Friday 6 December 2013

Eight Essential Things Everyone Needs To Know About Passwords

Password security has been in the news again this week, as hackers have harvested millions of passwords from computers infected with malware.

Anybody using the internet for anything at all needs to be aware of a few basic things about passwords. If you understand why you're supposed to do something, you're more likely to do it.

If you don't already know what I'm about to say, take some time to read this; a few minutes invested now will save you a whole bunch of pain in the future.

By the way, I don't claim to be an expert, and experts will no doubt pick endless holes in this advice. I'm working on the basis that the basics, explained succinctly, are more valuable than the whole story explained inaccessibly.


Hashing


When you choose a password for a website, a properly run website never stores the password itself. Instead it uses a system called hashing: a mathematical formula turns your password into a fixed-length string of letters and numbers, called a hash, in such a way that you can't feasibly get back to the password from the hash. (Well-run sites go further and mix a random value, called a salt, into each user's hash, and use a deliberately slow formula; the reason becomes clear in the section on cracking below.)

This is important, because if the website stored your password as plain text instead of a hash, anybody gaining access to the website's database would see every user's password straight away.

Some websites skip even this basic level of security. In particular, any website which can send you an email containing your actual password is almost certainly not hashing it (a site that emails you a reset link or a one-off temporary password is fine; the problem is a site that can produce your own password on demand). You should avoid these websites like the plague, because they are run by idiots. (Not only will every password leak the moment their database is stolen, but anybody who can read your email - and email is routinely sent and stored unencrypted, so that is a much larger group than you'd think - can see your password.)
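To make the difference concrete, here is how a website should store and check a password, as an added example that is not from the original post and does not describe any particular site's implementation. It contrasts the bare unsalted hash the post describes with a per-user salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 from Python's standard library); the iteration count, the record format and the sample users are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original post): how a website should store a
# password so that a stolen database does not give away the password itself.
# The scheme, parameters and record format are this example's choices.

ITERATIONS = 200_000   # work factor: slows down every guess an attacker makes


def naive_hash(password: str) -> str:
    """Unsalted, fast hash: the bare minimum the post describes.

    Better than plain text, but two users with the same password get the
    same hash, and an attacker can test billions of guesses per second.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Return a storable record: algorithm, iterations, salt and derived key.

    The salt is random per user, so identical passwords produce different
    records and a precomputed table of hashes is useless. PBKDF2-HMAC-SHA256
    with many iterations makes each guess expensive for the attacker.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample users. The two users sharing "password1" are obvious
    # in the naive column and indistinguishable in the salted one.
    users = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
    for name, pw in users.items():
        print(name, naive_hash(pw), store_password(pw)[:60] + "...")
    rec = store_password("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))   # True
    print(verify_password(rec, "correct horse battery stapler"))  # False
```

Note that the site never needs to be able to get the password back: checking a login means re-running the same derivation on what the user typed and comparing the result, which is exactly why a site that can email you your password is doing something wrong.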


Hacking and Cracking


The most common way hackers get hold of user information is by hacking a website - accessing it without authorisation. There are various ways to do this. You can't stop any of them, so don't worry about trying, unless you're a website administrator, in which case your job should depend on it.

You might think that even if hackers get hold of the file of hashed passwords, they can't see your password. This is correct. However, once they have the hash file, hackers can use password-guessing software to work out (crack) your password offline, at their leisure. This software generates guesses and hashes each one: millions of guesses per second on an ordinary computer, and billions per second on a graphics card, if the site used a fast hash function with no salt. It then compares the hashes it creates with the ones in the stolen file, and because every user's hash is checked against every guess at once, it cracks the whole file in one pass. If a hash matches, the hacker has just guessed that user's password. (A site that salts its hashes and uses a deliberately slow hash function can cut the rate to a few thousand guesses per second, but you have no way of telling whether a site does this, so assume it doesn't.)

You may have read about hackers using "social engineering" to guess people's passwords - trying different combinations of important names, dates etc, or ringing up pretending to be your bank and just asking for it - but in reality, unless you're a high-profile international target for organised crime (in which case pay a consultant, instead of reading this article), targeted guessing of your personal details is not realistically going to happen to you. The one exception is phishing: a fake email or website that tricks you into typing your password in. That is common, but the defence is simple: never type or hand over your password in response to an unsolicited email, link or phone call. Beyond that, password-guessing software running against a stolen hash file is by far the easiest way for somebody to crack your password.

To defeat this method, you need a password which the password-guessing software can't guess. So how does it guess passwords?


Common Passwords


The software will start by going through a list of the most common known passwords. These include all the passwords people who don't know how to make up a good password will use: 123456, password, iamcool, qwerty, 111111 and hundreds more. (Security consultant Graham Cluley analysed a recent password hack and lists the top 50 passwords it revealed.)

If you use any of these, your password can be guessed in a tiny fraction of a second. You should not have any illusion of any security whatsoever. Assume anybody can access any information protected by such passwords. Change them, now. (Actually, finish reading this article first, otherwise you'll probably just change them to something equally pointless.)


Dictionary Passwords


The password-guessing software will next go through millions of words contained in a normal dictionary, presumably starting at "aardvark" and going on through to "zygote". You're probably already smugly thinking - but ha, I don't use the word "zygote", I cunningly replaced the letters with numbers to get "zyg0t3". Unfortunately, the password-guessing software already knows this and will try all the common substitutions too.

Dictionary words with numbers substituted are not secure. The dictionaries this software uses include many words in many languages, including names, places, bands, etc. So "d4ftpunk" will fall in less than a second.

You can try to generate a password that isn't likely to be in a dictionary. But assume that pretty much any meaningful word or short combination of them ("momof3g8kids", "Oscar+emmy2") will fall prey to this type of attack. Fear not, there are other options.


Brute Force


Once the password-guessing software has tried the easier methods above, it will resort to brute force. Starting with a, b, c, it will then go through every combination of letters and numbers to try out all possible combinations. In the light of this approach, picking a good password might sound a bit futile; surely everything will be guessed, in the end. However, it takes time to try all these combinations. All you have to do is make sure the time taken to guess your password is impractically long.

Assuming 36 characters (A-Z and 0-9), there are 36 possible one-letter passwords, 36x36=1,296 two-letter passwords, and so on through to 36^6, about 2.2 billion combinations, for a 6-letter password. An ordinary computer can hash 2.2 billion passwords in a few minutes (about 4 minutes at roughly 9 million guesses a second), and a graphics card running cracking software against fast, unsalted hashes does it in seconds. But each time you add another character to the length of the password, it takes 36 times longer to guess.

Use a 16-character dictionary-resistant password and there are 36^16, roughly 8,000,000,000,000,000,000,000,000 (8 followed by 24 zeros), different possible combinations of the basic 36 characters. Even at a billion guesses a second, trying them all would take around 250 million years. Using basic punctuation as well as letters and numbers adds combinations, so adds security, but length matters far more: every extra character multiplies the work by the whole alphabet size, whereas a few extra symbols only make that multiplier a little bigger.
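The three stages above (common passwords, then dictionary words with substitutions, then brute force) in working code, as an added example that is not part of the original post. The "hash file" is constructed for the example, using unsalted SHA-1 as many breached sites did; the common-password list, dictionary, substitution table and suffixes are tiny stand-ins for the multi-million-entry lists a real cracker loads from disk, and the brute-force stage is capped at three characters so the example runs in seconds.

```python
import hashlib
import itertools
import string

# Added example, not from the original post: a miniature password cracker that
# works through the three stages the post describes. HASH_FILE and the word
# lists are constructed for the example; real crackers use lists of millions
# of entries and hundreds of mangling rules.

COMMON_PASSWORDS = ["123456", "password", "iamcool", "qwerty", "111111"]
DICTIONARY = ["aardvark", "daftpunk", "zygote", "oscar", "emmy"]
SUFFIXES = ["1", "123", "2013"]

# Letter-for-number substitutions a cracker tries on every dictionary word.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

BRUTE_ALPHABET = string.ascii_lowercase + string.digits   # the post's 36 chars


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def leet_variants(word: str):
    """Yield the word with every combination of LEET substitutions applied
    (2**k variants for k substitutable letters), each also capitalised."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply, i in zip(mask, positions):
            if apply:
                chars[i] = LEET[chars[i]]
        variant = "".join(chars)
        yield variant
        yield variant.capitalize()


def candidates(max_brute_len: int):
    """Yield (stage, guess) pairs in the order a cracker tries them:
    the cheapest, most likely guesses first, brute force last."""
    for pw in COMMON_PASSWORDS:
        yield "common", pw
    for word in DICTIONARY:
        for variant in leet_variants(word):
            yield "dictionary", variant
        for suffix in SUFFIXES:
            yield "dictionary", word + suffix
    for length in range(1, max_brute_len + 1):
        for combo in itertools.product(BRUTE_ALPHABET, repeat=length):
            yield "brute", "".join(combo)


def crack(hash_file: dict, max_brute_len: int = 3) -> dict:
    """Return {user: (password, stage, guess_number)} for every hash that
    fell. Targets are indexed by hash, so one hash per guess tests every
    user at once - which is why unsalted hashes are so cheap to attack."""
    targets = {}
    for user, h in hash_file.items():
        targets.setdefault(h, []).append(user)
    cracked = {}
    for n, (stage, guess) in enumerate(candidates(max_brute_len), start=1):
        users = targets.pop(sha1_hex(guess), None)
        if users:
            for user in users:
                cracked[user] = (guess, stage, n)
            if not targets:
                break
    return cracked


# Constructed sample hash file: what an attacker gets from a breached site.
HASH_FILE = {
    "alice": sha1_hex("123456"),
    "bob": sha1_hex("d4ftpunk"),
    "carol": sha1_hex("Zyg0t3"),
    "dave": sha1_hex("k9z"),
    "erin": sha1_hex("correcthorse7556batterystaple"),
}

if __name__ == "__main__":
    results = crack(HASH_FILE)
    for user in HASH_FILE:
        print(user, results.get(user, "survived (not found within the search)"))
```

Running it shows alice falling on the very first guess, bob and carol falling to the dictionary stage despite their substitutions, dave falling to brute force because three characters is nothing, and erin's long passphrase surviving because the search never gets anywhere near it.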

So, it's possible to outwit the password-guessing software simply by choosing a long password. But how are you going to remember a long password? You could try only using a single password for everything, but...


Reusing Passwords


A good proportion of users (ie nearly everybody) uses the same password for different websites. Why is this a problem? Well, any hacker obtaining your Facebook password can potentially then access your Amazon account, Yahoo Mail, PayPal, eBay, KinkyGoats.com and so on. This is particularly a problem with email accounts, where the hacker can then use the email account to reset passwords on other services too.

The bottom line here is: never reuse passwords. It's like carrying around 20 identical keys, on separate keyrings, each of which can access your car, your house, your wallet, your credit cards, etc. Lose a single keyring and you've compromised everything.

If you really have to, you could maybe consider reusing a single password for websites which don't give hackers any way to access financial information (eg your BBC Online password which allows you to comment on articles, but not Amazon, which would allow people to make financial transactions on your behalf.) But don't come crying to me when somebody starts impersonating you online.


Password Strategies

Password Management Software


The most effective way to generate a long, secure password is to use a piece of software to do it for you, randomly. (Humans are basically hopeless at generating anything randomly.) However, in most cases, this means you won't be able to remember the password. I've just used 1Password to generate me a nice secure 20-character password, and it came up with pCnVtG4}8[tA,?aXGLEv. This is nice and secure, but even trying to remember it is a complete non-starter.

Therefore if you choose this approach, you'll need to use a piece of software to remember your passwords for you. There are several out there. I use 1Password, which runs on my Mac, iPhone and iPad, and would also run on my PC if I had one. It cost me money, but I'd rather spend a few quid on some well-crafted software than deal with having my identity stolen online :)

Beware! Password management software generally uses a single master password to encrypt all your other passwords. Anybody who gets hold of your password file and guesses that master password will have access to your entire digital empire. However, if you only store the password file on your laptop, they would need access to your laptop to even begin guessing the master password. If the master password itself is long and not in any dictionary, you are still reasonably safe at this stage. (Ideally you will also be encrypting your hard drive, as I do - this is a whole other topic however.)

1Password, like other software, also allows me to sync my password file between several devices (laptop, iPhone, iPad) using third party services such as Dropbox. If I use this, my password file will be stored on Dropbox's servers, where it will also be accessible to anybody who has legitimate or unauthorised access to these servers (ie Dropbox's staff, the NSA, GCHQ, Russian crime syndicates, etc). By using such sync services, I have to accept that I'm handing a copy of my password file to people who can then guess at the master password offline, for as long as they like. Good password managers derive the encryption key from the master password using a deliberately slow function, so a long master password holds up to this; a short one won't.

One of many benefits of password management software is that you seldom, if ever, need to type in passwords. 1Password will automatically fill in passwords for me, when I authorise it to do so. A good password manager will also refuse to fill a password into a website whose address doesn't match the one it was saved for, which is a useful defence against phishing sites that imitate the real thing.


Manual Password Generation


If you're reading this, it's probable that you're not a password expert and hence find the prospect of installing and running password management software a little unpleasant. Don't fear; there are still ways to make sure your passwords are secure.

On the basis that, in the password world, longer is better, the simplest approach is to use multiple words, one after another, to make a single long passphrase. The online comic XKCD popularised this approach; I suggest you don't use "correcthorsebatterystaple" as your password, as it's probably made it into the password-guessing dictionaries already.

If the password-guessing software has a million words in its dictionary, then putting 4 of them one after the other leads to 1,000,000^4, or 1,000,000,000,000,000,000,000,000, different possibilities. That only holds if your words really are drawn at random from a list that size, though. Four everyday words chosen by hand come from a much smaller list - a few thousand words - and a few thousand to the power of four is in the tens of trillions, which is well within reach of the software. Pick unusual words, or use more of them.

Even better, put a random number in the middle of your passphrase ("correcthorse7556batterystaple"). Even if you use the same number in the middle of all your passwords, unless somebody is deliberately targeting your various passwords individually from a known password (in which case you have more problems than this article can solve) they're not going to be able to crack this using brute force, for some time at least.
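Both ways of generating a password described in this section, the password-manager style random string and the XKCD style passphrase with a number in the middle, as an added example that is not from the original post. It uses Python's `secrets` module, which draws on the operating system's random number source (the ordinary `random` module is predictable and must not be used for passwords), and works out how much brute-force work each password represents in bits, which makes the point above about word-list size concrete: WORDS is a deliberately tiny constructed list, and the guessing rate in the demonstration is an assumption.

```python
import math
import secrets
import string

# Added example, not from the original post: generating a password each of the
# two ways the post recommends, using the operating system's random source via
# Python's `secrets` module, and working out the brute-force work each one
# represents. WORDS is a short constructed stand-in for a real list of
# thousands of words; the guessing rate used below is an assumption.

SYMBOLS = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

WORDS = ["correct", "horse", "battery", "staple", "aardvark", "zygote",
         "lantern", "pebble", "orbit", "velvet", "cactus", "monsoon",
         "quartz", "hammock", "glacier", "tangent"]


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Password-manager style: every character drawn uniformly at random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, wordlist=WORDS, digits: int = 4) -> str:
    """XKCD style: random words with a random number dropped into the middle."""
    chosen = [secrets.choice(wordlist) for _ in range(n_words)]
    number = str(secrets.randbelow(10 ** digits)).zfill(digits)
    half = n_words // 2
    return "".join(chosen[:half]) + number + "".join(chosen[half:])


def password_bits(length: int, alphabet_size: int) -> float:
    """log2 of alphabet_size ** length: the work to brute-force a random
    password of this shape, in bits (each extra bit doubles the work)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int, digits: int = 0) -> float:
    """Same measure for n random words from a list plus an optional random
    number. Only the size of the list the words were drawn from counts."""
    return n_words * math.log2(wordlist_size) + digits * math.log2(10)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """How long trying every possibility takes at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9   # assumed: a graphics card against fast, unsalted hashes
    bits20 = password_bits(20, len(SYMBOLS))
    bits16 = password_bits(16, 36)
    print("random 20-char:", random_password(),
          f"{bits20:.0f} bits, {years_to_exhaust(bits20, rate):.2g} years")
    print("post's 16-char a-z0-9:",
          f"{bits16:.0f} bits, {years_to_exhaust(bits16, rate):.2g} years")
    print("4 words from this tiny list:", random_passphrase(),
          f"{passphrase_bits(4, len(WORDS), 4):.0f} bits")
    print("4 words from a 100,000-word list:",
          f"{passphrase_bits(4, 100_000, 4):.0f} bits")
```

The numbers are the point: four words from a 16-word list plus a 4-digit number is under 30 bits and falls in seconds, four words from a 100,000-word list is around 80 bits, and the post's 16 characters of letters and digits is about 83 bits, the same 8-followed-by-24-zeros search space given earlier.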

How do you then remember all these passwords? Well, if you're going to make a note of them, do so on paper, not on a computer. Yes, if somebody steals the paper, all your passwords are compromised, but it is far more likely that somebody will access your computer remotely than that your house will be burgled. I don't really recommend this, but do it if you have to. However, try to make things a little harder for any would-be thieves, for example by writing down your passwords with your random 4-digit number (above) left out of the middle of all of them. Few burglars are going to sit around trying all possible ways of adding information to a paper list of passwords, just to get access to your Amazon account.


Summary


To distil this down a little:
  1. Use long passwords. At least 16 characters. Ideally 20. Letters and numbers. Maybe some punctuation too.
  2. Never use the same passwords for different websites.
  3. Invest in password-management software, if you're confident you can use it properly.
  4. ...but make sure your password file is not vulnerable.
