If you’re reading this you may have been sent a link to read this. Whoever sent that to you just wants you to be informed. Good news, the sky is most likely not falling in on your digital existence. However, the likelihood is that you need to take some actions to make sure you are secure and protected as much as practical online.
Over the past week, months, year, take your pick there has been a series of significant website hacks resulting in large volumes of old and current passwords – and usernames – leaking to places that researchers and hackers alike have had access to them.
It’s ok you say! Your account wasn’t compromised, and we are thankful of that, but are you sure that you are not vulnerable to existing or future hacks? Do you have good password habits? Are you really as safe as you can be?
If you’re not sure if you’ve been affected by a hack there is a handy website that will tell you if your username appears in any known database leaks. You can check out Have I been pwned and try your email account. This isn’t definitive so an all clear doesn’t mean do nothing but if you have been compromised, now is the time to learn a bit more about how passwords work, and how you can improve yours.
Good and strong password habits are not a joke, they are not a scare tactic used by the media to get clicks – although they can sometimes be used in that fashion. Good password habits can make all the difference it could mean you’re completely safe or only compromised on one site.
What are good password habits?
You have probably all heard what they are before. However, no matter how many times we all hear them or read them, the evidence suggests that the vast majority of online citizens are not implementing good password habits.
This is by no means an exhaustive list, however, if you did all of these things you would be safer than most other people, and perhaps cracking your password might just be too much work (we’ll cover how passwords are protected and cracked later):
- Every (I said every) password should be unique. Re-using passwords is a significant risk.
- Longer is better; how long 6, 8, 10? 13 or more characters means you’re unlikely to be an easy target, but there is an argument in using as long a password as a website will accept. Some places are notorious for limiting users to 8 character passwords (or less!)
- Stronger is better. A strong password is generally one that uses letters — both capital and lowercase, numbers and if allowed by the site, symbols (e.g. $#@)
- Change your password somewhat regularly, but not predictably.
- Use two-factor authentication everywhere it’s offered (more in this later)
That’s the password do’s, how about password do not’s?
- Do not share passwords with anyone, ever (outside of a good password management app)
- Do not write passwords down where they can be found (keeping them anywhere less than a safe, isn’t safe)
- Do not reuse passwords (yes we’ve written it twice as it’s that important)
You’ll note that unlike other X things you need to know about passwords articles we haven’t said “make them hard – but memorable” or only worry about your important passwords. Know why? We think that’s bad advice. In the modern world, the leaking of data from an innocuous website could make it easier for someone to access your other more important accounts, either through a direct hack or by using the info they’ve gained to try to get more information from you.
Are you 5u93r 5n34ky (super sneaky) with your passwords? Have you got a system that produces simple passwords that are impossible to crack? Guess what, most of these little systems aren’t as clever as they might appear; if you’ve thought of it, chances are hackers have too.
Each password breach gives hackers (and researchers) a larger and larger data set to work with to use machine learning and big data analysis to determine common patterns for passwords. Thanks to this analysis, hackers are able to algorithmically predict and generate common passwords to test against. The more common or predictable you password the more likely it is to be tested against in case of a breach.
You could use random passphrases using a substitution cypher e.g swapping % for d, or ! for o for example (don’t do the obvious s = 5 or $ the hackers know those tricks). If you use this technique a nonsensical phrase like “1 Cows 4 Drive Asteroids” becomes “1C!ws4%riveAsteri!i%s”.
1C!ws4%riveAsteri!i%s it is long – tick, uses letters, numbers and symbols – tick and if you make one for every website is unique – tick. Do you feel like remembering one of these for every site (yes EVERY site) you use and typing them in all day long? What this leads us to is this: unless you have an eidetic memory you’re going to need some help staying secure.
We want to make a brief mention of the “Log in with X” style log in options, e.g. Log in with Google or Log in with Twitter. These options are generally secure as the end website never gets a password, rather your chosen social network (or other login) authenticates you to the 3rd party site you’re logging into. Of course, you’re only secure if that service your logging in with is protected with a strong password!
