Passwords, it seems like everyplace you go on the Internet someone is asking for your password. It’s not bad enough that everybody and their brother wants you to set up an account with another password, they all have different rules for your password. Must be at least 10 characters, must have capital letters, must have numbers, must not have any repeating characters … The rules seem endless and by the time you have an acceptable password, you have to write it down and save it someplace secure, like in your wallet or under your keyboard.

Don’t forget that it needs to be different from the other two hundred passwords you have just in case this site gets hacked and they try your information on another site. When I’m trying to setup a bank account I appreciate the security. When I’m trying to order a pizza, it’s a hassle I can do without.

Then there’s my personal favorite, the security questions. In case you forget your password, they’ll ask you some personal questions that only you and all the people reading your Facebook page will know. Once you’ve established who you are, they reset your account and send you a new password. This works unless the hacker already has your computer or smartphone. Once your email account is hacked it’s all over.

At last count I had 108 different accounts requiring passwords.

Let’s step back just a moment to consider how your passwords are used. When LinkedIn got hacked, you saw a lot of articles saying that the hackers did not get the passwords, they got the hashes. A hash is a mathematical transformation of your password. If you assigned a number to all the characters in your password and then added all the numbers together, that would be a hash. That would be a very poor method to produce a hash because a number of different passwords could result in the same hash.

To avoid that, it’s highly, very highly, recommended that you use a standard,  proven algorithm to generate a hash. The folks that hacked LinkedIn probably had to run passwords through a number of different hash algorithms until they had a match. Now they had a password that would generate that specific hash and could be used for that account. In most cases a company will add a random number to your password (they call this a salt), so that different hashes result for the same password. This is where LinkedIn went wrong, they forgot to salt the passwords.

Without salt, everybody using Password123 ended up with the same hash, allowing the hackers to concentrate on the most frequent hashes. Get one password, you have 100 accounts. Here’s an important point, if is handling your account properly, they can’t tell you your password. They should only have the hash of your password, not the password itself. Their only option is to reset your password.

Your password is secure isn’t it? With a seven character password, if you guessed a 1000 passwords a second it would take about 32 years to guess all the passwords. So why force you to remember 10 characters? First, it’s unlikely that the hacker will have to try all the passwords before they come to yours.  Second, because of all the passwords you do have to memorize, you make simple on yourself. Your wife/child/pet’s name followed by a date or their age. A movie character and their birthday, the make and date of your car. Capital letter on the front, numbers on the end?

To save themselves time, hackers have already compiled lists of these possibilities and run the hashes. Want to use l337sp3ak? Excellent, the hackers would never think of that.  I’m guessing your passwords don’t look like nhyVWDNww0FToFzCjbkW (that’s an actual password from one of my accounts). If your password makes sense, it’s probably on a list somewhere.

On the other hand, I certainly can’t remember nhyVWDNww0FToFzCjbkW either. I use a password manager that allows me to store all my passwords under a master phrase. Of course if someone ever guesses my pass phrase, my life is over. There are several very good password managers out there. I use KeePass because there are versions of it that run under iOS, Windows 7 and Android. I store the encrypted database in my Dropbox folder and I can access accounts from all of my devices. Just remember, if you lose that passphrase or corrupt the database without a backup, you’ll be rebuilding your digital life for a long time.

It should go without saying that no matter how good your password is, you should never give it out without knowing who you’re giving it to. If someone calls you about your account with ThreeHorsesWest Bank, hang up and call the bank directly. If you get an email about your Tera account, delete it and go the Tera website directly. Never, ever, follow the link on an email where you might give account details.

According to my logs, over the last year there have been well over twenty thousand attempts to guess the password to this website and this website is nowhere near as important as your bank or email. These are not bored teenagers trying to have fun, these are carefully crafted programs trying all the entries in their database to guess your password.

I have a neighbor, we’ll just call him George today. I don’t know what George does except hang out at the local feed store but he’s got an idea for a password evaluation service. Send him your account name, password and the website URL. He will evaluate your password for free and let you know if you need a more complex password. I’m guessing he will be a millionaire or a permanent guest of the state before the end of the year. What do you think?


© 2013 – 2019, Byron Seastrunk. All rights reserved.

%d bloggers like this: