I was in a discussion about passwords a few days ago when somebody mentioned that it was a good idea to change your passwords frequently. That sounds good on the face of it, but if you have a strong password should you change it frequently? It’s that frequent changing that causes us to write them down or to select very weak passwords so we can remember them.
Come to think about it, what about the other rules? It must be eight characters or more, must have at least one capital letter, must have a numeric character, must have at least one special character… Wow, no wonder we write them down. It seems like every time I order something online I have to set up an account and create a new password. Last time I looked I needed slightly over one hundred passwords.
Who’s coming up with all these rules? Do they actually improve the security of your Facebook account? Watch enough movies and you wonder why bother: most of the time a well-trained hacker breaks your password in less than ten minutes. Hollywood may be stretching the truth slightly, but how long it takes is up to you. Use your pet’s name, your child’s name or a birthday and they probably can guess it in less than ten minutes. Use a well thought out password and the hacker will probably die of old age before they guess your password.
That’s not to say your account will never get hacked if you use a strong password. You can still fall for a phishing scheme, get infected by a key logging virus or use an open Wi-Fi that’s being monitored for passwords. In fact, you’re far more likely to be hacked by one of these methods than by someone guessing your password, as long as you are using a strong password.
What makes a strong password? Following all the rules doesn’t mean you will end up with a strong password. “Password10172001” follows all the rules but is fairly easy to guess, especially if you’ve posted your anniversary on Facebook (I will give you kudos for coming up with a way to never forget your anniversary). Understanding how your passwords work would certainly make it easier to come up with a strong password.
If every upper and lower case letter, all ten numeric characters and, for good measure, eight special characters are equally likely, you have seventy characters to choose from for each position in your password. That would give you 167,961,600,000,000 possibilities for your password. With a very fast machine capable of making 100,000 attempts a second, it would take 1828 years to attempt all possible combinations. Make it nine characters and you’re up to 128,000 years.
Feel safe? Unfortunately all those numbers give you a false sense of security. A hacker doesn’t have to guess all possible passwords, they only have to guess your password. While I’m fairly sure your password is not “1OiVjt2z”, starting at “00000000” our fast machine above could guess that in about 50 years. Think we’ll all be doing DNA samples by then? Maybe, but as I said, your password isn’t “1OiVjt2z” either. Statistically speaking there’s a much higher probability that it’s “Password” and that would be my second guess.
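The arithmetic behind these figures, as an added example that is not part of the post. It assumes the seventy-symbol alphabet the post describes (the eight special characters are my choice), a 365-day year, and a brute force that enumerates passwords in digit, upper, lower, special order starting from “00000000”.

```python
# Added example (not from the post): the key-space arithmetic behind the
# brute-force figures, with the alphabet and guess rates the post describes.
import string

# 26 lower + 26 upper + 10 digits + 8 specials = 70 symbols. The specials
# chosen here are an assumption; the post does not list them.
SPECIALS = "!@#$%^&*"
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase + SPECIALS
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Years needed to try every password of this length at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def rank(password: str, alphabet: str = ALPHABET) -> int:
    """Position of `password` when every string of its length is enumerated in
    alphabet order starting from "00000000": a sequential brute force reaches
    it after this many guesses, so a password starting with '0' falls early."""
    index = {c: i for i, c in enumerate(alphabet)}
    n = 0
    for c in password:
        n = n * len(alphabet) + index[c]
    return n


def years_until_guessed(password: str, guesses_per_second: int) -> float:
    """Years before an in-order brute force reaches this exact password."""
    return rank(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"8 symbols from {len(ALPHABET)}: {keyspace(70, 8):,} possibilities")
    for rate in (100_000, 10_000):
        print(f"  exhausted in {years_to_exhaust(70, 8, rate):,.0f} years at {rate:,}/s")
    print(f"9 symbols: {years_to_exhaust(70, 9, 10_000):,.0f} years at 10,000/s")
    pw = "1OiVjt2z"
    print(f"{pw!r} is guess #{rank(pw):,}: "
          f"{years_until_guessed(pw, 100_000):.1f} years at 100,000/s")
```

At 100,000 guesses a second the eight-character space is exhausted in about 183 years; at 10,000 a second it takes 1828 years, the figure the post quotes.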
If that failed the hacker would try your name, your family’s names, your pet’s name. You get the picture: they don’t have to use a brute force method, they only have to make a few educated guesses. Now you know why your account gets locked after a number of bad guesses. This is also the reason that delays are often introduced into the verification method. It’s really hard to make 100,000 guesses a second if it takes you a second per guess.
With a little common sense in picking your password it’s unlikely that you will fall victim to a frontal assault. You should never share your password or let anyone watch you enter your password.
Sorry, I know you would never share the password to your bank account but surely there’s nothing wrong with sharing the password to your HBO account. Think about the password you use for your bank account and the password you use for your HBO account. Do they have common words, a common format, numbers based on similar factors? These similarities make it much easier for someone to make some very good guesses about your bank account password.
It sounds like you have very little to worry about as long as you’re careful in your choice of password, and that would be true if the only way in was through the front door. As many of the people with eBay accounts are finding out, the hackers don’t always use the front door.
A few details might be helpful here. On a site with good security your password is not stored as a password, the hash of your password is stored instead. That’s why a site can’t send your password to you. All they can do is reset your account and give it a new password. What’s a hash? A hash is your password converted to a number in such a way that each hash represents one and only one password and can’t be used to regenerate your password.
When you type in your password, it’s converted to a hash that’s compared to the hash on file for your account. Simple, and your password is never exposed.
The thing about hashes is that it is really difficult to design one that can’t be reversed to recover the password while still producing one unique hash for each password. It’s far better to use one of the verified and standardized algorithms to generate a hash.
Here’s where the problems come in. When a site is compromised, the account names and hashes are taken. Hackers then compare the captured hashes to a list of hashes generated using a list of common words, phrases and numbers. This list is called a rainbow list and because multiple computers are adding to these lists all the time, relying on it taking fifty years to generate all the passwords up to yours is meaningless. Once they have the hash, if your password exists on a rainbow list, your account is as good as compromised.
Leetspeak, common misspellings, slang, all of these make their way to rainbow lists. If the server has been compromised and you’re using common words or names, your account is at risk. The numbers, uppercase letters and special characters are attempts to make rainbow lists useless. It works too, if you choose “pAS57swo!rd”. The hacker’s money is on you using “Password57!” and it’s probably in a rainbow list somewhere.
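How that plays out once a hash database is stolen, as an added example that is not part of the post. It builds a small precomputed list of hashes of common guesses (what the post calls a rainbow list, constructed here) and contrasts unsalted SHA-256 storage, which the list answers in one lookup, with a per-user salt and a slow key-derivation function (PBKDF2 here, an assumption; the post does not name an algorithm), against which the same list is useless.

```python
# Added example (not from the post): a precomputed list of hashes of common
# guesses (the post's "rainbow list") answers unsalted hashes with one lookup;
# a per-user salt plus a slow key-derivation function makes that list useless.
import hashlib
import hmac
import os
from typing import Optional

# Constructed guess list of the kind the post describes.
COMMON_GUESSES = ["password", "Password", "Password57!", "fluffy", "Password10172001"]
ITERATIONS = 100_000  # assumption; tune upward for your hardware

def unsalted_hash(password: str) -> str:
    """How a poorly designed site might store a password: plain SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(guesses) -> dict:
    """hash -> password, computed once and reusable against every site that stores unsalted SHA-256."""
    return {unsalted_hash(g): g for g in guesses}

def crack_unsalted(stolen_hash: str, lookup: dict) -> Optional[str]:
    """Recover the password with a single dictionary lookup, if it was ever precomputed."""
    return lookup.get(stolen_hash)

def store_salted(password: str) -> tuple:
    """Defensive storage: random 16-byte salt plus PBKDF2 with many rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def lookup_salted(digest: bytes, lookup: dict) -> Optional[str]:
    """The precomputed table never matches a salted digest, even for a guess
    it contains: the attacker would have to redo the slow KDF per user."""
    return lookup.get(digest.hex())

if __name__ == "__main__":
    table = build_lookup(COMMON_GUESSES)
    print("unsalted:", crack_unsalted(unsalted_hash("Password57!"), table))
    salt, digest = store_salted("Password57!")
    print("salted lookup:", lookup_salted(digest, table))
    print("login:", verify_salted("Password57!", salt, digest))
```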
Companies are supposed to inform you when they realize their server has been compromised but given that they were hacked, it might take them a while to realize somebody downloaded their customer database. Fortunately, in this case, numbers are on your side. The more uncommon your password is, the less likely it is to exist in a rainbow list.
Sometimes I have to admit I’m wrong: unless your password looks something like “sHaCe2K1kfI4Npbxw6Ke”, it is probably a good idea to change your password on a regular basis. Unless you can remember a hundred passwords with twenty random characters, you also need a secure way to remember your passwords. A slip of paper under your keyboard is probably not a good idea, even if you were tricky and wrote it down backwards. I use a password manager.
One last word of caution. Most accounts allow you to reset your account by sending an email or a message to your phone. Often they ask you some prearranged questions to verify who you are. It’s unfortunate that the answers can often be found with a little research. Once they have access to your email or cellphone, hacking the rest of your accounts becomes a matter of time.
Protect your phone, protect your email, strengthen your passwords; I don’t have enough readers to lose any of you to identity theft.
© 2014 – 2019, Byron Seastrunk. All rights reserved.
The number of passwords we need to get through the day is mind numbing so after reading your blog I spent, what I consider to be, an obscene amount of money on 1Password to help me harness this beast. I’ll let you know how it goes……
I guess using my grandson’s name and date of birth is bad? And all across all the places that need passwords?
Just joking, Byron, it is a good subject and people do need to be aware of all the online security they(we) can get.
Thanks for the reminder.