There are many people who say that they don’t trust some version of online business, whether it be passwords, password wallets, or some other version of encryption security. They claim that by keeping their passwords on paper, that this is a higher level of security than storing it on their computer. They are right, and they are wrong. The answer to this lies in the way that encryption works. I am greatly simplifying this, so it will be a bit easier to understand.
All digital encryption works using the same basic principles. Digital encryption is simply a very complex math problem where there is a formula that permits only one answer to a problem posed by the number that is put into it, the password. The output that results from the password being run through the algorithm is called the hash. There can only be one hash for each password. Password hashing is typical on the server side when the server operators don’t need to know the plaintext password, they just need to demonstrate that the user knows the plaintext.
A common hash function is Message-digest algorithm 5 (MD5), which takes a message of any length as input and converts it to an output of a fixed 128-bit hash value length to be used for authenticating the original message. Here are a few examples of what a hash looks like:
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
md5(hell0world) = 0a123b92f789055b946659e816834465
md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca#
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
When you enter your password into a website, it is converted into a hash. If the hash matches the one that is on file, the website grants you access.
Small changes matter a lot – Take a look at examples 1 and 2. Just one digit has been shifted, from an “o” to a “0.” This is a very small change, and yet the second output is unrecognizable from the first.
The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32-character string as the output.
Repeatable – An input will always give the same output when hashed using the same function. If this weren’t the case, they would just be generating a random output, which would be useless for passwords. (I included the same function in example 1 as example 4 just to see if you were paying attention.)
Knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, memorable password. In fact, you should do the opposite. The password you choose is critical for keeping your data secure. Why is that?
MD5 isn’t the only hashing algorithm. There are others, like the SHA-2 hash code family, one widely used today, with algorithms that are longer and harder to break. The names of SHA-2 algorithms are connected to length, so SHA-224 represents 224 bits in length. The same format works for SHA-256, SHA-384 and SHA-512. The more bits in the hash, the more complex and difficult it is to break, and the longer an input password that can be used.
If a website is hacked, cybercriminals don’t get access to your password. Instead, they just get access to the encrypted hash created by your password. It’s impossible to reverse a hash function, so trying millions of combinations to try and produce the same hash (a brute-force attack) is the way that hackers have been attacking passwords.
So that’s what they do. They breach a website because they want the hashes. Banks, Home Depot, Amazon, all of the breaches that you hear of where passwords are compromised, that’s what they are after. That’s what happened to LastPass, as well. They got the password wallets, which included the hashes for the master passwords.
Once a cybercriminal obtains password hashes from a website, the real process of password hacking begins. This process happens offline, on the cybercriminal’s computer. Cybercriminals put combinations of characters into a hashing function until a hash that matches yours is created.
Because the functions themselves are well known, password cybercriminals can easily calculate hashes for known words and other commonly chosen combinations. Then they scan for known hashes using commercially available cracking tools. These dictionaries go far beyond simple words. They include prefixes, suffixes, the practice of changing letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords can be broken very quickly. Humans suck at random. That’s why human created passwords are garbage.
A long password is better, because it takes more to guess a long password than a short one. A random one is better, because this foils dictionary attacks. Not reusing passwords is a way to keep a hash found on one website from being matched with others.
- 69% of people admit to sharing some passwords with others
- 71% of people admit to using common passwords like p@ssw0rd, their pets’ names, or children’s birthdays
- 72% of people admit to reusing the same password on 4 or more accounts
- 56% of people claim that they would not use passwords at all if they could
- The average user has 25 online accounts but uses just 6.5 passwords to protect them
So why does all of this matter? If you write your passwords on a piece of paper and then burn the paper, no one will ever get the passwords, but the hackers don’t care. They want the hash so they can brute force your passwords. It doesn’t matter if YOU use electronic password storage, because any company that you do business with does, but in the form of hashes. Using a password notebook like this one keeps the password out of electronics, but that doesn’t secure the hash.
Remember that a password cracking tool uses different methods to attack a hash. It will guess common passwords, and paired with a handful of inexpensive GPUs, can make 88 billion guesses per second. In fact, one hacker has a 25 GPU server that guesses 350 billion passwords per second. Ten years ago, a white hat used a GPU driven machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn in less than six days. Computers and their cracking software are considerably faster today.
They are so fast, that number-only passwords are useless. Even if you choose a good combination of letters, numbers, and special characters, passwords of eleven characters or less will be brute forced before a company even notifies the public of the breach. A series of leaks over the past few years containing 100 million passwords have given hackers dictionaries of passwords from people in different walks of life. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.
That’s why I was so pissed at LastPass for not disclosing the breach for months. How long is your password, what does it consist of, and how would it fare if the black hats had the hash to play with for 3 or 4 months? What if the black hat uses more than one computer?
That’s why, for now, I recommend that you use a randomly generated password comprised of numerals, special characters, uppercase, and lowercase letters, and your password should be no fewer than 17 characters long. Do not use words, even with common misspellings. Dictionary attacks live on words like p@ssw0rD123.
Diceware has a flaw in that it is susceptible to dictionary attacks. There are only 7,776 words in the diceware word list. Using that list to generate 4 words results in 3.6 quadrillion possible word combinations. That’s a lot for a human to guess, but a trivial exercise for a computer making a few billion guesses per second. If no other randomness is inserted, a 4 word password generated by diceware would be cracked in less than 3 hours. There was a time when diceware was a good idea, but increases in computing technology have made it useless.
That same technology makes other schemes just as useless: fingerprints, facial recognition, and others. A strong, random password and a hardware key are currently the only secure methods for identifying valid, authorized users.
There are new hashing algorithms that complicate the process of cracking, like SHA512, Bcrypt, or PBKDF2. The complexity of the math involved limits the speed of those cracking computers to less than a 10,000 guesses per second, which greatly increases security. However, it costs money for a business to stay current with this kind of technology, and many companies just aren’t willing to spend the cash. That means it is up to YOU to keep your password long and complicated.
Don’t be complacent. There was a time when an 8 character password was nearly impervious to attack.