Passwords. Our access to the internet, to the services we need every day …. and a hindrance when we can’t remember them or we have to reset them. And when we do, we have to use upper case, lower case, numbers, symbols and it must be at least 8 characters long….it seems just too much at times.
But passwords are important. They are our security. They protect our data – they safeguard our money and identity.
Safeguarding your passwords
A lot of work goes into safeguarding your passwords, or at least it should. It seems that several times a year there is a story of a hacker getting hold of a database (usually from a large organisation) where the passwords are readable – they have been stored in plain text.
Most protection is based on time. If we can make the process of cracking a password too long to be profitable then it is reasonably safe.
Hashing Passwords
Secure systems, don’t store your password either in plain text or encrypted. This is why you have to reset your password as it can’t be retrieved. What is stored is a hash value of your password.
A hash function is a function that will take some arbitrary data, such as your password, and map it into a fixed-length value. For passwords, a one-way hash function is used – usually a cryptographic hash function. This means that while you can calculate the hash value from a password you cannot work out what the password was from the hash value. Also the output is hard to predict.
the hash of the SMXI (using a hash function called scrypt is: f84162196901216473984f4d2490928e while SMXi is: 008051bff7e24047bf56e331c804b5ff
If the database that stores your password is compromised, the hacker cannot simply read your password. Even if they know the hash function used they will have to hash a huge number of passwords (know as a brute force attack) to find yours. As the hash value is a fixed-length it cannot even be used to work out how many letters there are.
This adds quite considerably to the time taken to break a password.
Rinse and Repeat
This is not the end of it as the password is hashed many times to get the final value. The password is put through the hash function and the result is hashed again, and that result is hashed again …. and so on.
In fact, in hashing your password to store it or for validation time isn’t important (you probably won’t even notice a few milliseconds), but for slowing up a brute force attack it is critical.
Salt and Pepper
One issue is that if 2 people share the same password then the stored password hash will be the same for both. An additional problem is that password crackers also use Rainbow Tables (these are pre-computed hash values that speed up the cracking process).
The answer to both these problems is the use of a Salt. This is some random text added to your password and is different for each password. So rather than simply hash “MyPassword” we would ‘salt’ it “xjv5$1.MyPassword”. This means that people with the same password would have a different hash stored in the database as they would each have a unique Salt.
Peppering works in a similar way but rather than have a unique value for each password it is the same for all. The difference is that it is secret and stored externally to the database, say within an application.
So my passwords are safe then?
While developers do what they can to safeguard your passwords it is up to you to help. Common passwords shouldn’t be used. A recent analysis found:
- 0.5% of users have the password password;
- 0.4% have the passwords password or 123456;
- 0.9% have the passwords password, 123456 or 12345678;
- 1.6% have a password from the top 10 passwords
- 4.4% have a password from the top 100 passwords
- 9.7% have a password from the top 500 passwords
- 13.2% have a password from the top 1,000 passwords
- 30% have a password from the top 10,000 passwords
I won’t get into complex password rules here but will say that size is everything. The longer your password the more secure it is. In a straight fight between length and complexity (upper case, lower case, number, and symbol) length wins every-time.