How Safe is your password?
What brings me to ask this question? Well, I recently started my journey towards becoming a Software Developer and during one of my first lectures at the Flatiron School, my teacher showed us a neat little trick to compromise your potential password.
The concept was simple enough, do not store something, such as your password as plain text, and rather leave it open and encrypt-able. This was not new information, but I was finally starting to see how easy it could be to hack into someone’s account using very little effort. So, for my first blog post, I decided to dive into the topic of password safety.
Keeping your information private, it’s a never-ending source of anxiety. As technology expands further into our daily lives, passwords have become an essential element of our security hygiene. In layman’s terms: if you’re using only one password for all of your accounts, you are at risk of being hacked. So, how many passwords should one reasonable person have?
Number of passwords
In order to keep your information safe, it is best to keep different passwords for each separate account. Statistically, the average person has about three different passwords with varying strengths, usually in direct correlation with the amount of information being stored on the site. Like the average person, your twitter account will most likely have a less protective password than your email account. Your bank account hopefully has a different one from your email, and so on and so forth. So here comes the next question...
How many do we actually need, and how often should we update
Creating a new password every time you create an account builds up quickly. There are only so many memorable combinations of your favorite password, so what options do you have other than to write it down. (← this right here is where you start building bad habits) Writing your passwords down on a piece of paper has been compared to being about as safe as writing it down on paper, and displaying it from your front window. Experts suggest changing your password often, but that just adds extra annoyance to our online experience.
How often have you forgotten your password and needed to reset it? Did you even remember it the next time without jotting it down somewhere?
Keeping your passwords in your head simply isn’t realistic, and with approximately 1-40 different services/websites that require passwords, this leads to an increased need to re-set and re-use current passwords. Storing these passwords in unsecured files on your computer, or phone can also become problematic as there are malware programs designed to filter out files with the keywords “login” and “password.” I’m sure all Mac users have seen the browser generated pop-up password suggestions and rely on their machine to store and recollect this information, but they (the browser) are often targets of hackers and data breaches.
How exactly do hackers gain access to my password
Let's say there was a breach in Facebook. Your name, email and phone number were compromised along with a hash string of your password. Passwords are never saved as plain text within the database and are stored as encrypted hashes. So, in order to log in as you, the hacker needs to convert the hash back to plain text, which can be easy or close to impossible depending on the strength of your password.
The strength of your password is so important here because there is a way to crack simple passwords through a simple Rainbow Table which contains password hashes of numerous commonly used passwords and their plain text form. Here, the hacker can do a quick search and find out that the encrypted password hash actually matches that of a plain text password "123Text456". Scary stuff! Good news is, this table can only be used for the most common and simple of passwords.
On the next level up, we have Wordlist.txt, which utilizes a large wordlist and looks for matches. This is where the hacker can use the information you have provided about yourself to make a target specific search. The success/failure of this method lies in the quality of information you are implementing into your word list and how likely it is the user related their passwords to something in their life such as a pet, hometown, etc.
Finally, the big kahuna... BRUTE FORCE ATTACK! I just about fell out of my chair when I came upon this method. Here, each possible combination of letters, symbols, and numbers are converted into a hash form and compared with the password hash needing to be hacked (AKA yours) Once again, do not fret! This method, although able to hack any password can literally take F O R E V E R, and by that, I mean that the computer will estimate thousands of years to crack the code. Pffew!
If you feel like experimenting around with different password strengths you can check out how noticeable your needle is in the haystack.
https://www.grc.com/haystack.htm
Tools to help manage your passwords
So, let's make it a goal to ditch the notes, the half encrypted files in our computers or phones, and get some peace of mind with a password manager to secure your digital life. With a quick Google search, I came up with a quick list of potential managers to help you stay on top of your online security
Suggestions
From my research, I have concluded that the best option for optimizing online safety is relying on a password manager. Putting all your passwords in one location seems riskier, and like it would increase your vulnerability to malicious attacks, but there are pages and pages of articles defending such concerns. With multi-factor authentication and limitations to devices owned and registered to you, the access to your information has been greatly limited. I don’t use any of these, but figured I would provide you with a few companies to look into if you are interested in learning more about optimizing your password security.
-Keeper
-Blur
-Sticky Password
-Password Boss
-LastPass
And the list goes on...
I am inspired to start regularly changing my passwords to reduce my likelihood of being hacked, and I hope after reading this article you start thinking about adopting better password security methods.
So ask yourself, how many passwords do you use, and when was the last time you changed them.
Below are a list of links I referenced for my post:
https://www.cnet.com/news/the-best-password-managers-directory/
https://www.cyclonis.com/report-83-percent-users-surveyed-use-same-password-multiple-sites/
https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic
https://blog.malwarebytes.com/101/2017/05/dont-need-27-different-passwords/
http://project-rainbowcrack.com/
Top comments (4)
Great article. As I got tired of choosing a password, I made a simple python script that generates a random password with lowercases, uppercases, numbers and symbols. All I have to track is the seed to generate the password again. But I admit I'll be screwed if someone finds my script 😅
very curious now how various password-crackers use fuzzy string matching methods to predict likely password and/or cut down on processing time + power...
good read, thanks sofia!!
oooo yeah i might want a little demo from you on KeePassXC and why it's trustworthy to you :)
Awesome advice Brian! Thank you for adding that on.