Use a Password Manager
There are a couple of really good options for password managers that are available including Enpass, 1 Password and LastPass. Each has its own pros and cons depending on your use case; we’re going to recommend you do some reading and research to make a well-educated decision on what will suit your needs best.
For anyone who isn’t familiar with them, a password manager is a location or database (online storage usually) where all of your passwords are stored. Then there are options on the way that you can interact with it. Most people allow their password manager to autofill passwords for sites on their own personal machines and this has multiple flow-on effects that can assist you in staying safe online.
- You can have very strong, random passwords that you won’t remember that are unique to every login you have.
- Because you’re not typing your passwords in every time you log into a site, on the chance your machine is compromised (or you have a nosey network admin) by a keylogger, your passwords will not be captured by third parties.
- The top password managers are cross platform and have browser plugins that mean you’ll never have to remember all your passwords, just make sure that you’re using a really good password and for the sake of your sanity and online security please: Turn on ALL of the security options including SMS account recovery and 2 Factor Authentication
Hopefully, the risk of a password manager account being hacked is clear, but to spell it out: If the password manager got hacked every account you have in a password manager (as well as the password manager itself) would need to have all their passwords changed.
Additionally, you would need to ensure that all settings are as they were, and had not been changed, such as mobile phone numbers and recovery email addresses. Changing or adding to these are often how a secondary attack can occur if you don’t check them when you reset your password and assume your account is secure once again.
On the plus side, the way most online password managers work is thought to be fairly secure. Lastpass, for example, encrypts your data locally and the plain-text passwords are never sent in the clear. Further, unless a hacker was able to gain your Lastpass password (more on this below), it is thought that there is simply no way for them to decrypt the information Lastpass has; their system was deliberately designed this way, from the ground up, and theoretically at least, the premise is sound.
Better yet, most password managers offer a 2-factor authentication option, and we strongly suggest you make use of it. What’s 2 factor?
What is 2 Factor Authentication?
2-factor authentication is best explained like this — it adds an extra layer of security to things protected by usernames and passwords; it combines something you know (your username and password) with something that you have (a secure code generated by a token, received by means of an SMS message on a mobile phone, a code generated by an app, etc). The technology isn’t new, but it is becoming more widely adopted, and you should adopt it too (where it’s offered).
If you’re interested in a good resource for finding out which of your websites and services support 2FA, TwoFactAuth is a fantastic resource to find a large, but not exhaustive, list of online service providers.
This layer of security is considered very secure, but it isn’t infallible. It is possible, with a bit of social engineering, for someone who has your username and password, to trick you into giving up your two-factor authentication code, and then it might as well not be there at all. We covered an incident the other day of a group of unknown hackers who were sending preemptive text messages to victims telling them that a hack was underway and that if they wanted to “lock” their account to reply with the 2FA code. People who did this actually just handed over the keys to their account and would have quickly found themselves locked out.
Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC
— Alex MacCaw (@maccaw) June 4, 2016
Hackers are getting more cunning and we all need to have our wits about us. The best passwords and security won’t protect us if we get socially engineered into handing over the keys to our accounts.
For Android users, there are a few options as far as an app for 2 Factor Auth, Google Authenitcator and Authy which both operate essentially the same way so choose your weapon. Some services don’t require the use of an app, and offer 2FA through their own app — Facebook, for example, will send you an SMS message or a push notification when you sign in from somewhere unfamiliar (if you enable it). Banks often have a similar option for transfers over a small amount.
If you’ve got this far we ask you to pass this on to people who you think would benefit. Good password habits are akin to a lifestyle change, you can tell your friends to stop smoking but only they can choose to do it. Perhaps it’s you husband, mother, best friend or children who you think may benefit from hearing this one more time. It’s time to pay it forward, not just forward. Instead of just forwarding this onto them offer to spend a night, a day, a weekend to help them get safe online.
If you want to know more about password security and how they are protected and hacked read on.
Why do I have to do all this? Shouldn’t websites keep my passwords safe?
Yes, yes they should, and beer should be free after the 3rd drink and politicians shouldn’t be lying douche bags. Unfortunately, we don’t live in a world of should.
