Have you ever wondered what happens when you put your password into that box on a website? How secure do you need a password to be, and how can you be more secure using the internet?
The websites that you trust, like LinkedIn and Yahoo, are frequently the target for attacks by increasingly sophisticated cyber-criminals, and some have a history of being careless with their users’ personal data. But there are some simple steps that you can take to make your profiles more secure.
The Dangers of Reusing Passwords
At present, most companies do not store your password or username in the format that you type it into the login boxes, which is known as plaintext or cleartext. If this were the case, then any hack exposing this information would mean that the hackers would have immediate access to accounts. While some websites like Twitter have reported bugs where plaintext user information has been inadvertently available in internal systems, this is increasingly rare, and most websites will compare your password to a stored version using a cryptographic hash algorithm.
A cryptographic hash algorithm – or hash algorithm for short – is a function that takes plaintext, and in an algorithmic way mixes this to produce a string of letters and numbers of a specified length. These algorithms are designed in such a way that making a small change in the input (i.e. the password) almost surely results in a large change in the output (the hash value). As an example, one of the most widely used hash functions is SHA-256, which takes an input and produces a 256 -bit output. Taking two of the most commonly used passwords – password and Password – one can see how the output is significantly different, despite only changing one character of the input.
Plaintext → Hash
password → 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Password → e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
So, in order to determine whether a password is correct for a given username (a process known as password validation) the company needs only to check the result of the hash function of your input against the stored hash value for your password.
However, this does not mean that your information is secure, particularly if you are using one of the more common passwords. If the table containing the hashed password information is leaked, as in a 2012 hack of LinkedIn, hackers can compare these hashed values against the hash values for common passwords. A match would then likely enable the hacker to determine this password, even if at no point they had access to the plaintext password. Hence, there is a particular danger to users reusing passwords, since a data breach from any source could allow hackers access to other services using the same account details.
Although businesses can do more to protect this information (for example using a process known as salting before applying the hash function), it is still best to use a different, complex password for every service. In 2019, the UK National Cyber Security Centre (NCSC) collated the top 100,000 passwords commonly found in data breaches, including the password 123456 found 23 million times. There is also currently debate as to whether it is best practice to force users to change their passwords after a set amount of time. CESG, now a part of the NCSC, found that forcing users to change passwords frequently led to poor password security.
Users might reuse a password they already remember from another service, which is insecure for the reasons above, or may adapt an old password. For example, if in such a breach, a hacker sees that the hash of a user’s password matched the hash for 123456, but that this no longer works, a reasonable next guess for the changed password might be 1234567.
Hence, it is important for users and businesses to be aware of the need for strong, unique passwords.
Find our Top 21 Terrifying Cyber Security Stats here.
Strong Passwords and Password Managers
The best passwords to use are long, complex, and do not contain personal information. In particular, having a short, simple password leaves the account vulnerable to brute force attack. In a brute force attack, the attacker tries many different possible passwords, in the hope that one of these is right. Common brute force attacks would involve guessing then most common password combinations (for example the list compiled by CESG), but also a dictionary search. It is relatively simple to write a program that can cycle through words in the English dictionary, even trying possible letter-number substitutions: for example Password and Pa55w0rd. Two ways to combat this sort of attack are to increase length and increase entropy.
Many websites now force users to have passwords over some minimum length. This is because the longer a password is, the longer any brute force attack may take. For example, the number of ways to choose six, distinct lowercase letters is 230,230. If one increase the length of the chosen string to ten letters, the number of ways to choose ten distinct letters is 5,311,735. By simply increasing the length of the password, one increase the size of the possible brute-force attack. Once the size of the attack increases past a certain point – i.e. the list of password guesses gets too long – brute force attacks become infeasible.
Another way to increase the security of a password is to increase entropy or complexity. One can do this by expanding the type of character used. As an example, take a password that is six characters long, as above. If one now allows the use of uppercase letters and numbers, there are 61,474,519 ways to choose six distinct characters. Many websites now force users to use special characters like punctuation and a mixture of upper and lowercase letters. This is an attempt to force users to increase the complexity of their passwords. However, it is a frequent mistake that users still give guessable structure to their passwords by making common changes like the letter-number substitution above, or simply adding ! at the end to satisfy the minimum requirements.
The problem with making a long password with high complexity, is that they are often more difficult to remember. Moreover, as highlighted above it is important not to reuse passwords with many different services. An example of a strong password is El4Rfv5F7$WOXR?I, but even typing this in correctly might be a challenge! One answer is to use a password manager. These are tools that allow one to generate and store unique passwords for different accounts, with the need only to create and remember a master password in order to access these. It is of course important to create a secure master password, since this would provide access to all accounts stored in the password manager, but users may find it easier to create and remember a single, secure password, rather than one for each online service used.
Many free password managers exist, such as LastPass, KeePass and Dashlane. They increasingly also offer cross-platform support, allowing users to access their accounts using apps on mobile devices. A common feature of password managers is a browser extension, that allows users to generate long, complicated passwords, and auto-fill this information when required. Furthermore, the premium features can be particularly useful increasing the security of your data. For example, LastPass Premium includes 1GB of encrypted file storage, compatibility with enhanced multi-factor authentication, and enhanced multi-user options: ideal for small businesses and individual users to protect themselves from cyber-attacks in an increasingly dangerous world.