How Passwords Work
Our lives are becoming increasingly dependent of digital media and services. Passwords have become more and more important to us all.
In order to gain access to our accounts and services, we need passwords to authenticate ourselves.
It may be worthwhile reviewing how passwords actually work.
The process of authenticating yourself using a password is constantly being refined, to keep it secure against hacking developments. But in general, password authentication tends to follow some variation of the sequence of steps discussed below:
When you enter your password, it is converted into a secure hash on the fly, as you submit it.
A cryptographic hash is designed to convert a specific set of content (in this case your password) into a single long string of text, which is unique to that content, so that even a slight difference in that content will result in a completely different hash. A hash function is also designed to be practically impossible to reverse. So that means if one has the hash, one cannot reverse the hash function process to derive the original content (your password). The objective of converting the password into a secure hash, is that from that point onwards, the computer systems work with the hash of your password, not the password itself.
When you originally created your password for that account or service, the same hashing function was used, and that resulting hash was stored as part of your credentials. Hopefully this hash is stored in an encrypted state, so that hackers cannot easily gain access to it, if they manage to penetrate the system (this is not always the case).
If done properly (and unfortunately, again, that is not always the case), your password is never stored, and thus retrievable by hackers or others, and is thus never visible to anyone else during the authentication process. This concept is sometimes referred to as “zero knowledge”, which means the company staff, nor anyone else, has zero knowledge about your password. Thus you are the only person who should have any knowledge about your password.
When you later login and submit your password, as part of the login process, the hash created on the fly from your password, is then compared to the hash previously stored, when you originally created your password. If the two are identical, you are given access, otherwise not.
An extra step is usually included in this process, to solve a specific problem, which is if two people coincidentally choose the same password, then they will have the same stored hash. That situation represents a security risk, because if a hacker can crack one of those passwords, they can then also gain access to the other account/s as well. So all they need to do is search for all other accounts that have that same hash, and the same password will work for all those accounts. That vulnerability is solved by including what is called a “salt”. A cryptographic salt is basically a long random number or character set, which is stored with your credentials. Every user gets their own unique, randomly generated, salt, when they create their password originally. The salt is appended to your password before the combination is hashed. In that way, even if you pick the same password as someone else, your hash will be different to theirs.
How Passwords are Hacked
There are many different ways that hackers can crack your password.
This article is not intended to be an exhaustive analysis of those methods. But if one understands the sorts of methods that hackers use to break passwords, then that will perhaps help in understanding the need to take appropriate steps to keep one’s accounts safe, from at least basic hacking methods.
A very basic form of hacking is called “Brute Force”, in which a high speed computer is used to try all the possible combinations of characters making up your password, until it finds a match. This sort of task is ideal for a computer to perform.
Computers can easily generate, and try, hundreds of thousands of passwords per second. In fact some specialised computers can test millions of potential passwords per second.
To understand this approach, lets start with a very simple example. Consider a password consisting of only one lower case alphabetic character. To find your password, the computer would just need to try each of the 26 letters in the alphabet, one after the other. If the hacking computer is allowed direct access to your login page, where it can send thousands of password attempts per second, then your one letter password will be hacked in milliseconds!
Now if that one character password could include a numeral, as well as upper case, or lower case letters, then the hacking computer would have to try 26 upper case, plus 26 lower case letters, plus 10 numerals – a total of 62 possibilities. So by adding different character sets, the total number of guesses that might need to be tried, can be increased somewhat.
But if one adds another character to the password, so that the password is now two characters long, that increases the number of potential passwords that need to be tried exponentially (the formula is 62 to the power of 2) – which is 3844 possible options.
Adding a third character to the password, increases the number of possible character combinations to 238 328 (62 to the power of 3). But even then, if a hacking computer can try 100 000 password guesses per second, then it would definitely find that password in less than three seconds.
However, if you used a 14 character alpha-numeric password (62 to the power 14), then it would take that same computer 3.9 trillion years to try every possible combination of characters.
And that, quite simply, defines why passwords are a viable form of on-line authentication. If you choose a strong password, and keep it secret, it becomes very difficult for hackers to gain access to your online accounts.
But hackers are smart. They find ways to short-cut the process and reduce the time needed to guess your password drastically, in comparison to the basic brute force process.
For example, the first thing they probably do is just start with passwords that many people are known to use, such as “12345” or “qwerty” or “password” etc. Most hackers have lists of these commonly used passwords. It’s easy to get a computer to run through them all as an initial guess.
