
Why We Get Passwords So Wrong And How To Fix It


We know that cybersecurity is a growth area in the technical world and a cause for concern, investment and research for governments, research institutes and businesses globally. One of the most important ways to protect ourselves, our information and our companies is a strong and consistent password strategy. Too often I see or hear of people who reuse passwords and of companies whose own policies decrease the security of their systems. This article will explain how passwords should be securely stored on a system; ways to tell if your password is not being kept securely; how you can improve your password strategy with easily memorable, strong passwords that are different for every login; and ways for system owners to improve their password policies.

How Passwords Should Be Stored On A System

When you set a password on an account, especially online, there are three main storage options that a system owner may choose: plain-text, encrypted and hashed.

If a password is stored in plain-text then somebody accessing the system, with permission or without, will immediately be able to see all the passwords.

The second method, encryption, is slightly better, but still not good. Here, your password will be transformed into an unreadable string of characters. However, encryption is reversible. This means that it will be possible to decrypt your password back to its original form. An ancient type of encryption is a Caesar Cypher, where characters shift by a certain (pre-agreed) amount. If we agreed to shift letters by one, ‘p’ will become ‘q’, ‘a’ will become ‘b’, and ‘password’ will become ‘qbttxpse’. Even with modern encryption techniques - which are much stronger - it is possible to reverse the encryption and reveal your password.
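The Caesar Cypher just described, written out as an added example (not code from the article) so the round trip is visible: the same pre-agreed shift that turns ‘password’ into ‘qbttxpse’ turns it straight back again. That reversibility is exactly the property a password store must not have.

```python
import string

# Added example, not from the article: a Caesar shift over the lowercase and
# uppercase alphabets. Characters outside the alphabet are left unchanged.

def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places, wrapping around the alphabet."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            alphabet = string.ascii_lowercase
        elif ch in string.ascii_uppercase:
            alphabet = string.ascii_uppercase
        else:
            out.append(ch)          # digits, punctuation: pass through
            continue
        out.append(alphabet[(alphabet.index(ch) + shift) % 26])
    return "".join(out)

def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)

def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Anyone holding the key undoes the transformation by shifting back."""
    return caesar_shift(ciphertext, -key)
```

With key 1, `caesar_encrypt("password", 1)` gives the article's ‘qbttxpse’, and `caesar_decrypt("qbttxpse", 1)` recovers ‘password’; a hash, by contrast, has no decrypt step at all.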

Hash

  Password    End hash
  password    aaf58b
  password    aaf58b

Hash + Salt

  Password    Salt    Concatenation    End hash
  password    1066    password1066     71cb92
  password    7864    password7864     01d604

Instead, passwords should not be stored at all; they should be salted and then hashed, with the hash securely stored. This process will convert your password into a non-reversible, unreadable string of characters that is unique (or unique enough). A hashing function is a one-way mathematical calculation that results in a hash. Using the function, we can get from a password to a hash, but there is no way back from the hash to the original password. To test if I typed my password in correctly, the system will take what I typed, apply the hashing function and see if the resulting hash is the same as the hash stored on the system. The problem here is that if I (poorly) choose the password ‘password’ and so do you, then when we apply the hashing function to our passwords, the resulting hash will be the same. This could be enough information for a hacker to work out what the underlying password is (for example by looking at how common some hashes are in the database). This is where salting comes in. If we add our unique (or unique enough) salt (which is usually just a randomly chosen number for each user) to our password, then we will end up with a unique hash. It is technically possible but mathematically infeasible for two separate passwords and salts to result in the same hash. If it becomes feasible, then the hashing function will be deprecated (see MD5). See the diagram for a simplified example.
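The two tables of the diagram, worked through in code. This is an added example rather than the article's own code. It assumes SHA-256 as the hashing function (the diagram names none and shows only a six-character prefix of each hash, so the hex values here will not match the diagram's), and the PBKDF2 function at the end goes beyond the diagram to show the deliberately slow hash a real system uses in place of a bare SHA-256.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Added example, not code from the article. The salted form reproduces the
# diagram: password and salt are concatenated, then hashed. SHA-256 is an
# assumption, since the diagram does not name a hash function.

def unsalted_hash(password: str) -> str:
    """Plain hash of the password: identical passwords give identical hashes
    (the 'Hash' table)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: str) -> str:
    """Concatenate password and salt, then hash (the 'Hash + Salt' table)."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def new_salt() -> str:
    """A fresh random salt for each user, as the article describes."""
    return secrets.token_hex(16)

def store_password(password: str, salt: Optional[str] = None) -> dict:
    """What the system keeps: the salt and the hash, never the password.
    A salt may be supplied to reproduce the diagram's rows (1066, 7864)."""
    salt = salt if salt is not None else new_salt()
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare with the stored
    hash. compare_digest takes the same time whether or not the values match,
    so the comparison itself leaks nothing about the stored hash."""
    candidate = salted_hash(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def shared_hash_count(hashes: list) -> int:
    """Number of distinct hash values that appear more than once in a list of
    stored hashes. Over unsalted hashes a common password shows up as a
    repeated value; over per-user salted hashes it does not."""
    return sum(1 for count in Counter(hashes).values() if count > 1)

def slow_salted_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Beyond the diagram: a purpose-built password hash (PBKDF2-HMAC-SHA256)
    repeats the work many times so that each guess costs the attacker far more
    than a single SHA-256 would."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()
```

`store_password("password", "1066")` and `store_password("password", "7864")` reproduce the two rows of the second table: the same password with two different salts gives two different hashes, and `verify_password` still accepts ‘password’ for either record. `shared_hash_count` over a list of unsalted hashes reports the repeated value for ‘password’; over the salted records it reports none.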

One way that you may be able to work out if a system is using either of the plain-text or encrypted methods is when you use a ‘forgotten my password’ link. If the system ever sends you a reminder message with your password in plain text, then immediately run a mile (maybe change your password first!). If the system is using the hashing method, then there is no way that it will be able to tell what your password is.

How To Improve Your Password Strategy

Here’s the important part - what can we do to ensure that our password strategy is not the weak link in the proverbial security chain? Well, we can use two-factor authentication, choose long memorable passphrases instead of passwords, and never use the same password on two separate systems. Here are some tips to achieve this.

Two-Factor-Authentication (2FA)

If someone does work out your password but you have set up 2FA, you may still be protected, as they will hopefully not be able to get past this second line of defence without access to your email account or phone. You can use apps like Google Authenticator or Authy to manage your 2FA.

Passphrases

As the XKCD comic suggests, we can use a memorable phrase instead of a hard-to-remember string of characters. Adding length to a password can significantly increase the amount of time it would take a hacker to crack it. ‘IWantToRideMyBicycle’ is, therefore, a better password than ‘A11ig4t0r3!’.

Different Site, Different Password

We’ve all been told not to use the same password on two sites or systems, yet we still do. Here’s a quick tip for ensuring that our passwords are unique. Firstly, we can take our passphrase like ‘IWantToRideMyBicycle’ and then add to it something about the site we are on. For example, we can use the first two letters of the site. For LinkedIn we can add ‘Li’ to our passphrase and for Facebook we can add ‘Fa’. This makes our passphrase ‘IWantToRideMyBicycleLi’ for LinkedIn and ‘IWantToRideMyBicycleFa’ for Facebook. Simple!

Password Manager

If you don’t want to worry about passwords at all then you can use a password manager. This service will store all your passwords in one place and should be encrypted using a very secure password - the only one you need to remember. You can then use the password manager to generate all other passwords for you and automatically fill them in on sites you visit. I use this, and therefore I do not actually know my LinkedIn password! An example password that my manager might make for me is ‘2oFW4#YwJQZ^iE@XGk$Cz5’. I have my password manager on my phone as well as on my computer, so I can take all my passwords with me and I never have to type them in because the manager does that for me. You can use one password manager account for personal and another for business for extra security. Examples of password managers are Dashlane, LastPass and Sticky Password.

How To Improve Your System’s Password Policy

My number one gripe with systems that I use is weird and wonderful (terrible) requirements for passwords. It must be eight characters exactly and contain two capital letters and a number - are you crazy?!

GCHQ and CPNI released Password Guidance for System Owners in 2015, which I highly recommend. Here are just five of the most important excerpts (in my opinion) from the many practical policies they advocate:

Notify users with details of attempted logins, successful or unsuccessful; they should report any for which they were not responsible

Allow users to reset passwords easily, quickly and cheaply

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise

Allow users around 10 login attempts before locking out accounts

Password blacklisting works well in combination with lockout or throttling
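Three of the excerpts above (notifying users of every attempt, locking out after around 10 attempts, and blacklisting common passwords) put into one small piece of account-protection logic. This is an added example, not code from the article or from the GCHQ/CPNI guidance; the blacklist is a constructed sample far smaller than a real one, and `password_ok` stands in for whatever credential check the system actually performs.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not the guidance's or the article's own code.
# MAX_ATTEMPTS follows the "around 10 login attempts" excerpt; the blacklist
# is a constructed sample, far smaller than a real deployment would use.
MAX_ATTEMPTS = 10
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def is_blacklisted(password: str) -> bool:
    """Blacklist check for a newly chosen password. Comparing case-insensitively
    catches trivial variants such as 'Password'."""
    return password.lower() in COMMON_PASSWORDS


@dataclass
class AccountGuard:
    """Tracks consecutive failed logins per account, locks the account after
    MAX_ATTEMPTS failures, and records a notification for every attempt so the
    user can report any they did not make."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def attempt_login(self, username: str, password_ok: bool, source_ip: str) -> str:
        """Returns 'locked', 'success' or 'failed'. `password_ok` stands in for
        the real credential check (e.g. a salted-hash comparison)."""
        if username in self.locked:
            # a locked account rejects even a correct password until it is reset
            self.notifications.append(
                f"{username}: login attempt on locked account from {source_ip}")
            return "locked"
        if password_ok:
            self.failures[username] = 0          # a success resets the counter
            self.notifications.append(f"{username}: successful login from {source_ip}")
            return "success"
        self.failures[username] += 1
        self.notifications.append(
            f"{username}: failed login from {source_ip} "
            f"({self.failures[username]}/{MAX_ATTEMPTS})")
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked.add(username)
        return "failed"

    def unlock(self, username: str) -> None:
        """Called after the user resets their password, which the guidance
        wants to be easy, quick and cheap."""
        self.locked.discard(username)
        self.failures[username] = 0

    def notifications_for(self, username: str) -> list:
        """The attempt details this user should be shown."""
        return [n for n in self.notifications if n.startswith(f"{username}:")]
```

Nine failures followed by a success leaves the account open with its counter reset; ten consecutive failures lock it, and a correct password is then refused until `unlock` is called by the reset flow. Every one of those attempts is queued for the user, which is what lets them spot the ones that were not theirs.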