Password reuse and simple passwords.
Even if a website hasn’t been compromised if you reuse the same password hackers can take your password from another site that has been compromised and use that to log in to other sites, and if they get your email they can simply reset all of your passwords and you’re a goner.
A similar thing can happen if you use a common or “machine guessable” password. If just one website has poor security that doesn’t protect against a brute force attack (simply trying password combinations over and over again) you are more at risk of getting your password compromised. If you reuse that password you’re in double trouble.
Just in case you think only bad companies would fall for this, remember the big iPhotos celebrity photo leak a few years back? Google “the Fappening” if you don’t.
According to security researchers, that hack was a simple brute force attack as Apple’s system wasn’t built to protect against it. We didn’t choose this example to bash Apple. Moreso, if Apple, one of the biggest and best equipped digital properties, made this mistake dozens of others did, and still do.
How are websites protecting my passwords?
A good online service will protect your account and password through multiple ways. Firstly they will try and stop bad actors getting into their database and stealing the database but let’s face it, with social engineering, zero-day exploits and numerous other nefarious attack vectors we have to assume that some websites are going to get hacked.
Hashings
Hashing sounds like something that happened at Woodstock or in a glaucoma clinic but it’s not. Nor is it making the database look like passwords are stored as hashes eg. #########. This is a basic overview of hashing and has been simplified to make it understandable. What we are after here is a communication of the basic process and why it’s used.
Hashing is technically turning a string (a string is a series of characters) into a fixed length mathematical format. A hash generator takes a word like “Ausdroid” and turns it into “16c3518adbbdb0997e36b104dcd094ac032ab26f” (that’s a real SHA-1 hash conversion). The website stores that “hash” and not your password so if hackers do get in they don’t have your password, just the hash of it.
The easy way to think about hashes is kind of like a sausage machine; they’re a one-way mathematical function (or series of them) which turns your password (the minced meat) into a numerical hash (the sausage). Feeding the sausage back into the machine doesn’t give you the minced meat back, just a god-awful mess. The same with a hashing function; they don’t work backwards.
So when you log in and send your password the website hashes your password again, compares it to the stored hash and if it matches you’re in! Simple. Right? Kind of.
This method has several problems. Firstly, everyone with the password Ausdroid (we like to think this is a popular password) will have a hash of “16c3518adbbdb0997e36b104dcd094ac032ab26f”, so if hackers get a hold of the database of usernames and hashes they can either “brute force” passwords by running them through the hash generators until they get a match, or more popularly, they build a table or database of passwords and then compare the stolen hashes to that table.
This is where having long, complex and non-standard passwords could save you. It’s impractical for hackers to literally have a database of every password from a to XXXXXXXXXXXXXXXXX, and every combination of lowercase, UPPERCASE, numbers and symbols in between. So if you using that random password generator set to 15 characters as an example, it just might not be worth the hackers time to go after you.
However this doesn’t sound very strong does it? If we are all using a known algorithm to create our hashes and the hackers can just make a table to defeat it what else can we do? Perhaps we can spice up our protection with some Salting.
Salt
If you’ve ever read about stolen website databases you may have come across the term the passwords were Hashed and Salted. We just covered Hashing, but what is Salting?
Salting is the process of adding a “string” to every password before it is hashed and stored. Again for those who know this in depth, this is a basic explanation. But simply adding “B” to every password wouldn’t work as the hackers would eventually figure this out.
Instead, what Salting does is generate a one-time, random string typically from your username, or something else relatively unique, mixed in with a random number from some other source of entropy. This sounds like a lot of gobbledigook and it is; basically, if you ran [email protected] through the salt generator 10 times you would get 10 different results. That’s the point.
The salt is then added to the password before running through the hashing algorithm, before the salt and hashed string (minus the plain-text password, of course) are stored in an authentication database. This makes a database lookup attack effectively useless. Even if every user had the same password, the likelihood of any hash being the same is as close to 0 to make it an almost mathematical impossibility a non-issue for our purposes.
