Ask Alicia How Passwords Keep You Safe

Fun with passwords

by Derek Fisher

In terms of password security, the more complex and random you can make it the better. For instance, having a password like ‘aaaaaa’ has a few problems. One, there is no variation in the characters used. Two, it is short. Three, it is actually pretty guessable and can be easily “brute forced”. More on that in a bit.

To understand how passwords can be broken or compromised, it’s good to understand what happens when you type your password into a text box on a site or in an application. We are all pretty familiar with a login page where you enter a username and a password for the site or application you are attempting to access. Your username may be something like your email address or a unique id. After putting in your username, you then put in your password and hit enter or click a login button. From there the application or site will perform a bit of math magic, called hashing, to scramble your password into something that bears no resemblance to the original password. For instance, using the ‘aaaaaa’ example, this would become ‘F7A9E24777EC23212C54D7A350BC5BEA5477FDBB’ after being hashed. A really cool fact about hashing is that you can hash an entire book into a string of characters that is the same length as the one I just showed! Another fact is that every time the same set of characters is hashed, the same hash value comes out.

So, each time you log in to a site or application, it will hash the password you entered and then compare it to the hash value it stored previously. In other words, the site or application is not storing your password; it is storing a hash of your password and then matching that hash each time you enter the password. If it is a match, you can log in. If it’s not, you will not be allowed to log in.

Now that you are an expert in how passwords are created and how login works, you might be asking how this can be broken. The simple answer is that these hash values cannot be reversed. So, if I have a list of hashed passwords, I cannot turn them back into the original passwords. However, I can do the same thing the site or application does and try to find a match, which is called brute forcing. Let’s say your password is ‘bbbbbb’ and I have the hashed version of it, which happens to be this: ‘0E03C6205EA671D7D41A0E3AABFC9D15D97E5ED3’. I would start with ‘aaaaaa’. Well, that doesn’t match the hash value I have for ‘bbbbbb’, so I try again with ‘aaaaab’. And then ‘aaaaac’, and so forth through the alphabet until I find a match. Obviously, I’m not typing this by hand. That’s what we developed computers for. They are great at doing math. Within a very short period of time, roughly 1 second, I can brute force my way through the alphabet until I get a match. Now I know which characters hash to the same value as your password.
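To make the hashing, login-check and brute-force steps above concrete, here is a small added example (not code from the post). It assumes the post’s 40-character hash values are unsalted SHA-1, which is what their length suggests; the user table and the email-style usernames are constructed for the example. It also measures how fast this machine can hash, so you can see how the worst-case guessing time grows with password length.

```python
"""Toy login check and brute-force search, added to illustrate the post (not the post's code)."""
import hashlib
import itertools
import string
import time

LOWERCASE = string.ascii_lowercase  # 'a'..'z', the alphabet the post walks through

# Hash value quoted in the post for 'aaaaaa'; we check below whether unsalted SHA-1 reproduces it.
POST_HASH_AAAAAA = "F7A9E24777EC23212C54D7A350BC5BEA5477FDBB"


def hash_password(password: str) -> str:
    """Hash a password the way the post's example appears to: unsalted SHA-1, upper-case hex.

    Assumption: SHA-1 is used only to match the post's values. A real site should use a
    slow, salted password hash so each guess costs the attacker far more than one SHA-1.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a site's user table: it holds hashes, never the passwords themselves.
USER_TABLE = {
    "alice@example.com": hash_password("aaaaaa"),
    "bob@example.com": hash_password("bbbbbb"),
}


def verify_login(username: str, password: str) -> bool:
    """The login step from the post: hash what was typed and compare it with the stored hash."""
    stored = USER_TABLE.get(username)
    if stored is None:
        return False
    return hash_password(password) == stored


def brute_force(target_hash: str, length: int, alphabet: str = LOWERCASE):
    """Try every string of the given length in alphabetical order until one hashes to target_hash.

    Returns the matching string, or None if no string of that length over the alphabet matches.
    """
    for chars in itertools.product(alphabet, repeat=length):
        guess = "".join(chars)
        if hash_password(guess) == target_hash:
            return guess
    return None


def guesses_per_second(sample: int = 200_000) -> float:
    """Measure how many SHA-1 hashes this machine computes per second (pure-Python loop)."""
    start = time.perf_counter()
    for i in range(sample):
        hashlib.sha1(str(i).encode("utf-8"))
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst-case seconds to try every password of this length at the given guessing rate."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    print("post hash reproduced:", hash_password("aaaaaa") == POST_HASH_AAAAAA)
    print("alice / aaaaaa ->", verify_login("alice@example.com", "aaaaaa"))
    print("alice / aaaaab ->", verify_login("alice@example.com", "aaaaab"))

    # Recover a constructed 4-letter password; the post's 6-letter case is the same loop
    # but needs up to 26**6 (about 309 million) guesses in the worst case.
    print("recovered:", brute_force(hash_password("hunt"), 4))

    rate = guesses_per_second()
    for n in (6, 8, 12):
        print(f"{n} lowercase letters: up to {seconds_to_exhaust(n, 26, rate):,.0f} s at {rate:,.0f} guesses/s")
```

Running the script shows the same check the site performs (hash, then compare), the guessing loop the post describes, and why the post's advice favours length: each extra character multiplies the worst-case guessing time by the alphabet size, so the jump from 6 to 12 letters is a factor of 26 to the sixth power, not a factor of two.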

The case above is a simple example, but what happens in the real world is that databases full of usernames and passwords get exposed frequently. Chances are you have received notices to change your password because it may have been exposed. Hackers can use these stolen databases to uncover the passwords for accounts, and they have a lot of different tools available to make the job easier and quicker.

Where this gets tricky for you is if you reuse that username and password on other sites or applications. Several years ago, LinkedIn had its username and password database exposed. Users of the site were asked to change their password immediately. However, many users were using that same username and password on other sites, like their banks or shopping sites. Hackers were smart enough to know that users don’t like to remember a lot of different passwords, so once they uncovered the username and password for an account, they would try that same combination on other popular sites. It’s like finding a set of keys and trying a lot of different doors to see which ones open. Pretty sneaky.

What can we do? For starters, create a unique password for each site or application you use. This means that if one password gets leaked, it can’t be used anywhere else. Next, make sure your passwords are long and strange. You want them random, hard to read and without any known words in them. Most recommendations say that length is the more important factor. So, if you need to remember the password, make sure it’s a long phrase. Lastly, you want to change your passwords from time to time. Many breaches are not reported until weeks or months after they occurred, which means a hacker might know your password long before you are notified.

All of this makes password use difficult. The good news is that there are password manager applications that will store and fill your passwords for you. You only need to remember one password, the one that lets you into the password manager. From there, the application will remember, fill, and even create random passwords for you, which is good news, since trying to remember a password like ‘sw5ag!j&420!weTF’ for your bank login would be a bit too hard!