Ad Hide

All about passwords

Table Of Contents

Everyone uses accounts every single day; people share their thoughts, pictures, political views, and probably way to much for any soul to see on social media. We bank and do our taxes online, watch movies, play games, etc. And with all these accounts comes passwords. But we humans are a lazy bunch, trying to find the easiest way to remember passwords. The truth is, there is no easy way to remember passwords. The best password is one you can't remember.
A popular and very true statement on Reddit says: "If the media stopped saying "hacking" and instead said "figured out their password", people would probably take password security a lot more seriously".

One question always comes to mind when talking about password security: Why? Why would I have to go through all this trouble for my passwords? - I'll try to answer this question for two kinds of people reading this blog post.

Developers: If you really need to ask the 'why' question, you probably shouldn't be working with any kinds of user data. That being said, password security is of the utmost importance when developing websites, hosting servers or storing user data. When you maintain a website where people can enter their own data they trust you, and you are legally bound by data protection laws to do everything you can to prevent data breaches.

Anyone else: First of you don't want people having your personal data, period. Identity theft is a real thing happening more than any of us realise. It's also very dangerous and has ruined lives in the past. This all sounds very extreme and will hopefully never happen to you. BUT if someone is dead set on ruining your day, weak passwords are a great(?) place to start. Second, don't expect that every website has cutting edge security. Company's like Facebook and Google pay top dollar to white hats finding user data leaks. But talking out of experience, anyone can create a website but only a good and experienced developer can create a secure one. Think twice before entering every bit of personal information on that new website you just discovered.

How do they do it?
There are generally speaking two ways of gaining access to someone's account. (There are way more but that's a story for another time)

Brute Force
As the name implies they will be using 'brute force'. Essentially trying over and over again until they find the right password. Depending on the implementation, this can be a very long process. Modern sites prevent brute force attacks by adding limits to the amount of times you can try to log in, rendering brute force attacks useless. However, if Trudy gains access to the hashed passwords - more on this later - she can compare the hashed passwords with words from the dictionary or pre-generated lists of commonly used passwords (rainbow tables). But when developers use strong salted hashing algorithms which take a few hundred milliseconds to hash a string on current hardware, which on it's own is quick enough but in computer terms it's a lifetime. Again, rendering brute force attacks pretty much useless. (well, theoretically it's still possible but it could take lifetimes even on high-end hardware with strong passwords)

Social Engineering
Social Engineering is the psychological side of hacking. When systems become to advanced to hack/crack, humans are the weakest link in the chain. SE is the act of convincing a victim to reveal confidential information. Ofcourse, if you ask someone "What is your Facebook password?", you would probably have a 0% success rate. But if you create a chrome extension that gives users some neat features on Twitter whilst sending their login credentials to yourself, you will have a much higher success rate.

A more interesting side of Social Engineering is the act of figuring out a victims password by looking at their personal lives, or in this day and age looking at the victims social media accounts. This works incredibly well because as I said before, people are lazy. When choosing passwords most people will be looking at their environment for inspiration. For example, Alice is registering for a website where the password requirements are minimum 8 characters long, at least one capital and one number. Alice also has a dog named Blacky. And to make it longer and needs some numbers, she includes 123, so her new password is Blacky123.
When browsing Alice's Facebook, Trudy saves a lot of keywords and sorts them by popularity. She is also aware of the password restrictions and has a list of all the most popular number sequences. Then tries a few from the top of the list, which happens to be Blacky123. ( take a look at the most popular passwords taken from data breaches)

Words in general are to be avoided. They provide a false sense of security. When your passwords is "TerribleChosenPassword" you have a password with a length of 22 characters. Which on it's own is pretty impressive but because it's made up of three words it's essentially a 3(!) character password when cracking with an elaborate dictionary attack.

Some companies have good policies about passwords. They require employees to change their passwords every other month or so. However, this can lead to horrible habits. Employees writing down passwords on a sticky notes, or being printed for everyone to see.

Best Password Practice
  • Never use a password more than once
  • Never use words in your passwords
  • Always try to use special characters
  • Never write your passwords down, or save them in a plain text file, email, etc

All these requirements are easily solved by using a password manager. A password manager is a small program that generates long and secure passwords for you. It also stores and encrypts them for you and can be transferred to mobile devices as well. I personally use KeePass, a great, free, and open source password manager.

Everything up to this point everything has been about what you, as a user, can do to be as secure as possible. If you use a password manager correctly you are doing everything you can do as a user. From this point on it's up to the developers to do their job properly, so the rest of this blogpost is dedicated to the best password practices for developers.

Encrypting vs Hashing
We use encryption every day. It is the act of making data unreadable for anyone but the intended people. Encryption is very important and is the base of internet privacy. The best example of encryption is SSL, without SSL everyone in the same network would be able to see your network traffic. Essentially the same as entering a Starbucks and shouting your credentials to everyone connected to their wifi. But be carefull, not every website uses SSL yet. You can see if websites use SSL if their url starts with https:// or if a website has a green lock next to the url (take a look at this websites url).
The point of encryption is being able to retrieve the original message with a private key, this makes it not suitable for password storage. There is no need for a developer to retrieve the original password. You could be using encryption and be relatively safe, but that's just bad practice and can be catastrophic if the private key falls in the wrong hands.

Hashing on the other hand is the act of converting data into a relatively fixed length string. The key difference with encryption is that you are unable to retrieve the original message from hashed data. It is used to compare data with a known hash to see if said data has changed or not. With this we are able to compare a users password with a stored version of said password without using the actual passwords. Hashing is also used when downloading large chunks of data, for example Linux distros. You will always find a hash next to the download button so you can confirm the file has been downloaded correctly. Another requirement for a good hash function is that when even a single bit is different between two files the hash should be completely different.

When talking about hashing you should know about salting as well. A salt is a random generated string that's added to the original password string so the password is longer and therefore more secure. If Trudy somehow gets a hold of the hashed passwords and salts, she will be unable to use rainbow tables or dictionaries to retrieve the original password. And if a strong hashing algorithm is used, will never be able to figure out the original password. Every salt should also be unique to every user, this means that even if Alice and Bob use the same password the hashes will be completely different.

The main problem of hash functions is that when for example md5 was invented it was a cutting edge hash function and was implemented literally everywhere. But now hardware is much faster and after the discovery of some vulnerabilities in md5 it is basically worthless (as is it's accessor SHA1, which first hash collision has recently been calculated). The main problem with these compromised hash functions are hash collisions. This is when two datasets have the same hash. When for example Alice and Bob have a hash to verify if a message hasn't been tampered with, but Trudy intercepts this message, changes the message and generates a hash collision then sends it to Bob. Bob will then confirm the hash is correct and believe the message.

All hash functions are inherently vulnerable to hash collisions, this is due to the 'Pigeonhole principle'. Which states that if you have more pigeons than holes to put them in, you will eventually have to cram multiple pigeons in the same hole. The same applies to hash functions because we are generating a fixed length string from any possible input. The difference between a secure hash function and an insecure one is that it will be magnitudes more difficult for a computer to generate these hash collisions.

Hash Functions
At the time of writing this post these are the most secure hash functions in order of most secure first. All of these are very secure and you should always look up a recent tutorial for your programming language. I will try to update these lists as new hash algorithms surface and others perish.
  1. Argon2
  2. scrypt
  3. bcrypt
  4. PBKDF2
  5. SHA3
You should be avoiding these hash functions:
  • MD5
  • SHA1
  • SHA2
Your data is what determines the worth of today's tech companies, it is the gold of the computer age. Protect it like you would protect your gold.

Get notified!

Join the list and get notified when new blog posts are added!