Or, hackers will use what ever information they can find out about you, to focus their guesses in more likely areas. They will try using things like your birthday, or those of your family, the names of your family members, your street address, and any other data they can find about you – all of that represents better guesses of what your password might be, with higher probabilities of success, than just randomly chosen characters. They can gain access to your personal data, for example, if that was previously harvested and sold by unscrupulous companies, who do not care about your privacy (which is probably the case for most of us).
Another thing they might try, is if you are English speaking, they might start off by feeding in the complete list of English words from a dictionary, as well as combinations thereof.
If they can access your social media posts, they can use all the names, dates, books, and anything else that you may have mentioned in any of your social media posts. In fact, if they can identify you from your user name, it’s relatively easy to automatically get the hacking computer to look up all your social media posts and use every word you have posted on-line in the public domain.
You can see the pattern forming here.
The more information hackers can find out about you, the more you make their task easier, because if you have chosen a password that you can remember, it’s highly likely that you will choose something that has personal significance for you, such as your birthday, your child’s names, your pet’s name, or something like that. So the more hackers can find out about you, the higher the probability that some of that data may be relevant to your choice of password. This fast-tracks the hacking of your password, because they can start off by trying combinations of characters representing your personal data, and not just have to try every random combination of all characters possible. This reduces the possible combinations that need to be tried, by orders of magnitude, and could short cut the potential time necessary to find the password from thousands of years, to a few hours or days.
Of course measures are normally taken to prevent direct brute force attacks by most computer systems, such as introducing a deliberate time delay in the login process (usually about 2 seconds), which then makes it impractical to send thousands of login attempts in a short space of time.
Another method to protect against brute force attacks is to limit the number of sequential failed attempts, before the user’s account is locked down.
To get around those defences, another method hackers use to crack your password is by hacking into the system back-end and gaining access to the stored hash of your password. When you hear about security breaches suffered by various companies, where they announce user passwords were compromised, this is what they normally mean – that the hashes of user passwords were stolen.
Once they have that data, hackers then can run random passwords through the same hashing function, and compare those hashes generated, to the list of user hashes they have stolen. If they find any matches, then they have found the password of those particular users. They can run this process at high speed, on their own specialised equipment, and thus harvest large numbers of user passwords in this way. They might then sell that information on the hacking black markets.
With this method, the hacked system never sees any failed login attempts from you, as they would do in a conventional brute force attack. You may in fact never know that you have been hacked, if the hackers are discrete about their activities.
But again, longer, more complex passwords, will take longer to find, using this method, because the hacking computer still has to generate that specific sequence of characters, which matches your password, before running that through the hash function, to gain a match. So a strong randomly generated password still provides sufficient protection (at least giving you enough time to change your password in the event of a breach), even if hackers managed to steal the hash of your password.
Which is why it is important to only use strong passwords for important accounts.
Password strength is calculated by essentially estimating the time taken to try all the possible character combinations represented in your password.
The greater the length of your password, and the more different character sets represented, the longer a hacking computer will have to work, to try out all the possible character combinations. This time goes up exponentially, as you add additional characters to your password.
So longer passwords are always stronger.
Another factor that will determine password strength is whether the characters chosen have any sort of significance to you, or whether they are truly random. The less the sequence of characters chosen for your password has to do with you, or is otherwise predictable, the harder it is for hackers to find that sequence of characters, because they cannot use your personal data, or any other available data, or pattern set, as a short cut.
So to summarise, the following three things define the strength of your password:
- The length of the password
- The number of different character sets used in the password (numerals, letters of the alphabet, punctuation characters, upper case and lower case etc).
- Whether the character sequence is randomly chosen, or whether that has any significance to you, or whether it represents any sort of predetermined pattern which can be guessed (such as representing your birthday, or a family member’s name, or some other pattern).
The bottom line, is that if your password is something easy to remember, then it is is probably weak, and more easily hackable.
Strong passwords are quite long (in this day and age, 14 characters or longer), combine different character sets, and are completely randomly generated, with no discernible patterns or significance.
Biometrics vs Passwords
Some people think that biometric attributes, such as your fingerprints are a good form of digital authentication.
I tend to disagree.
Lets take your fingerprints for example. Everywhere you go, you leave your fingerprints behind. A good example is using your fingerprint to unlock your phone. Every time you unlock your phone you leave an imprint of your finger behind on the button. It’s quite easy to lift that finger print and use it, if for example your phone gets stolen.
