Passwords

The importance of using strong passwords should come up in any conversation about online security. Is a strong password alone enough to protect your accounts? No, but a weak password won't do you any favours either. We'll discuss what constitutes a "strong password" and how websites store passwords, and then we'll conclude with some recommendations for password managers.
The average person now has over 15 online accounts, ranging from social media such as Instagram and Facebook to email and online banking platforms. To deal with this major admin headache, users have resorted to using the same password for the majority, if not all, of their accounts. I'll admit I have been guilty of this in the past (don't judge). Naturally, the passwords are usually easy to remember, and that often means weak. Think CatDog1.
Length is what matters most in a strong password: 12 or more characters and you're on the right track, and mixing in capitals, symbols, and numbers helps further. The easiest way to create a strong password is to let a password manager generate one, which we'll touch on shortly. Another suitable method is to create a sentence, e.g. £76-"The dog chased the cat around the house".
As you can see, this is a massive improvement on CatDog1 and is not particularly difficult to remember. Having said that, you may be filled with dread at the prospect of having to type this out every time you want to gain access to your account. There's no rest for the wicked.
How are passwords stored?
An account provider with an understanding of good security practices shouldn't be storing passwords in plaintext. Plaintext means that anyone who accesses the database, including a hacker who breaches it, can see your password, unencrypted, in all its glory.
To deal with this issue, websites store a "password hash" instead of the password itself. A hash function turns an input of any length into a fixed-length digest, and the same input always produces the same digest. Good hash functions are one-way, meaning you cannot work backwards from the output to the input; once a password is hashed, it cannot be "un-hashed" by anyone. The only way to recover it is to guess candidate passwords, hash each one, and look for a match.
The website stores the hash on its server, and when you enter your password at login, it is hashed again and compared with the stored hash, eliminating the need to keep plaintext passwords. Two different inputs producing the same hash is known as a "hash collision"; this is a real weakness of old algorithms like MD5, but it is not the practical risk for password storage. The practical risk is speed: general-purpose algorithms such as SHA256 are designed to be fast, so an attacker holding a stolen database can test billions of guesses per second against it. Passwords should therefore be hashed with a function deliberately built to be slow and memory-hungry, such as bcrypt, scrypt or Argon2id, with a work factor tuned so that each guess costs the attacker real time. Fast hashes like SHA256 still have their place: you can use them to ensure the integrity of your files, which I'll cover in a future post.
Websites should also hash the password together with a "salt". The salt is a random string, generated fresh for each user and stored next to that user's hash; it is not a fixed suffix like +7623&" bolted onto every password, because a shared secret suffix protects nobody once the database and code are stolen together.
Because every user gets a different salt, two users with the same password end up with different hashes, so a leak of one tells the attacker nothing about the other. Salting also defeats rainbow table attacks, in which hackers generate large tables of precomputed hashes to compare with stolen databases: the precomputed values were built without the salt, so they match nothing, and the attacker is forced to attack each salted hash separately.
If the hacker finds a match between the rainbow table and an unsalted stolen database, they have the original password and can simply log into the account. Salting does not make a weak password strong, though: CatDog1 is among the first guesses an attacker will try, salt or no salt, and a slow hash only buys time against that guessing.
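To make the storage discussion concrete, here is an added example (not code from the original post) contrasting a bare SHA256 hash with a salted, slow hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt and Argon2id need third-party packages; the iteration count, the storage format, and the tiny "rainbow table" of common passwords are all assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value; raise it as far as your
# login latency budget allows - a slow hash is the whole point).
PBKDF2_ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """Unsalted, fast SHA256: the same password always gives the same digest,
    so a precomputed table cracks it instantly. Shown only as the 'before'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'iterations$salt_b64$hash_b64'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never a fixed suffix
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "{}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    iterations, salt_b64, hash_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(candidate, expected)


# Constructed "rainbow table": a handful of common passwords pre-hashed with
# unsalted SHA256, standing in for the billions of entries in a real one.
COMMON_PASSWORDS = ["password", "123456", "CatDog1", "qwerty"]
RAINBOW_TABLE = {naive_hash(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_hash: str) -> Optional[str]:
    """Against an unsalted database, cracking is a single dictionary lookup."""
    return RAINBOW_TABLE.get(stored_hash)


def crack_salted(stored: str) -> Optional[str]:
    """Against a salted, slow hash the attacker's only option is to recompute
    the expensive hash for every candidate, per salt. A weak password still
    falls; a strong one does not appear in the list at all."""
    for candidate in COMMON_PASSWORDS:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    weak = hash_password("CatDog1")
    strong = hash_password('£76-"The dog chased the cat around the house"')
    print("unsalted CatDog1 cracked by lookup:", crack_unsalted(naive_hash("CatDog1")))
    print("salted CatDog1 still guessed (slowly):", crack_salted(weak))
    print("salted passphrase guessed:", crack_salted(strong))
```

Note that two users who both choose CatDog1 get different stored strings because each call draws its own salt, and that `verify_password` reads the iteration count back out of the stored value, so the work factor can be raised later without breaking existing accounts.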
Password Managers
The key point to take away is to create a strong password and use different passwords for all your accounts. The problem now is remembering all the different passwords. This is where a password manager comes in.
There are two main types of password managers.
1) On-device managers - credentials are stored only on the device, so an attacker would have to compromise the device itself to access them. The downside is that your passwords are not synced across all your devices.
2) Cloud-based managers - credentials are stored in the cloud and can be synced to any device. Naturally, this puts your vault within reach of anyone who can breach the provider, which is why reputable providers encrypt the vault on your device with a key derived from your master password before it is uploaded, so the provider only ever holds ciphertext. Depending on the provider this can be a suitable option, but it is not without risk: LastPass, a major cloud-based password manager, suffered a breach in 2022 in which customer vault backups were stolen - simply google to read about the story.
For those using iOS who want a secure on-device password manager, consider Spectre, formerly known as Master Password. You create an account with a username and a master password. To add a password entry, you enter the name of your account provider or any other identifier, and Spectre then generates a password using a "stateless algorithm": passwords are not stored but calculated. The cool thing is that you can install the manager on any other device, input your username, master password, and account provider, and the same password is calculated again, no cloud storage necessary. The flip side is that your master password is now the only secret protecting every account, so it has to be a strong one.
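The idea of a stateless manager, "passwords are not stored but calculated", is worth seeing in code. The following is an added illustration written for this post, not Spectre's own algorithm or code: it derives a master key from the username and master password with PBKDF2, binds the site name and a rotation counter into a per-site key with HMAC, and maps the result onto a 64-symbol alphabet. The alphabet, iteration count, output length and the HMAC/SHAKE construction are all assumptions of the example.

```python
import hashlib
import hmac

# 64 symbols exactly, so taking a byte modulo 64 picks each symbol with equal
# probability (an assumed alphabet; real managers use per-site templates).
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789!?"
)
assert len(ALPHABET) == 64

MASTER_KDF_ITERATIONS = 200_000  # assumed work factor for the master key


def master_key(username: str, master_password: str) -> bytes:
    """Slow KDF over the master password. The username acts as the salt, so two
    people who happen to share a master password still get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.encode("utf-8"),
        MASTER_KDF_ITERATIONS,
    )


def derive_site_password(
    master_password: str,
    username: str,
    site: str,
    counter: int = 1,
    length: int = 20,
) -> str:
    """Deterministically compute the password for one site. Nothing is stored:
    the same (master password, username, site, counter) always yields the same
    password, and bumping the counter 'rotates' the password for that site."""
    key = master_key(username, master_password)
    # Bind the site identifier and counter into a per-site key; the newline
    # separator keeps ("abc", 12) and ("abc1", 2) from colliding.
    site_key = hmac.new(
        key, "{}\n{}".format(site, counter).encode("utf-8"), hashlib.sha256
    ).digest()
    # Expand the per-site key to the needed number of bytes, then map each byte
    # onto the alphabet. Because 256 is a multiple of 64 there is no modulo bias.
    stream = hashlib.shake_256(site_key).digest(length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in stream)


if __name__ == "__main__":
    master = '£76-"The dog chased the cat around the house"'
    for site in ["example.com", "bank.example", "mail.example"]:
        print(site, derive_site_password(master, "alice", site))
    print("rotated:", derive_site_password(master, "alice", "example.com", counter=2))
```

Two caveats a practitioner would want spelled out. A 20-symbol password from this alphabet is strong, but nothing guarantees it contains a digit or a symbol for sites that demand one, and a site that issues you a password (or forces a reset) has no slot here at all; real stateless managers handle this with output templates and small amounts of per-site metadata. And because every site password is a pure function of the master password, changing the master password changes all of them at once, and a master password that leaks gives the attacker every account with no server to breach.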
For those wanting a cloud-based manager, consider Bitwarden. Bitwarden is open source, and your vault is encrypted on your own device with a key derived from your master password (using PBKDF2 or Argon2id) before anything is uploaded, so the cloud only ever stores ciphertext and a hash of your master password, never the password itself.
Happy Passwording.


