Today I’m going to talk about something that may seem a little off-topic: you need to have better passwords for your online accounts.
This is probably not news to you. Every time a big website gets hacked there is a flood of news stories about the dangers of weak passwords, but it always dies down quickly. You might feel guilty about using ‘123456’ as your password for a couple days, but you’ll eventually forget about it once the media stops reminding you.
Here’s the bottom line: if you are not using a different, strong password for every online account, you are putting yourself at unnecessary risk.
Luckily there’s a simple way to do that. All while actually making it easier for you to remember your passwords. Just use a password manager.
But before I get to that, I’m going to try to explain why you actually need one, and where the risks actually come from.
What’s the deal with Passwords
The risks that I’m talking about are not what you first think of when you hear the phrase ‘steal your password’. I’m not talking about somebody who stands behind you at the coffee shop and watches you type it in. Nor the risk of somebody compromising your computer with a virus. Nor the risk of somebody in a coffee shop snooping on the wifi and grabbing your passwords from any unsecured traffic.
Password managers will actually help with those, but most people already understand how to prevent them. Don’t type an easy password in with a stranger over your shoulder, install some antivirus on your computer, and make sure the websites you log into use HTTPS. (Ok, maybe the last one isn’t that obvious.)
But what we’re concerned about today is the big breaches. It’s not about some individual trying to steal your login, it’s about some individual trying to steal millions of logins.
Let me explain.
When you create an account on a website, let’s say Example.com, they need to store your login information.
At Example.com they’re pretty naive. So they take your username and your password and store them together in a database. When you log in they compare your username and password against the database and if they match, they let you in. If you ever forget your password, they can just email it to you.
This works perfectly until somebody hacks in and steals the database, and they can read all the passwords.
In response, Example.com upgrades their security. Now instead of storing them in plain text they encrypt all of the passwords. Whenever you log in they just decrypt your password stored in the database and use that to check if you got it right. As a bonus, if you ever forget your password they are still able to just email it to you.
This works perfectly until somebody steals their database and their encryption key, which they had to store on the same computer, and decrypts all the passwords.
(No website today should ever do either of those. If any website is ever able to email you your password, run away and don’t look back. Then never use that password again.)
Now they get creative. There is a type of computer algorithm that works as one-way ‘encryption’, called a hashing algorithm. These algorithms take an input, such as a password, and produce an output ‘hash’ that is effectively unique to that input. So every time they run your password through that algorithm it returns the same semi-random output.
What makes hashing algorithms interesting is that there’s no practical way to get from the output hash back to the input password.
Now Example.com will save in their database your username (in plain text) and your hashed password. When you log in, they take your password, run it through their hashing algorithm, and compare the result against the saved hash. If you forget your password, they won’t be able to send it to you because even they don’t know what it is.
Example.com is now up to par with many websites out there today. Often when there is a ‘password breach’ it’s somebody stealing a database containing plain text usernames and the password hashes, just like I’ve described. The passwords leaked in the last couple months from LinkedIn were secured like this.
This is what we’re trying to secure against by using a password manager.
Why It’s Still Broken
The problem with this scheme is not immediately obvious.
If you had an account with Example.com and your password was ‘123456’, and they used the hashing algorithm MD5, your password hash would be: E10ADC3949BA59ABBE56E057F20F883E
In fact, everybody who used ‘123456’ would have the same password hash. All an attacker has to do is check to see whose password hash is E10ADC3949BA59ABBE56E057F20F883E and they’ll know that your password is ‘123456’.
Amusingly, if you store password hints alongside the password hashes into the database, a leaked password database becomes The Greatest Crossword Puzzle in the History of the World. Line up the password hashes and you get multiple hints to explain a single password.
To find the passwords, an attacker will take every password they can think of, generate the hash value, and check to see if the hash value is in the database. The more passwords they check the longer it takes them, so they use lists of the most common passwords, dictionary words, basic changes to dictionary words, and ultimately random guessing.
Every password they check takes time, as they have to compute the hash and then check it against the database. A good hash algorithm is actually somewhat slow, so it takes longer to check each password, but not so slow that it takes a long time for you to log in.
What you need to do is make sure your password is not one of the passwords that they can check in a reasonable amount of time. Because their ability to ‘guess’ what the passwords may be is very very good, you should assume that anything you can remember easily is not secure. Thus, you need to use a complex password that you can’t easily remember.
If you reuse passwords for multiple websites, you are trusting all of them to keep that password secure for you. If any one of them doesn’t store their passwords correctly, and you reuse your username, then none of those accounts are secure. Once a hacker finds your password at one site, they will try the same username/password combination at other sites. So it’s good to have different passwords for everything.
If you’re still hoping that the websites you use probably have good security practices, remember that LinkedIn, a multi-billion dollar company, didn’t do this correctly.
So the best thing you can do to keep your accounts secure is to have a unique, difficult to remember password for every account. The only easy way to do that is with a password manager.
There is actually a better way for a website to store passwords, called password salting. Basically, they generate a random ‘salt’ that they store in the database (in plain text) along with your username and password hash. When you log in, they take your password, add the salt to it, then hash that whole thing and compare it to your stored password hash. Since the ‘salt’ is unique to your account, an attacker would have to crack your password individually, instead of being able to crack all of the passwords at the same time.
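To make the difference concrete, here is an added example (not from the original post) that builds both kinds of table for a few constructed accounts: unsalted MD5 as described above, where everyone who chose ‘123456’ shares the hash E10ADC3949BA59ABBE56E057F20F883E, and a per-account salted, deliberately slow hash. The slow hash chosen here is PBKDF2-HMAC-SHA256 from Python’s standard library; the post itself names only MD5, so that choice and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two users picked the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "ap49nQXj*ro@"}
ITERATIONS = 100_000  # assumed work factor: each guess costs the attacker this much

def unsalted_md5(password: str) -> str:
    """The unsalted scheme from the post: the same password always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest().upper()

def unsalted_table(users: dict) -> dict:
    """What a naive Example.com stores: username -> MD5(password)."""
    return {name: unsalted_md5(pw) for name, pw in users.items()}

def shared_hash_groups(table: dict) -> dict:
    """Hashes that appear under more than one account: crack one, you get them all."""
    groups = {}
    for name, digest in table.items():
        groups.setdefault(digest, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}

def salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted scheme: random per-account salt, stored in plain text next to the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def salted_table(users: dict) -> dict:
    """Username -> {salt, hash}; identical passwords no longer produce identical hashes."""
    return {name: salted_record(pw) for name, pw in users.items()}

def verify_salted(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    plain = unsalted_table(USERS)
    print("unsalted:", plain)
    print("accounts sharing a hash:", shared_hash_groups(plain))
    salted = salted_table(USERS)
    print("alice/bob collide when salted?", salted["alice"]["hash"] == salted["bob"]["hash"])
    print("alice logs in with 123456:", verify_salted(salted["alice"], "123456"))
```

Running it shows alice and bob grouped under one MD5 hash in the unsalted table, while their salted records differ and each must be attacked on its own.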
So a Password Manager
Using a password manager helps you solve the two basic problems most people have with their passwords: uniqueness and complexity.
Since you don’t have to remember your passwords you can have a different password for every single account. That way if one of them is breached only one of your accounts will be compromised. If you have hundreds of different accounts like I do, there is no way you can keep track of them all without a password manager.
Since you don’t have to remember your passwords, they can all be very complex. “ap49nQXj*ro@” is a strong password, but would take most people quite a bit of effort to memorize. My password manager will generate it and save it for me in seconds.
With a password manager, you will only have to memorize one strong password, your ‘master password’, and all the rest will be stored for you.
There are a number of options to choose from, but for the most part all of them will have the same basic set of features.
- A very secure ‘vault’ for storing all your passwords.
- A ‘password generator’ to create new passwords. Humans are notoriously bad at generating random passwords.
- Simple ways to access your passwords, like a browser extension.
The only downside to those two options is that you have to trust those companies to some extent. If you are extra paranoid then the best option is KeePass, but it might be more effort than it’s worth.
Look into the options for yourself, pick the one you’re comfortable with, and then actually use it.
Also published on Medium.