There are publicly available demonstrations where even a photo of a user’s fingerprint is used to fool a fingerprint reading sensor. Of course these devices are constantly being upgraded, but the core problem remains, the digital information they read—your fingerprints—is readily available to hackers.
In addition, just think of how many officials and organisations already have your finger prints on file.
Also, an attacker can always just physically force your finger onto the fingerprint reader, or even worse, remove your finger for that purpose.
Another thing to think of is, in the event that you suspect that your fingerprints have been “stolen” and are being used to gain access to some system—well you can’t exactly grow another set of fingerprints! So once that information is compromised, it’s permanently compromised.
Now compare those situations to a secure password, which you never write down, and which nobody else knows about.
Personally I think the password is the more secure option.
But wait a minute—my bank uses my fingerprints to identify me, so does that mean that fingerprints are actually more secure than a password ?
I would still contend that using your fingerprints as part of the bank’s authentication process, is more about protecting the bank, because they can “prove” you were present. But it does not necessarily protect you to the same extent. That is because of all the ways I mentioned above, where the biometric scanner can be fooled.
The same problems apply to using facial recognition as an authentication method. Just think about how many photographs of yourself are online, or freely available in the public domain? What control do you have over your face been photographed in public?
Why You Should Not Store Passwords in an Internet Browser
This point was covered in precious post. To briefly recap – the problem is the tension between convenience and security.
Browser companies will always err on the side of convenience, because they are well aware that people who find their browser inconvenient to use, are quite likely to switch to another company’s browser, which is more convenient to use.
But convenient systems are seldom secure. Proper security tends to impinge on convenience, at some point or other, in the process.
So all browser password storage functions tend to be compromised, for that reason. Most browser companies will assure you that they take your security seriously. But believe me, they will not do anything that negatively affects the convenience of the user experience.
In addition, because so many people store all their passwords in their browser, those stored passwords are prime targets for hackers, especially since the passwords are neatly stored with the URL of each login page, making it super convenient for hackers to exploit. Not to mention the fact that when you use your browser, you will probably be on-line, so that means hackers have the chance of accessing your passwords remotely, from afar.
There are only a few popular internet browsers, so hackers can focus their efforts on identifying the security compromises inherit in those few browsers, and devising methods to penetrate them.
For all of these reasons, it really is not a good idea to store your passwords in your browser.
You Should Use a Different Password for Each Account
For the same reasons that it would not be wise to only have a single key that unlocks every door or lock that you use, you should not use one single password.
If every lock you use can be opened by the same key, that means that if someone else got hold of that key, then they can open all your doors or locks.
But there is one big exacerbating factor which makes your passwords more important than your house keys. In the digital world, everyone has access to your digital accounts, whereas malicious people would have to physically travel to get to your door. So there is a limit to how much risk you are exposed to when you lose your house key, but if your password is compromised, the whole world can potentially access your digital accounts.
If you use a different password for each account, well that reduces your risk substantially. If one password gets compromised, then only one account is vulnerable.
Why You Should Use a Secure Password Manager
From the above discussion, it can be seen that it is in your interest to use strong passwords that have the following characteristics:
- More than about 14 characters
- Randomly generated, with no patterns and being completely unrelated to yourself
- A different password for every account
- Kept secret – ideally you are the only person who has access to that password
But the problem with this is, passwords that have the above characteristics, are impossible to remember.
And that is the main reason why you should use a password manager – it solves the problem for you, while empowering you to use proper strong passwords.
The nice thing about a password manager is it is one of the few instances where improved security is actually more convenient, than trying to remember a whole series of long, randomly generated passwords.
A password manager is software, or an on-line service, which securely stores your passwords, in a way that allows those passwords to be conveniently available to you, when you need them.
Most password managers also include a random password generator, so you do not have to rack your brains to come up with some complicated password, every time you are asked to enter a new password. You just press a button to get a new strong, randomly generated password.
So think of a password manager as a “digital key ring”, which you carry around with you in your laptop and/or phone, which can generate new keys for you, as you need them.
From then on, all you need to remember is one strong master password, which opens the password manager. But you don’t need to remember (or even know) all your other passwords.
You need to keep that master password secret, and not use it for anything else, because that master password is the main vulnerability of your password manager. So keep it secret, keep it safe.
Life becomes much easier after that!
So we heartily recommend doing some research and choosing one of the available password managers. (We recommend KeepassXC, only because it’s free, it runs on multiple platforms and is not an on-line service—but that’s just our choice).
So choose one of the many password managers available, and try it out, maybe it will change your digital life?