Posted on December 6, 2018 by Greg Howley
The 2017 Equifax breach. 3 billion Yahoo accounts. 110 million credit cards from Target. 500 million Marriott guests. 165 million LinkedIn accounts. It seems like not a month goes by where you don’t hear about another huge data breach from a major company. And each time, millions of users have their information stolen. I’m sure you’ve heard time and time again that you shouldn’t use the same password on your email that you use for Amazon and your bank account. But it’s so hard to remember all those different passwords! And what’s the harm, really?
If you’ve registered at Marriott as JohnDoe@yahoo.com and you used the same password that you use for your Yahoo mail, it’s not difficult for anyone who gets that Marriott login to access your email account. From there, they can get into nearly anything. If they want to buy things using your Amazon account, they simply go to Amazon and click ‘Forgot my password’ and use your email to change the password to anything they want. Ditto your Netflix and HBO accounts, and now you can’t watch Game of Thrones and Stranger Things. They might even get into your bank account this way.
Let’s say you used a different password for Marriott than you use on your email. But you used the same password at Marriott that you use at Facebook. So your email is safe for now, but it looks like somebody took that list of email addresses and passwords that they stole from Marriott and ran it through a script that tried to log into Twitter, Facebook, and LinkedIn using those same credentials. (This is called credential stuffing, and it’s automated: the script doesn’t care which of the millions of stolen logins happen to work, only that a few percent of them do.) Now your Facebook account has been hacked, and 15 of your friends have been messaged that you’re stranded in London and you need cash quickly.
When you use the same password on every site, you’re putting all your eggs in the same e-basket. But remembering lots of different passwords is hard. You might find yourself resetting your password every time you log into NewEgg from a work computer, or when you try to stream Netflix from a new device. Then you have to go back and update the password on all your Netflix devices. It’s all so annoying. So what are your options?
Your Friend the Password Manager
Password managers such as LastPass or 1Password are many people’s go-to, and they work well. My wife has been using LastPass for years. I’ve also heard very good things about Dashlane, Enpass, and Keeper. Personally, I use an offline password manager on my phone called KeePassDroid. It’s encrypted such that even if anyone ever physically got my phone and logged into it, they still couldn’t get the passwords. I’m also able to keep my kids’ passwords in a separate categorized folder so that when they end up forgetting how to log into Minecraft, I can help out.
Aside from the password on your password manager, do you know what your most important password is? It’s not your bank account. It’s your primary email account. With that email account, a malicious user can reset all your other passwords. This is why you should enable two-factor authentication, starting with that email account.
Two-factor authentication uses an app such as Google Authenticator to provide you with a code, typically six digits that change every 30 seconds, derived from a secret the site shares with the app when you set it up (that’s what the QR code contains). Any time you log into your account for the first time on a new device, you’re required to provide that code as well as your password. Some services also allow you to set up two-factor authentication via text message. While this is convenient since you don’t need to install anything, it’s far less secure than an authenticator app: text messages can be read by anyone who talks your carrier into moving your phone number to their SIM, and the code is tied to the number, not to a device you hold.
Choosing a Strong Password
Everyone knows that you shouldn’t use “Password1” or “love1982” as a password. Twelve characters is a sensible minimum, and twenty is better. But that doesn’t mean the password needs to be difficult to remember. The infamous CORRECT HORSE BATTERY STAPLE comic from xkcd is a great example of how the hardest passwords for humans to remember can be easier for computers to guess. You don’t need to use hard to remember passwords such as “h4rD_to-r3M3Mbr_pA55w0rd.” Instead, use a passphrase like “correct horse battery staple,” which is twenty-eight characters long, spaces included. Also, any time you’re forced by everyday life to memorize a random number or letter sequence such as an employee ID number or a license plate, that makes for a great password snippet. Your password could be “myplate=993HUD” or “lived @ 123 sesame st.” To make it extra secure, add or remove characters: “lived @ 123 esame s” or “lived @ 123 sesme str.” Putting your actual past address in a password probably isn’t a great idea, but if it’s mashed in the middle of enough other stuff, you’re probably good.
Having non-dictionary words in your password such as “sesme” helps against dictionary attacks, which guess from lists of real words and previously leaked passwords rather than trying every possible string.
Of course, if you’re using a password manager that auto-fills or pastes in your passwords, then randomly generated 20-character passwords are hard to beat. You’ve just got to make sure you’ll never be in a spot where you’re without the password manager and might need to log in.
To flip this whole thing, you know how workplaces make you change your password every 90 days? I memorized both my daughters’ social security numbers by using a portion of them as a snippet of my work password a few years back. So if the SSN was 123456789, I made my password “456789 GAMEOFTHRON.” Then I’d have to change the password and make it something like “456789 LUKECAG”. After typing that 15 times a day for six months, I had it memorized.
Rainbows and Hashes and Salts, Oh My!
If you’re the kind of geek that I am, you might find the technical end of the whole password business interesting. A well-run website doesn’t actually store your password in plain text in its database. Instead, it stores a “hashed” version. This means that it pushes your password through a cryptographic hash function. This type of one-way function always produces the same result for the same input, and cannot realistically be run backwards. So your password of “Qyut-kitn” might always come out as “_u&,Qdwkw2j^” (a real hash is a long fixed-length string of hex digits, but the idea is the same). The database stores only that nonsense hash. When you go to log in, the system takes the password you typed, hashes it the same way, and if the result matches the hash it has stored, you’re authenticated!
One way hackers fought back against this is by precomputing the hashes, using something called rainbow tables. If a password is six characters of lowercase letters and digits, there are about 2.2 billion possible combinations (36 to the sixth power), and establishing a database with a few billion entries isn’t difficult. The simplest version is a lookup table with a row for every possible password and its hash; a true rainbow table stores chains of hashes instead, which covers the same passwords in a fraction of the space at the cost of some computation per lookup. Either way, once you have a table covering every six-character password, finding the password behind a stolen hash is trivial. And those hashed passwords are often part of data breaches.
And so security experts began salting their hashes. They attach a different random string, the salt, to each password before hashing it. So when I sign up for my hotmail account with my password “WARMACHINEROX,” they might generate “6^bb1n*IlS`” and store that, in the clear, beside my username. Every time I log in, the site attaches the stored salt to what I typed, hashes the result, and compares it to the stored hash of “6^bb1n*IlS`WARMACHINEROX.” Now, even if hackers get the resulting hash, the precomputed table is useless to them: every user’s hash was built from a different input, so the attacker has to start guessing from scratch for each stolen hash. Note that salting only defeats the precomputation; a single weak password can still be guessed quickly, which is why sites should also use a deliberately slow hash function such as bcrypt, scrypt, or Argon2, making every guess expensive.
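To make the last three paragraphs concrete, here is an added example (not code from the original post) that plays both sides: it builds the attacker’s precomputed table as a plain lookup table (the simplest form; a real rainbow table shrinks it with hash chains), cracks an unsalted hash with one probe, shows the same table failing against a salted hash, and finally stores the password the way a site should, with a random salt and a deliberately slow key-derivation function. The candidate wordlist is constructed for the example, the salt is the one the post made up, and PBKDF2 is used because it ships in Python’s standard library; bcrypt, scrypt, or Argon2 would be the usual production choice.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the leaked-password lists attackers really use.
# Nothing here is a live credential (the post's own made-up passwords are included).
COMMON_PASSWORDS = ["Password1", "love1982", "123456", "letmein", "Qyut-kitn", "WARMACHINEROX"]


def unsalted_hash(password: str) -> str:
    """The naive scheme: hash of the bare password, stored as hex."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Attacker's precomputation, done once and reused against every breach:
    each candidate hashed once, indexed by its hash."""
    return {unsalted_hash(p): p for p in candidates}


def crack_with_table(table: dict, stored_hash: str):
    """One dictionary probe per stolen hash. Returns None if the hash isn't in the table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Salt attached in front of the password before hashing, matching the post's example."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted_by_guessing(candidates, salt: bytes, stored_hash: str):
    """With the (non-secret) salt known, the attacker must rehash every candidate
    for this one user; none of that work transfers to the next stolen hash."""
    for p in candidates:
        if salted_hash(p, salt) == stored_hash:
            return p
    return None


# Storing it properly: random per-user salt plus a slow KDF so each guess is costly.
# 600,000 iterations is OWASP's 2023 figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What the database row should hold: salt, work factor, and the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_record(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and work factor; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = unsalted_hash("WARMACHINEROX")
    print("unsalted hash, table lookup:", crack_with_table(table, stolen))

    salt = b"6^bb1n*IlS`"  # the post's illustrative salt
    stolen_salted = salted_hash("WARMACHINEROX", salt)
    print("salted hash, same table:", crack_with_table(table, stolen_salted))
    print("salted hash, per-user guessing:", crack_salted_by_guessing(COMMON_PASSWORDS, salt, stolen_salted))

    rec = make_record("WARMACHINEROX")
    print("pbkdf2 verify right/wrong:", verify_record(rec, "WARMACHINEROX"), verify_record(rec, "Password1"))
```

The salted lookup fails not because the salt is secret (it sits next to the hash in the same stolen table) but because it changed the input, so no precomputed row matches. The per-user guessing loop still finds “WARMACHINEROX” because it is in the wordlist; that is the residual risk the slow KDF addresses, by turning each of those guesses into a few hundred thousand hash operations instead of one.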
Please keep in mind that I’m not a network security professional. Although I find this all fascinating, I’m far from an expert. If you’ve read this far, you might find Cory Doctorow’s 45-page speculative fiction story Knights of the Rainbow Table to be of interest. It’s about an independent group that builds a massive rainbow table and brings about the end of passwords as a useful security methodology.
No actual passwords have been used in this article. Except for Rhodey’s password. That one is real.