In this digital day and age, most of us know what a password is. It is a secret key or phrase that lets you access content you would otherwise not be able to reach. If you are online reading articles on passwords, you probably have a social media account or an email ID and you just want to know how to keep your account safe. But before we talk about safety and security, let’s see things from a criminal’s point of view and look at how hackers can crack your password.
Nowadays, most large corporations don’t store users’ passwords as plaintext (human-readable format) on their servers. What they do is take the human-readable plaintext passwords and transform them with a hashing (or encryption) algorithm. If that algorithm turns out to be weak, the stored passwords can be cracked fairly easily. An odd fact is that a dump of hashed passwords sells for more than a dump of plaintext passwords. Can you guess why? Because in the modern world, websites that store passwords in hashed form generally hold more sensitive content, and thus give hackers better avenues to gather sensitive information about you and the data in your account.
To better understand how to keep strong passwords, we need to understand the various techniques through which hackers can get access to your passwords:
- Physical access: In this method, the attacker may see you typing your password or get access to some diary/log/journal where you have written down your passwords.
- Brute Force attack: This is the simplest but the most time-consuming technique that hackers use for obtaining passwords. It is mostly used when every other password cracking technique fails. Here the password cracking program tries every possible combination of numbers, letters and special characters like @!@#$%^&* to crack the password. This technique may not be very practical if the password contains different types of characters (e.g. lowercase letters, UPPERCASE LETTERS, numbers from 0-9, special characters like @!@#$%^&*). Nowadays, about the only time a brute force attack works is when the attacker uses a rule-based attack, where the attacker predefines some rules for the program, such as the length of the password, the number of upper case/lower case characters, the number of special characters and so on. Such rule-based attacks are mostly seen against compromised bank statements and government data.
- Rainbow Tables: Let’s assume you have an account with company X, which stores its passwords in a hashed format. Whenever you log in with a human-readable plaintext username and password, their system uses an algorithm to convert your plaintext password into a hash and tries to match it with the pre-existing hash in their database. If the two match, you are logged in. Now let us say that somehow company X’s password database gets leaked. The first thing hackers will do is run the leaked hashes through a rainbow table. A rainbow table is a table containing a list of commonly used plaintext passwords and the corresponding hashed form of each password. Most of us use the same password on different sites, so if the attacker gets your credentials from company X he can always log into your PayPal account if you are using the same credentials there.
- Dictionary attack: In a dictionary attack, the attacker uses a dictionary of commonly used passwords and runs them through a password cracking tool. This is much faster than brute force since it tests only a list of the most commonly used passwords. Here’s a mental exercise for you: how do you think attackers find out the passwords most commonly used by people?
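To make the rainbow-table idea concrete from the defender’s side, here is an added example (not code from the original post) using a simplified precomputed lookup table rather than true rainbow chains. It shows why a leaked dump of unsalted hashes falls to a table built once from a small dictionary, and why a random per-user salt makes that table worthless. The `COMMON_PASSWORDS` list and the leaked dump are constructed sample data; SHA-256 is used only for illustration, and a real system should use a slow password hash such as bcrypt or Argon2.

```python
import hashlib
import os

# Constructed sample standing in for a dictionary of commonly used passwords;
# a real table would hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {sha256_hex(p.encode()): p for p in candidates}


def crack_unsalted(dump, table):
    """dump maps username -> unsalted sha256 hex. Returns the users whose
    hash appears in the precomputed table (i.e. the weak passwords)."""
    return {user: table[h] for user, h in dump.items() if h in table}


# Defence: a random per-user salt means the same password hashes differently
# for every user, so one precomputed table no longer matches anything.
def store_salted(password: str):
    salt = os.urandom(16).hex()
    return salt, sha256_hex((salt + password).encode())


def verify_salted(password: str, salt: str, stored_hash: str) -> bool:
    return sha256_hex((salt + password).encode()) == stored_hash


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed leak: two users with weak passwords, one with a passphrase.
    dump = {
        "alice": sha256_hex(b"password"),
        "bob": sha256_hex(b"qwerty"),
        "carol": sha256_hex(b"correct horse battery staple"),
    }
    print(crack_unsalted(dump, table))          # alice and bob are recovered
    salt, h = store_salted("password")
    print(h in table)                           # False: salt defeats the table
```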
So, now the question is: what is the best way to choose a secure password?
- Password length: Password length matters when the attacker is running a brute force attack. If your password is 8 characters or fewer, it can be brute-forced by powerful machines. Passwords with higher complexity (the amount of information in them, such as uppercase, lowercase and symbols) are relatively safer. You also have to make sure that your password can’t be cracked using a dictionary attack. Long story short, don’t use common words in your password.
We found an interesting infographic on XKCD’s site which describes how to choose a better password.
From the image above you can clearly see that using a short password and replacing some letters with special characters didn’t increase its complexity much, and it is harder to remember. Using four common long words and just adding spaces increased the complexity. But then again, that password is still vulnerable to something called a rule-based dictionary attack.
- Diceware: The roll of a die may sound random, but nothing is truly random. Rolling a die is pseudo-random and hard to guess as well. There is a website, “The Diceware Passphrase Home Page”, established by Reinhold. The Diceware list has 7776 words, one for each of the different combinations of five dice rolls. So when you want a passphrase for yourself, you just roll an unbiased die five times and look up the word listed for that combination. But as the list can also act as a dictionary, users are advised to roll the die multiple times and build a passphrase from at least four pseudo-random words.
Which of these methods ensures better security?
You can always use Diceware and add random special characters to make it harder to brute-force, but a random passphrase generator can do that for you if you trust the computer; alternatively, you can always generate a random string on your computer.
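The following is an added example (not the Diceware project’s own code) that implements the five-dice lookup described above and puts numbers on the length-versus-complexity point made earlier: each word drawn from a 7776-entry list contributes log2(7776) ≈ 12.9 bits of guessing entropy when the attacker knows the list, so four words give about 51.7 bits, roughly the same as an 8-character password drawn from all 95 printable ASCII characters. The `WORDLIST` here is a constructed placeholder of the right size; substitute the real list from the Diceware home page. The dice are simulated with Python’s `secrets` CSPRNG rather than physical dice.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries, the size of the Diceware list

# Constructed placeholder standing in for the real 7776-word Diceware list.
# Index i holds the word for the i-th five-dice key in lexical order,
# "11111" .. "66666".
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_key(rng=secrets) -> str:
    """Roll five dice with a CSPRNG and return the key, e.g. '31254'."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Map a five-dice key to its 0..7775 list position (base-6, digits 1-6)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def lookup(key: str, wordlist=WORDLIST) -> str:
    return wordlist[key_to_index(key)]


def passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """n_words independent five-dice rolls joined by spaces (at least four)."""
    if n_words < 4:
        raise ValueError("use at least four words, as the Diceware page advises")
    return " ".join(lookup(roll_key(), wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Guessing entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length/alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(5))
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {passphrase_entropy_bits(n):.1f} bits")
    print(f"8 random printable chars: {charset_entropy_bits(8, 95):.1f} bits")
```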
The following are some general tips for making a strong password:
- DO use a combination of UPPERCASE, lowercase, numbers and special characters.
- DO NOT use short passwords (make sure it is at least 8 characters long).
- DO NOT use commonly used words as passwords.
- DO NOT use your name, date of birth or other identifiable information as password.
Apart from this:
- DO change your passwords regularly.
- DO NOT use the same password across multiple websites.
- DO NOT share your passwords with others.
- DO NOT write down your passwords anywhere.
One point needs to be made here: you won’t be able to remember such “strong passwords” for all your different websites, and that’s where password managers can help you. Read more about password managers by clicking here.
For more posts in The Cyber Cops project, click here.