A Brief History on Passwords
Passwords have been around since the middle ages when watchwords were used to ensure that the guard relieving the current watch was indeed the one that should be. Fast forward serval years later and we are now still using them for the same purpose. But these days there are thousands of passwords that we are expected to keep secure as well as keep track of and doing so is not a simple process.
Unique Passwords
Some of us have decided to just use the same password for all of our accounts or a variation of them such as Password123!Linkedin or Facebook99Patch! (If that is your password please change it). But the problem with this is that threat actors break into networks and steal password databases all the time. If you are using the same password for all your sites then they may try and use them to log into other services and gain access. But this would be prevented by using patterns right? Wrong, say I found the password “Password123!641Tech” breached in a 641Tech social media program breach and I wanted to log into your Gmail account. All that would need to do a find and replace in the password file and replace any reference to “641Tech” with words like “Google” or “Gmail”. By the way, if you suspect that your may have been breached or want to make sure you have not you should check out https://haveibeenpwned.com/ which will let you put in your email and tell you if you have been breached in the past completely for free! But there are other issues with these passwords for example their complexity.
Password Complexity
To understand why password complexity is important we first need to understand how passwords are stored in computer systems. Passwords are stored using a one-way mathematical function known as hashing. We won’t be covering hashing in detail in this article but the basic concept is that it is a one-way function that should have a specific output when given a specific input. For example the SHA1 hash of “Password123!” is “b673e227257194ecf7d6a1f7e1bee8ac3a37a894ec13bb0bba8942377b64a6c4” which may look like gibberish but the important part is that this input will always result in the same output and that the output is not directly reversible back to the input. With all that said this is a critical part of how services securely store your passwords in their databases. When you set up an account on a service and provide a password that password is usually hashed on your device and then the hash is sent to the service and stored. Then when you type your password again it is hashed and then sent to the service which compares the hashes and makes sure they are the same. If an attacker dumps the list of hashes and wants to convert it to the readable text again then they will need to set up the same algorithm on their systems and then try to brute force the input until they find an output that matches. This is where password complexity becomes a factor. If your password only contains letters then there is a significantly higher chance for a successful brute force of the hash due to the key space being only the 26 letters of the alphabet. The other factor of a password’s complexity is the length. Every character you add to your password makes it exponentially harder to crack and become compromised. According to Hive Systems in their article Are Your Passwords in the Green?, An eight-character password using a wide key base can be cracked in as few as eight hours. So how complex should a password be?
At 641Tech we recommend that your passwords at least meet the following criteria:
- Include at least one of each: a capital letter, a lowercase letter, a number, and a symbol (in the middle of the phrase)
- Have a length of at least 15 characters or more
- Avoid dictionary words, service names, and company names
That may sound like a lot but it will help you make secure passwords. But when we pair that with the fact that we are not supposed to reuse passwords, it makes it very hard, or maybe even impossible to remember them all. And what about multiple devices and needing to be able to log in on those? who knew passwords had some many logistics…
Password Managers
Luckily there are solutions to these problems. Some are better than others which we will talk about but there is a series of password managers that can help you keep track of and transfer these passwords around securely. For example, if you are using the Google Chrome browser to read this you already have one installed! Chrome will securely store your passwords for you and if you use Googles sync function it will even transfer them to other computers and Android phones! However, there are some issues with using this service. For example, you may not want your passwords kept with Google for privacy reasons. The chrome browser also has been the target of certain malware aimed to steal your passwords which may make it not the best option. That said if it allows you to keep long and secure passwords it is a far better choice than using nothing at all! There are more dedicated options on the market as well products like Bitwarden, or OnePassword are fine options that have which provide a solution specifically designed to keep your passwords secure as their primary product. Bitwarden is even free! You can sign up and try it out by going to https://bitwarden.com/pricing/ and signing up! These products will allow you to randomly generate long passwords and then store them for you. It will then log you into the sites when you browse them. With solutions like this, you don’t have to remember all the induvial passwords and can instead just remember a single password used to unlock the password vault. Just make sure that you make a really strong password for the vault!
In Closing
Passwords are hard and keeping them secure is even harder at times. The logistics around how we log into almost every service these days is not something that we can solve in just a few minutes. Even with writing this article long-winded as it may be I can’t help but worry that I am leaving important details out for you as the reader. In general, though remember that unique long passwords and complex passwords are one of the best ways to keep your accounts secure. And while that may make it almost impossible to remember them all we have tools like password managers that allow us to manage the logistics problem. So go out and try to implement some of these practices. At least on some of your more important accounts as any step is a step toward improvement.
Looking for help with your with your IT problems? Our Team can help with your computer and network systems! Contact Us