when you enter an incorrect password the next time you attempt a login. What the company keeps is a hash of your password. A hash function is an irreversible, one-way transformation such that the same input always produces the same output. For example, the remainder operation is a very simple hash function: 12 divided by 10 always has remainder 2, but given only the 2, you cannot know whether the starting number was 12. If you were thinking that there are infinitely many numbers with remainder 2 when divided by 10 (2, 12, 22, etc.), you’re absolutely correct! This is true for practical hash functions, too. Because there is an infinite number of possible passwords and hashes have a fixed length, the passwords of two different users might produce the same hash (called a collision). But hash functions are designed to make collisions extremely unlikely, and password hashes are associated with the users’ emails, so we can treat each hash as unique to its password. Thus, a service can verify a login by hashing the password you typed and comparing it to the stored hash.
The hash functions used on passwords are, of course, much more complex than a remainder operation. There are public competitions in computer security, and researchers dedicate years to strengthening these algorithms. It’s incredibly difficult for an attacker to crack any single password without other hints or foreknowledge. Great! So we can all choose a password, slap it on, and move on. What’s the problem?
Since an attacker cannot reverse a hash into the original password, the only way in is to try countless inputs and see which one produces the same hash. The first and most naive approach is a brute-force attack that simply tries them all. For a typical four-digit combination lock, the equivalent is trying 0000, 0001, 0002, and so on up to 9999. Such an approach actually works reasonably well against password types with few possible inputs, assuming the attacker has unlimited attempts without penalties (a phone unlock attempt, for example, is penalized after a few failures).
But most websites require more than just four numbers, and attackers have other tricks up their sleeves. In a dictionary attack, attackers make more educated guesses by compiling a dictionary of common and likely passwords. If you’ve ever felt clever about coming up with a password along the lines of “password,” “0000,” or “ ” (a single space), the slightly good news is that you’re not alone; the bad news is that you’re not alone. According to the Huffington Post, the most popular password of 2016 was “123456,” and you can be assured that one is on the attacker’s list. It’s in your best interest to make your passwords completely random and therefore unguessable.
Widely used, strong hashing algorithms are all open source and publicly available, so that the community can verify and test that they are trustworthy. However, this also means that malicious actors have access to them. A rainbow table attack precomputes a massive table of passwords and their hashes, then compares those against users’ password hashes to find a match.
1. Make passwords completely random!
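To make the “store a hash, then re-hash and compare at login” idea concrete, here is an added example (not code from the original post) of how a service might do it. It goes one step beyond the text: each user gets a random salt and a deliberately slow hash (PBKDF2), which is the standard defence against the precomputed rainbow tables described above. The `USERS` table and the email addresses are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory "user table" (constructed for this example).
# Each entry stores only the salt and the hash, never the password itself.
USERS = {}

ITERATIONS = 100_000  # work factor: every guess an attacker makes costs this much


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 repeats HMAC-SHA256 many times; same (password, salt) -> same output
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt for every user
    USERS[email] = (salt, hash_password(password, salt))


def login(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    # Recompute the hash from the submitted password and compare to the stored one.
    # compare_digest avoids leaking timing information about where they differ.
    return hmac.compare_digest(stored, hash_password(password, salt))


def same_password_same_hash(email_a: str, email_b: str) -> bool:
    # Two users with identical passwords still get different stored hashes,
    # because each has its own salt; a precomputed table of unsalted hashes
    # would match neither entry.
    return USERS[email_a][1] == USERS[email_b][1]


if __name__ == "__main__":
    register("alice@example.com", "123456")
    register("bob@example.com", "123456")
    print(login("alice@example.com", "123456"))   # True
    print(login("alice@example.com", "12345"))    # False
    print(same_password_same_hash("alice@example.com", "bob@example.com"))  # False
```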
Myth Busters: "Complex” Passwords
We’ve all seen them: password must be at least 8 characters in length, include an uppercase letter, blah blah blah. To show why these types of requirements are not as desirable as you might initially think, let’s play a small game. You pick any number of cards, repeats allowed, from a deck, and I try to guess the cards you chose in the correct order. Except, the dealer says you must pick at least 8 cards, of which one is a face card, one is a number card, and one is a spade. Wait, did that make the guessing game any harder for me? It actually made it easier, because now I can skip all the sequences of 1 to 7 cards, and all the ones without a face card, a number card, or a spade.
Similarly, password restrictions help attackers by shrinking the possible input space. These rules appear to make passwords safer, but mostly they make them harder for people to remember. Unfortunately, computers don’t find an uppercase letter any harder to try than a lowercase one. This pitfall isn’t the users’ fault, but it’s useful to keep in mind. It’s safer to make passwords longer than shorter, because trying all possible 3-character strings is much faster than trying all possible 20-character strings.
2. The longer the password, the better.
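The card-game argument can be put into numbers. The following is an added example (not part of the original post) that counts how many guesses an attacker faces under an “8 characters, must include upper, lower and digit” rule versus a longer lowercase-only password; the class sizes (26, 26, 10) and the lengths 8 and 12 are assumptions chosen for illustration.

```python
from itertools import combinations

# Character classes (constructed sizes): lowercase, uppercase, digits
LOWER, UPPER, DIGIT = 26, 26, 10


def all_strings(length: int, alphabet_size: int) -> int:
    """Every string of exactly `length` symbols over an alphabet of that size."""
    return alphabet_size ** length


def strings_using_every_class(length: int, classes: tuple) -> int:
    """Strings of `length` over the union of `classes` that contain at least one
    symbol from each class. Inclusion-exclusion over the classes that are
    *missing*: subtract strings avoiding one class, add back those avoiding
    two, and so on."""
    alphabet_size = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(range(len(classes)), k):
            remaining = alphabet_size - sum(classes[i] for i in missing)
            count += (-1) ** k * remaining ** length
    return count


def compare_policies(complex_length: int = 8, simple_length: int = 12) -> dict:
    """Worst-case guesses under two policies: the "complex" rule (mixed case +
    digit, exactly `complex_length` chars) versus a longer, lowercase-only
    password of `simple_length` chars."""
    unrestricted = all_strings(complex_length, LOWER + UPPER + DIGIT)
    restricted = strings_using_every_class(complex_length, (LOWER, UPPER, DIGIT))
    longer_lower = all_strings(simple_length, LOWER)
    return {
        "unrestricted_8": unrestricted,
        "complex_rule_8": restricted,           # the rule removes ~27% of the space
        "fraction_kept_by_rule": restricted / unrestricted,
        "lowercase_only_12": longer_lower,      # far larger despite no "complexity"
        "longer_is_times_larger": longer_lower / restricted,
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        if isinstance(value, float):
            print(f"{name:>24}: {value:,.3f}")
        else:
            print(f"{name:>24}: {value:,}")
```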
A Leaked Secret is No Secret!
In the rainbow table attack description, I made a critical assumption: the attacker somehow got hold of the list of user hashes. Even with strong hashing algorithms, security measures, and extensive testing, data breaches happen. Systems are built by humans, mistakes get through, and there are malicious actors out there working just as hard to exploit these vulnerabilities as good people are working to prevent them. The breaches in the news are just the large ones that were detected; there may be silent attacks we don’t even know of. And that assumes the company tried and merely made a mistake. How can you trust that the company is even trying to employ good security practices at all? As a user, you have no idea whether a given service hashes your password or not.
The best solution is prevention, because once information has leaked, the damage is permanent. And the best form of prevention is to limit the domino effect by using a different password for every service. It would be ridiculous to use the same key for your house, car, vault, and every other lock in your life. Although cracking passwords today isn’t easy, if your one and only password is cracked, the attacker gains access to your entire Internet presence.
3. Never reuse passwords!
The Verdict: Password Managers and 2FA
So passwords should be long, completely random strings, and different for every site. What a pain. Well… maybe not. The resounding recommendation within the security community is to use a password manager. It generates and keeps random passwords, and the only one you have to remember is the master key, which you should never tell anyone (not even your mom!). Some products have bookmarks that open the site and log you in automatically, or can change all of your passwords if a big breach happens. Most password managers’ monthly fee is less than a single cup of coffee.
You can go further by using two-factor authentication (2FA) on sites that support it. Download a certified authenticator app and register your phone. The app cycles through a new code every 20 seconds or so, and you simply enter the current code as a secondary authentication step during login. This may seem like a nuisance, but most of the time you’ll already be logged into your commonly used services.
Golgowski, Nina. “The Most Common Passwords In 2016 Are Truly Terrible.” Huffington Post.
Infosec Institute. “Password Security: Complexity vs. Length.”
Monica, Diogo. “Password Security: Why the horse battery staple is not correct.”
Perry, Christopher. “Quick Tip: The Dangers of Password Reuse.”