Passwords are something we use every day, yet the way most people use them makes them very insecure. With more of our personal data going online every day it’s about time we started taking passwords more seriously.
So here’s a quick rundown of some of the main issues with passwords.
1) They can be stored in plain text
When you enter your password into a website, that website confirms you’ve entered the correct password by comparing it with a stored copy. At worst, the stored copy might actually be a complete copy of your original password, in plain text. If the website gets hacked your password is now in the hands of the hackers. And the next place they will go to is your GMail… your bank… etc. This is a massive security blunder, but one that a large UK supermarket did up until around mid 2012 and many other sites still do.
Passwords should be ‘hashed’ by a mathematical process that means the the original password cannot be obtained from the resulting hash. An example of this would be to divide a number by 2 and then round the result down. e.g. 11 divided by 2 is 5.5, rounded down is 5. Even if you know the result or hash (in this example 5), and the process used to obtain the result (divide by 2, round down) you still cannot guess the original number – it could be either 10 or 11.
Password hashing is much more complicated than this, but importantly, only the resulting hash is stored on the website and the original password can never be stolen and used to gain access to another website.
2) Even if they are hashed, they’re still easy to guess
Even if the website you are using does hash passwords, they’re still surprisingly easy to brute force if the hacker gets a copy of the website database. With modest computer hardware, rainbow tables can make cracking even moderately complicated passwords or 8 characters including symbols rather easy. Rainbow tables can be defeated by salting passwords, but the recent rise in power of off the shelf computer graphics cards has meant even this doesn’t guarantee password security.
When LinkedIn was hacked and there database stolen, the security firm Sophos confirmed that 60% of the 6million passwords were cracked by brute force. If you had used the same password on LinkedIn as for your email address, they would have had access to your email.
These are either software programs installed on your computer or worse still small pieces of hardware connected between your keyboard and computer that record everything you type in. They transmit this information back to the crackers who easily find the passwords by looking for an email address followed by some random letters.
Wireless keyboards are even more vulnerable, with the hacker not even needing to gain physical access to the PC.
4) No amount of hashing protects against bad employees
Even if the site you use hashes and salts passwords and insists on you using a password that is so long it could never be brute force guessed by any computer now or in the future and your home machine is patched, has virus checkers and you operate with a wired keyboard etc, you still cannot protect against the bad employee.
In this situation, an employee working on the website you are visiting adds malicious code which records all the login and password details sent to the site. The employee then tries logging into other sites using the same details. Simple and very effective.
In the next article I’ll go over some of the possible ways to use different passwords on each site.