Passwords are the most common and fundamental means of authentication in most services on the internet. You provide your password, let’s say, to a web application in order to verify who you claim to be. But let’s get real, how many passwords are you going to commit to memory, given the shed-load of web/mobile services you use?
A quick shout out! I also created a short “video version” of the article. It may not have every detail written in this post, but good enough for a quick gist of the stuff you’ll read here. Enjoy!
“Oh, I reuse my password, but before you judge me, let me tell you I use a complex one. Yeah, I am tech savvy you know!”, so you say. You see, you need to take into consideration, two things — data breaches happening left & right and increased computing power making password cracking for hackers more efficient, as efficient as making several million, perhaps even billion guesses per second. So yeah, you need to understand the gravity of the problem and have a plan for password care. Learning safe password practices is a great place to start building some internet hygiene.
HOW PASSWORD ATTACKS WORK
“Why do I even need to know this?”, you may ask. You see, comprehending how a “password attack” works would give you sufficient awareness as to why your password needs to be strong. For the sake of brevity, I’ll keep it simple. This topic would otherwise deserve an article on its own.
When you register with your username/email and password in an application, it does not store your credentials in plain text. What rather happens behind the scenes is that your credentials are converted to a cryptographic hash value. The hash depends on the algorithm being used by the application’s back-end. Your hashed password, for example, would look something like this garbage 👇
Now, following a data breach, hackers would have a huge list of these hashed password values. What would now follow is a brute-force search of every possible combination of passwords, hashing it using the same algorithm and comparing these values with the hash values that were breached. Or hackers may also resort to comparing already available hashed values of passwords from Rainbow Tables.
OKAY, SO PASSWORD CRACKERS ARE SUPER FAST, I GET IT! WHAT NOW?
Well, you create a password strong/secure/complex enough to make it hard to mathematically guess. That my friend, is measured in terms of, what is called “password entropy”. So, while there is some math to calculate entropy, I’ll keep it simple (I am crap at math).
Let’s first know the basic pool of characters a password can be made from. You could include alphabets (lower & uppercase), numbers and symbols in your password.
--> 26 possible characters- Alphabets(uppercase)
--> 26 possible characters- Numerals
--> 10 possible characters- Alphanumeric(either lower or uppercase)
--> 36 possible characters- Alphanumeric(both lower & uppercase)
--> 62 possible characters- Symbols including space
--> 33 possible characters- Total printable characters on keyboard (called ASCII)
--> 95 possible characters
So, the strength of your password depends on the number of possible permutations of a set of characters (C) and the length (number of characters) of your password (L).
Let’s say you use only lower case alphabets and 8 characters in your password. So the value of C = 26 and L = 8. The number of possible permutations/combinations needed to guess your password would be 26 to the power 8 ( C^L = 26⁸). While you can calculate how many 26⁸ is, that is 38 bits of entropy. It would take merely 5.8 hours to crack this password with a computer guessing at 10,000,000 hash/sec. However, a password with 95 possible set of characters with a length of 16 would have 95¹⁶ possible set of combinations, an entropy of 105 and would take greater than the universe’s life span to crack at 10,000,000 hash/sec!
So, understand that secure passwords have an INCREASED
- length (number of characters — this is key) and
- number of possible characters (alphabets, numbers and symbols)
PASSPHRASES TO THE RESCUE
Now, if you follow the above rules, you could create a robust password but one you may have difficulty remembering. Add to this, the number of applications/websites/services you have an account in. Torture, literally!
Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
Complexity here refers to the number of possible characters. Well, you see, even if you have a just alphabets in your password without any numerals or symbols, merely increasing its length would increase its entropy. And that’s why “passphrases” are a better alternative (only because they are easier to remember). Pass phrases are a collection of random dictionary words clubbed together, for example — “kingdombookcoatumbrellaashtrayapple”. Note that I clubbed 6 random words-> kingdom, book, coat, umbrella, ashtray and apple. This passphrase is not complex (no numbers,symbols or uppercase alphabets), but it is 35 characters and most importantly 6 words in length giving it a very high entropy. Because apart from the length, the attacker also has 6 dictionary words (among 171,476 dictionary words) to compete with.
That being said, your passphrase is as strong as it is random. Do not use related words, the same words, names of people & pets or addresses in your passphrases.
ON REUSING PASSWORDS
“Okay, so I have a complex, long, passphrase. I’ll memorize this and use it in every service I use. That would make my life easy”. Nope! You still have a problem. Never use the same password more than once. Period.
Have you ever, registered on a random web/mobile app, only to forget about it. You see, you still have an active account on that application you forgot about. What if that was compromised by a hacker. Your password breached. Let’s face it, we are humans after all, and however strong we think our passwords are, we tend to use words, phrases that are tied to us or are “non-random”. You just can’t risk using the same password.
Troy Hunt has created this fantastic resource called “have I been pwned? (HIBP”) where you could check if your online account has been breached. You simply key in an email or password you have used in any application and HIBP would tell you if your credentials have been breached.
As in HIBP,
Pwned Passwords are 555,278,657 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts.
NOTE ON PASSWORD MANAGERS
Let’s be honest. Creating strong passwords for every random app and remembering them is impossible. Nope, that’s not going to happen. Password managers are the way to go.
Password manager is an app that stores all your passwords for you, so you don’t have to worry about remembering them. The best part — you could also make it generate strong passwords (complex and lengthy) for every website/application you register to, and store them for you, encrypted locally in your machine or cloud. Its that simple. While many argue against using a password manager, since you are letting it store all your passwords (all eggs in one basket), this is what Troy Hunt has to say.
Whilst having all your account details exposed at once is undoubtedly a very bad thing, the risk is infinitesimal compared to the chances of having it breached via website.
LastPass, KeePass, 1Password, PasswordSafe and DashLane are examples of some good password managers security experts recommend. I could go on about password managers. There is a lot to talk about — how to use them, their pros and cons, the opinions of security experts on password managers and so on. I’ll keep this for another issue/article in my newsletter.
A FEW MORE WORDS OF PRECAUTION
- Writing down your passwords on paper/diary is generally perceived as an unsafe practice. Security experts Brian Krebs and Bruce Schneier, however don’t think its a big deal, as long as you keep your paper/diary safe. Nevertheless, using password managers are always advocated by all security experts.
- Don’t save all your passwords in a word or text document. They are going to be in plain text. Encrypt them, or again, just use password managers will you?
- Use a 2 Factor authentication, if the service offers it.
P.S — I also write/host “FourZeroThree” an email newsletter on Internet security — https://fourzerothree.substack.com/