It works like this, here is an example of how just our hashed password is stored for our username [email protected] and password Ausdroid, and username [email protected] and password Ausdroid.
Username | Password | Hash |
---|---|---|
[email protected] | Ausdroid | 16c3518adbbdb0997e36b104dcd094ac032ab26f |
[email protected] | Ausdroid | 16c3518adbbdb0997e36b104dcd094ac032ab26f |
As you can see because we used Ausdroid for both of our password the hashes match exactly.
Now let’s add the salt based off the username:
Username | Password | Salt | Hash |
---|---|---|---|
[email protected] | Ausdroid | cc5f82f3bf2d798033383b99c2d0171aaa840a32 | ada29aa88c4994690b11ebd391fd6d99d102ac99 |
[email protected] | Ausdroid | 5872974ef2d3750e8cca3bd12bf95b8d476d66f0 | 30f80b5e2e1fad9e3e297ecb0135e9c863d28a5f |
Now our stored password Hash is unique even if we have the same password. Hang on I hear you say, the salt is stored in the database. The hackers will just use that won’t they? Yes, yes they will, HOWEVER, this technique renders a database look up attack completely useless, forcing attackers to brute force each and every password on the list. This is significantly slower, and reduces the chance of a successful breach.
Slow down there hacker
Ok, the hackers have got the database, it’s been Salted and Hashed but they are determined so they are going the brute force route. How long will it take?
Unfortunately, a modern high-end graphics processor can compute billions of hashes per second at a minimum. That’s billions with a B, people. Hackers using botnets or multi-GPU rigs can significantly increase that number.
The truth is no-one fully knows how long a password would take to break, what we do know is all the factors mentioned above size, randomness, character type significantly increases the complexity of the stored password, and thus the time required to break it.
How can we slow down would be password crackers? By following the steps we’ve outlined. Don’t use dictionary words. Use different passwords. Use things with weird characters and symbols. Ideally, use a hash function that is specifically designed to be rather slow to run; some hashes are calculated significantly more slowly than others, and you want your system to use those slow hashes. This significantly increases the amount of time required to break even one password, even with specially designed hardware and software routines.
Encryption
The final step in protecting an account is using another secret key or encryption method to encrypt the hashes. This is achieved by either encrypting the hash itself or including the ‘key’ in with the password and salt before hashing.
The issues for this to be effective is that the key has to be accessible for daily use by the system but not accessible to hackers following an attack. To secure against this the Key has to be kept on a separate non-connected system.
There are various ways that this can be implemented, either in a dedicated external server or an attached hardware device that is unlikely to be hacked. A common method for doing this is to use the Advanced Encryption Standard (AES) which typically has 128, 192 256 bit encryption keys.
In the end, it’s up to each of us to stay safe
That’s the basics of how your password is secured and or hacked. Like all basic explanations it is very simplified, much of the details and nuance of how it really works has been skipped or overly simplified.
This was not intended to be a how-to guide on implementing password encryption, it is a users guide to understanding the types of protections is use. Next time one of your accounts is leaked in a database leak you’ll know what the reporter means when they say the data was Salted and Hashed and protected by 256 bit AES encryption.
In that ideal world all websites would implement all of these security protections, but in actually there are still some websites that actually store user’s passwords in plain text or “in the clear”.
Online security isn’t easy if it was everyone would implement these features, however, we are now entering a time where anything less then this type of user protection is bordering on negligence. I wonder how long until a lawsuit is brought against one of these online entities.
However until we do reach a day of near ubiquitous password protection it’s up to us to adopt good password habits. And remember tell a friend, help friend the more people who have well protected the less benefit there will be in hacking.
This article was a collaborative effort of two of our writers, Duncan Jaffrey and Phil Tann.
Yea after hearing about the Linkedin hack, finally bit the bullet and changed all my passwords with one of those password managers. It’s a little annoying when I have to type long passwords manually into the computers at uni but just having that piece of mind that there’s that little bit of extra security is worth it.
Excellent stuff!
A follow up article comparing and contrasting popular password managers with their pros and cons would round everything up nicely.
Very good article. Keepass is a good free password manager.