
Password Security

March 15, 2015

Many people use easily guessed passwords like "123456" or "qwerty".  Attackers can compute millions of password hashes per second, and billions on a machine full of graphics cards.  Your passwords are in great danger.  That's the alarming information we hear every day.  How much of it is really true?

Experts tell us to use long complex passwords.  They advise us to memorize them and not write them down.  They tell us to change all of our passwords frequently.  Don’t they realize that what they are telling us is impossible to do?

The reality is somewhat different.  To understand it, you first need to know how passwords are used for authentication.  A properly built system never stores the password itself.  Instead, it computes a hash from the password you offer: a fixed-length string of bytes produced by a known one-way procedure, so that the hash can be derived from the password but the password cannot be recovered from the hash.  A well-built system also mixes in a random value (a salt) unique to each account, so that two users with the same password get different hashes, and uses a deliberately slow hash so that each guess costs the attacker real time.  When you authenticate (prove your identity) to a web site, the password travels to the site over an encrypted connection and the site computes the hash and compares it with the one it stored when you set the password; the site keeps such a hash for everybody who uses it.  When you log in to your computer, tablet, or mobile phone, the same thing happens locally, with the stored hash kept on the device.  If the freshly computed hash equals the stored one, you are granted the access you requested.

Indeed, an attacker can generate millions of hashes per second from a list of trial passwords.  Those hashes are useless on their own: the attacker needs the stored hash to compare them against, and the only way to get it is to break in to the web site or to your device and copy the hash database.  Large sites do get broken in to, and when they do, those stolen hash lists are exactly what gets attacked at millions of guesses per second.  Salts and slow hashes exist to make that attack expensive; a site that stores unsalted fast hashes hands the attacker every account that used a common password in one pass.  Without the stolen hashes, the attacker's only option is to try guesses against the login form itself, and a login form that locks or slows down after a few failures allows a tiny fraction of that rate.  The remaining danger is reuse: a password cracked from one site's leaked hashes is tried, successfully, at every other site where the same person used it.
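The two sides described above, as an added example that is not part of the original post: the defender's storage and verification routine (salted, slow PBKDF2-HMAC-SHA256 with a constant-time comparison) beside the attacker's offline dictionary attack against a leaked hash list. The sample "leak", the wordlist, and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tuned in practice so
# that one verification costs the server roughly a tenth of a second.
PBKDF2_ITERATIONS = 200_000


def store_password(password: str) -> dict:
    """What the site keeps: a random per-user salt, the work factor and the
    derived hash.  The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_password(record: dict, offered: str) -> bool:
    """Re-derive the hash from the offered password and compare it with the
    stored one in constant time, so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", offered.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# --- the attacker's side: an offline attack on a stolen hash list ---

# Constructed "leak" from a badly built site: one unsalted SHA-256 per account.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"123456").hexdigest(),
    "bob": hashlib.sha256(b"qwerty").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "iloveyou"]


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Without salts, each guess is hashed once and checked against every
    account at the same time via a dictionary lookup."""
    by_hash = {h: user for user, h in leaked.items()}
    found = {}
    for guess in wordlist:
        h = hashlib.sha256(guess.encode("utf-8")).hexdigest()
        if h in by_hash:
            found[by_hash[h]] = guess
    return found


def crack_salted(records: dict, wordlist) -> dict:
    """With per-user salts and a slow hash, every (account, guess) pair costs a
    full derivation; nothing can be shared between accounts."""
    found = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify_password(record, guess):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print("verify correct:", verify_password(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(rec, "Correct horse battery staple"))
    print("unsalted leak cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print("salted record cracked:", crack_salted({"bob": store_password("qwerty")}, WORDLIST))
```

The unsalted attack recovers alice's and bob's passwords with six hash computations in total; carol's passphrase is not on the wordlist, so no amount of hashing helps.  The salted attack still finds bob's "qwerty", because a weak password stays weak, but each guess now costs the attacker the same slow derivation the server pays, and the work cannot be amortized across accounts.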

The latest thing in authentication is biometrics.  All you need is a scan of your fingerprint or the iris of your eye.  These are, for practical purposes, unique to you.  You don't have to type anything.  You don't even have to remember anything.  It's much more convenient.  Why isn't it used everywhere?

For one thing, it still involves stored data derived from your body, this time a template extracted from the stable features of your fingerprint or iris.  That template is not a cryptographic hash: a hash changes completely when a single bit of the input changes, and your scan changes a bit every time.  The stored template is instead compared with the new scan by a similarity score, and you are accepted if the score clears a threshold.  The system never knows that it is you; it only decides that a match is probable enough, and the threshold is a trade-off between letting impostors in and locking you out.  Well-designed systems, such as the fingerprint sensors on current phones, keep the template on the device and never send it to a web site; only the yes-or-no result leaves the sensor.
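The threshold comparison described above, as an added example that is not part of the original post: a constructed bit-vector "template" standing in for an iris code, a noisy re-scan of it, a Hamming-distance match against a threshold, and the exact hash comparison that fails on the same input.  The template size, noise rate and threshold are assumed values for illustration, not those of any real sensor.

```python
import hashlib
import random

TEMPLATE_BITS = 256          # assumed template length
MATCH_THRESHOLD = 0.30       # assumed: accept if at most 30% of bits differ


def enrol(seed: int) -> list:
    """Constructed enrolment template: a deterministic pseudo-random bit vector
    standing in for the features extracted from a real scan."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def capture(template: list, noise_rate: float, seed: int) -> list:
    """Simulate a fresh scan of the same person: each bit flips with
    probability noise_rate, which is what makes two scans never identical."""
    rng = random.Random(seed)
    return [b ^ (1 if rng.random() < noise_rate else 0) for b in template]


def hamming_fraction(a: list, b: list) -> float:
    """Fraction of bit positions where the two templates disagree."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def biometric_match(stored: list, scan: list, threshold: float = MATCH_THRESHOLD) -> bool:
    """Threshold decision: close enough counts as the same person."""
    return hamming_fraction(stored, scan) <= threshold


def hash_match(stored: list, scan: list) -> bool:
    """What an exact cryptographic-hash comparison would do with the same data."""
    def digest(bits):
        return hashlib.sha256(bytes(bits)).digest()
    return digest(stored) == digest(scan)


if __name__ == "__main__":
    stored = enrol(seed=1)
    same_person = capture(stored, noise_rate=0.10, seed=2)
    impostor = enrol(seed=3)
    print("same person, threshold match:", biometric_match(stored, same_person))
    print("same person, hash match:     ", hash_match(stored, same_person))
    print("impostor, threshold match:   ", biometric_match(stored, impostor))
    print("impostor distance:           ", round(hamming_fraction(stored, impostor), 2))
```

A genuine re-scan lands around 10% disagreement and is accepted; an unrelated template lands around 50% and is rejected.  Raising the threshold admits more impostors, lowering it rejects more genuine users, and no setting makes the decision certain, which is the point the paragraph above makes.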

This authentication method can still be compromised.  You leave fingerprints everywhere, and your fingers and eyes appear in photographs all the time.  Fingerprint sensors have already been fooled with copies made from lifted prints.  That's all an attacker needs to pretend to be you.  What do you do if your scan is compromised?  How do you change your biometric password?  I suppose you could switch to another finger.  You have ten of them.  Eyes are more of a problem because you only have two.  I wouldn't jump to biometrics just yet.

Your passwords are not really in danger, as long as you follow some simple advice.  The first thing is to protect your local computer, tablet, or mobile phone from intrusion.  If your security fails there, all is lost: malware on the device sees every password as you type it, before any hashing happens, and everything else you do on that device is visible to the intruder too.  Keep the system and its applications updated, and don't install software you don't trust.  As well, make sure that the password for logging in to the device itself is stored only on that device.  Don't let it be copied to the cloud, even though it may be convenient.

You should be using long, randomly generated passwords for every site, including your local device.  These also should be different for each site.  That way, if one site is compromised and its hashes are cracked, the people who did it won't have access to all your other sites.  You won't be able to remember all of these passwords.  Write them down someplace that's secure, or keep them in a password manager, which encrypts the whole collection under one master password.  I know that it's possible to use a web browser to save all of your passwords, but I recommend using a real password manager instead.  You'll still need to remember the one password for the password manager, but it's only one.  Even if that password is long and complex, you'll remember it because you use it so often.  I speak from experience.

