Passwords and security – why is it so hard to get it *right*?

I don’t understand why passwords and password management are so difficult for people…truly I don’t. Passwords are part of our everyday lives. We use passwords for so many things in our day-to-day lives – to access our email, to access social media websites, to log on to our personal and work PCs, to buy goods using our debit and credit cards.

Why then is it so hard for people to understand that passwords are incredibly important to get right and to keep safe?

There have been a number of discussions on websites I read, including Reddit and Twitter, regarding password security. A lot of this has been based around a number of high-profile hacks that have occurred over the last year or so (such as the recent disclosure that eBay had been hacked) and the possibility of password hashes being stolen, particularly unsalted ones, which makes the original passwords much easier to recover.

Now, I realise I may have lost some of you…not all of you are in IT, not all of you who read this are geeks like me, so bear with me. I’m about to explain what my above sentence means in plain English that I’ve borrowed from Simple Wikipedia.

Quoting:
“A cryptographic hash function is a transformation that takes an input (or ‘message’) and returns a fixed-size alphanumeric string, which is called the hash value (sometimes called a message digest, a digital fingerprint, a digest or a checksum).

The ideal hash function has three main properties:

  • It is extremely easy to calculate a hash for any given data.
  • It is extremely computationally difficult to calculate an alphanumeric text that has a given hash.
  • It is extremely unlikely that two slightly different messages will have the same hash.” (http://simple.wikipedia.org/wiki/Cryptographic_hash_function)

Salting passwords can provide some measure of assistance. Pulling from an explanation that a lovely gentleman by the name of Martin Suecia has given:

“A salt is simply added to make a common password uncommon. A salt value is generated at random and can be fairly small, the only purpose is to lower the probability that the hash-value will be found in any pre-calculated table. A common way to combine the salt and the password is to simply concatenate them, i.e. the stored hash value is Hash(salt||password). The common password password1 now magically becomes, e.g., 6$dK,3password1 and is very unlikely to be found in a table.”
(http://crypto.stackexchange.com/a/2010)

So stealing hashes isn’t too bad, you’d think. If they’re not reversible, it’s not too much of a concern, right?

BZZZZZZT – Wrong.

Not all sites use salts in their password hashes, and it is possible to recover a password from its unsalted hash using rainbow tables. A rainbow table is “…a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.” (http://en.wikipedia.org/wiki/Rainbow_table)

This isn’t a good thing. It means that if your password is simple enough (e.g. password1), someone can recover it from just the hash. So even if a website stores only the non-reversible hashes of your password, someone with a rainbow table can still get your plain-text password from them.
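To make the hash, salt and lookup-table point concrete, here is an added Python example that is not from the original post. The “precomputed table” is a constructed five-entry stand-in for a real rainbow table, and PBKDF2 is the slow, salted scheme a site should store instead of a bare hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a precomputed/rainbow table: hashes of a handful of
# common passwords. Real tables cover billions of candidates; the idea is the same.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """What a careless site stores: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(stored_hash: str) -> Optional[str]:
    """Find a password by table lookup; the hash is never 'reversed' at all."""
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hash(salt || password) as in the quoted explanation; salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Better still: a slow, salted key derivation (PBKDF2-HMAC-SHA256), so even a
    targeted guess costs the attacker real compute for every candidate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_kdf(password: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against the stored PBKDF2 output."""
    return hmac.compare_digest(kdf_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    bare = unsalted_hash("password1")
    print("unsalted hash found in table:", table_lookup(bare))   # password1
    salt, salted = salted_hash("password1")
    print("salted hash found in table:", table_lookup(salted))   # None
```

The salt alone defeats the precomputed table; the slow KDF additionally makes guessing expensive even when the attacker targets a single user.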

So, now that you understand a little bit of how passwords, hashes and salts work, let’s wander down the path of why it’s important to have a secure password and how you can keep it secure.

Many people think passwords are boring, annoying and time-consuming. They’re things you constantly have to remember, constantly have to change, constantly get wrong, and then you get locked out of your accounts and have to do password resets. I get that. Truly, it isn’t that hard to come up with a memorable and secure password. What I can tell you is that having a secure password is very important because, chances are, you use that password in more than one place – sure, you’re not supposed to, but you do. And there’s also a good chance that the username or email address you’ve used with that password is the same on other sites.

So if someone can crack your password on ONE website…they could potentially get access to anywhere else you’ve used that same username/password combination. That could be your email account, your Facebook account, your Twitter account, your LinkedIn account. If they know you well enough to know your work email address (from getting in to your LinkedIn account) they could then try accessing that. If, in your personal email account, you have emails from your internet banking that include your account details, they could then get access to that…and start transferring money from your account, requesting a new credit card be sent to them etc.

From gaining access to one password on one website…just one…it’s possible for someone to potentially gain control of all your online accounts if you use the same password, which a large percentage of people have admitted to doing.

So knowing this, having different passwords for different websites is incredibly important. But, I hear you cry, that’s too difficult. I have *far* too many accounts on different websites to remember, how am I supposed to create a unique password for all of those sites?

There are a multitude of applications and programs out there that are trusted and supported to look after your passwords. The following few are ones that I have either used or have had recommended to me. My only advice is, make sure the password you use to secure *this* account is one that you’ve never used anywhere else, will never use anywhere else and that you will never ever forget…because you don’t want to go writing this one down:

  • LastPass – my personal password manager of choice, synchronises your passwords up into the cloud and it means you only have to remember one password. I pay for a premium subscription because I use it on multiple devices, especially my phone, and the multifactor ability is incredibly useful (will discuss multifactor shortly!)
  • 1Password – have heard good things about this, a few friends use it. Can store other information, not just passwords. Only catch – it costs cash up front ($50US)
  • KeePass – if you only ever log into one computer, then KeePass might be the one for you. Stores your passwords locally, so they’re not synchronised up in the cloud, but it is free! I have used this and its interface is very nice and easy to use


Multi-factor authentication, mentioned above as part of LastPass Premium, can be a step in the right direction. It’s not just for LastPass though. Many places offer multifactor auth to secure your credentials. This can be in the form of your Facebook account sending an SMS to your phone to ask you to put in a code before logging in, Twitter sending a message to your phone so that you have to approve the login request, a video game such as World of Warcraft or Rift requiring you to put in both your password and a randomly generated key from a token so that you can access your account. I try to use multifactor authentication on every account that allows me to. This is purely so that I know that even if my password is compromised, I have that extra layer of security on some of my accounts. This has already come in handy a few times when someone has tried accessing things they shouldn’t…

Moving on slightly to password complexity, I’m somewhat against certain parts of it – I don’t believe that forcing a user to change their password every 30 days makes for a more secure password. All it’s going to do is force that user to have to try to remember something new every 30 days. Which (if they’re anything like my users) they won’t be able to do, so they’re going to write it down or make a very simple numeric change to ‘alter’ the password (e.g. increasing a number on the end of the password each time). This in itself can weaken the password.

I also don’t agree with some forms of password complexity. While I do admit that having a complex password (one that includes lower case, upper case, numeric and non-alphanumeric characters) decreases the chance that someone will be able to guess (or brute force) your password, it can lead to people forgetting their passwords very easily. A really good example of password complexity (and its silliness) can be seen in the following two comics:

  • XKCD – Password Strength
  • 1.00 FTE – Too Many Secrets

So, if I could only impart a few bits of wisdom from this post (also known as a TL;DR):

  • Passwords are incredibly easy to crack these days
  • Don’t use the same password on multiple websites
  • Use multi-factor authentication when you can
  • Look at using a password manager if you have difficulty remembering multiple passwords
  • Password complexity doesn’t always equal a secure password
  • Please please PLEASE do not write your passwords on PostIt notes!
