In The Beginning
Life used to be so easy. We drove to the bank, handed our deposits to the teller, chatted pleasantly as the teller conducted our business, then went on our way. We’d go to a shop, select our purchases, hand the cashier a check or some cash, receive our change and receipt, and leave. Younger readers may not remember those days, but they were not all that long ago. A password was just something you whispered to gain entry to a secret club. Today, passwords are critical to everyday life, and passwords have a lot of value to criminals.
What’s in a Name?
The most common method of authenticating to a website is still the user name/password combination. It’s a flawed methodology, but right now it’s still the easiest and most cost-effective to implement, and it doesn’t require users to learn a new technology. What makes it a flawed methodology is that users try to use passwords they can remember, which likely means that they are also easy to guess or crack, or they create one really great password that they want to use everywhere because it’s just SOOOOO AWESOME!
What could possibly go wrong using a strong password? If you use that same password in multiple places, multiple things can go wrong, and it all starts with bad guys doing what bad guys do. Let’s start by looking at how passwords work.
How Passwords Work
When you first create an identity at a site, most often the process will direct you to create a username and a password. There may be some suggestions as to how to create either or both, but the important stuff happens afterward. Some sites store those things just as you type them, in a database. In other words, if you select a user name of John Doe, with a password of monkey1234, in the database there is a column for name, and your entry will say John Doe, and another column for password, and your entry will say monkey1234. If an attacker breaks into that site and gets into the database, all of the user names are there in plain text, and so are the passwords.
Salty Hash
Some sites “hash” the user’s password input. The site takes the password and runs it through a hash algorithm, which maps the input to an output of a fixed, predetermined length. Regardless of how long your password is, the algorithm’s output is going to be the same length for every password. Hashing is a one-way process: there is no key that turns the output back into the password (how hard it is in practice to find an input that produces a given output depends on the strength of the algorithm, and I’ll explain that in just a bit). Encryption takes some text, applies an encryption key to it, and can be undone with the matching decryption key. Hashing has no “de-hashing” key, and you cannot simply run the mapping in reverse to obtain the password.
Some sites take the hashing process a step further and add a “salt” to the password before hashing it. The salt is an additional string of text, ideally random and different for every user, that is combined with the password to further obfuscate (isn’t that a magnificent word?) the text that produces the hashed result. The site stores the salt next to the hash, and the same salt is added to the password input every time the user logs in, so the site still gets a matching result. What the attacker gets is much worse: two users who chose the same password end up with different hashes, and a table of precomputed hashes is useless because every user’s salt has to be attacked separately. James could create a seven-character password, and Cheryl could produce a 12-character password, and the hashes, salted or not, created with the same algorithm, would be completely different outputs of the same length.
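The two storage schemes described above, as an added example that is not part of the original post: a plaintext column beside a salted, one-way store, with the registration and login steps written out. The parameters (a 16-byte random salt per user, PBKDF2-HMAC-SHA256 with a high iteration count) and the user names and passwords are assumptions chosen for the example, not anything taken from a real site.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this added example (assumptions, not the page's):
# a random per-user salt and a deliberately slow key-derivation function so
# that every password guess costs the attacker real CPU time.
SALT_BYTES = 16
ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The insecure scheme from the text: the password column holds the password itself."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted one-way hash. Returns (salt, digest).

    On registration a fresh random salt is drawn; on login the stored salt is
    passed back in, so the same input reproduces the same digest. The digest
    is always 32 bytes, whatever the length of the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(user_table: dict, username: str, password: str) -> None:
    """Store only the salt and the digest; the password itself is never written down."""
    salt, digest = hash_password(password)
    user_table[username] = {"salt": salt, "digest": digest}


def login(user_table: dict, username: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    record = user_table.get(username)
    if record is None:
        # Hash anyway so that an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed users for the demonstration.
    users = {}
    register(users, "James", "abc1234")           # 7 characters
    register(users, "Cheryl", "correct-horse-9")  # 15 characters
    register(users, "JohnDoe", "monkey1234")
    register(users, "JaneDoe", "monkey1234")      # same password as JohnDoe
    for name, rec in users.items():
        # Same digest length for every user; same password, different digests.
        print(name, rec["salt"].hex(), rec["digest"].hex(), len(rec["digest"]))
    print("plaintext column would hold:", store_plaintext("monkey1234"))
    print(login(users, "JohnDoe", "monkey1234"), login(users, "JohnDoe", "monkey1235"))
```

Note that JohnDoe and JaneDoe chose the same password but get different salts and therefore different digests, which is exactly the property a plaintext or unsalted store lacks.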
Going Sideways
As computing power has increased, cracking hashes made with weak, unsalted algorithms has gotten easier. Attackers precompute “Rainbow Tables” of hashes and the passwords that created them, then simply look up each leaked hash. This gives the attacker a list of actual passwords, which he can now use at other sites. If the username and password you used at one site are cracked from that site’s breach, the attacker is going to try that combination at other sites. This is called Credential Stuffing. Stronger password-hashing algorithms, the deliberately slow, salted ones such as bcrypt, scrypt and Argon2, have changed the relationship between attackers’ computing power and security: precomputed tables don’t apply, and every single guess is expensive. It’s reasonable to assume that your bank, and other financial services companies, are using them. However, that protects THEIR stored passwords. It does not prevent an attacker from typing a password cracked from some other site’s weak store into your bank’s login page. That’s why you should not reuse your passwords.
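The attack chain in this section, as an added example that is not part of the original post: a precomputed lookup table (the idea behind rainbow tables, minus the hash-chain compression real ones use) cracks an unsalted leak with zero hashing, the same leak with per-user salts forces the attacker to hash every (user, guess) pair again, and the recovered pairs are then replayed against a second site’s login form. The wordlist, the users, the leaked rows, the fixed salts and the simulated second site are all constructed for the example; SHA-256 is used as the “weak” fast hash for clarity.

```python
import hashlib

# Constructed attacker dictionary (assumption); real wordlists hold millions of entries.
WORDLIST = ["password", "monkey1234", "letmein", "qwerty", "hunter2", "dragon"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. A fast hash is kept here only so the
    example is quick; a real site should use a slow KDF such as bcrypt or Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once; the table is reusable against every
    unsalted leak. A rainbow table is a space-compressed form of this idea."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(leaked_rows, table):
    """leaked_rows: [(user, hexdigest)] from a site that hashes without a salt.
    Each row costs one dictionary lookup and no hashing at all."""
    return {user: table[digest] for user, digest in leaked_rows if digest in table}


def crack_salted(leaked_rows, wordlist):
    """leaked_rows: [(user, salt, hexdigest)]. The precomputed table is useless;
    every (user, guess) pair must be hashed afresh. Returns (cracked, hashes_computed)."""
    cracked, work = {}, 0
    for user, salt, digest in leaked_rows:
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, work


# --- constructed leak from "Site A", which stored unsalted SHA-256 ---
SITE_A_PASSWORDS = {"john": "monkey1234", "alice": "hunter2", "bob": "Tr0ub4dor&3!"}
SITE_A_LEAK_UNSALTED = [(u, unsalted_hash(p)) for u, p in SITE_A_PASSWORDS.items()]

# --- the same users if Site A had salted (fixed salts so the run is reproducible) ---
SITE_A_SALTS = {"john": b"\x01" * 8, "alice": b"\x02" * 8, "bob": b"\x03" * 8}
SITE_A_LEAK_SALTED = [
    (u, SITE_A_SALTS[u], salted_hash(p, SITE_A_SALTS[u])) for u, p in SITE_A_PASSWORDS.items()
]

# --- "Site B" (think: the bank). Its salted store is never leaked; the attacker
#     only ever reaches its login form. john reused his Site A password, alice did not.
_SITE_B_SALTS = {"john": b"\xaa" * 8, "alice": b"\xbb" * 8}
_SITE_B_STORE = {
    "john": salted_hash("monkey1234", _SITE_B_SALTS["john"]),
    "alice": salted_hash("correct horse", _SITE_B_SALTS["alice"]),
}


def site_b_login(user: str, password: str) -> bool:
    """Simulated login endpoint of the second site: the attacker's only interface to it."""
    if user not in _SITE_B_STORE:
        return False
    return salted_hash(password, _SITE_B_SALTS[user]) == _SITE_B_STORE[user]


def credential_stuffing(cracked, login):
    """Replay each recovered (user, password) pair against another site's login.
    Returns the sorted list of users whose reused password let the attacker in."""
    return sorted(u for u, pw in cracked.items() if login(u, pw))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted leak, cracked by lookup:", crack_unsalted(SITE_A_LEAK_UNSALTED, table))
    cracked, work = crack_salted(SITE_A_LEAK_SALTED, WORDLIST)
    print("salted leak, cracked by brute force:", cracked, "after", work, "hashes")
    print("accounts opened at Site B by credential stuffing:", credential_stuffing(cracked, site_b_login))
```

Two things to notice: with salts the attacker’s work grows with the number of users times the size of the dictionary (13 hashes here, instead of 3 lookups), and bob’s strong password survives both attacks, yet john still loses his Site B account because he reused a password that another site stored badly.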
What Should You Do?
Should you have a different password for everywhere you go? Yes. Yes, you should. How can you possibly remember them all? You can’t, if they’re good, strong passwords. The tool you need for this is a password manager, and I wrote about a couple of them here. You should let the password manager create your passwords for you, and you should listen to it when it tells you that the password it imported from your Word document or your browser matches three other passwords you’re using, and you should go to those sites and change those passwords.
You should also go to a site called Have I Been Pwned, and yes, I spelled that correctly. Troy Hunt maintains a list of compromised email addresses and the breached sites with which they were associated. You don’t need to stop using those sites. However, you should make note of everywhere your email address has been compromised, and go and change those passwords immediately.
There are alternatives to username/password combinations in large enterprises, but for websites, it is going to be a long time before we see widespread implementation of any alternative. Until then, the best we can do is use a password manager, let it create passwords for us, and avoid reusing passwords.