Whether you’re an aspiring computer hacker or just someone who values their privacy, password security
is an inherent concern of the internet era. If you value your data then you should value a good password.
The password is one of the gateways to your information, confidential or otherwise, and therefore must be as secure as possible.
Passwords are synonymous with computer use and internet access. Keeping a secret on the internet is akin to keeping a secret in junior high school,
especially since valuable data is held under varying degrees of safety protocols, depending on who is managing your information. This post
explains how password holders keep your information secure, the methods that hackers use to break passwords, and what you can do
to ensure your information has the best chance of staying safe.
The Code: Cryptographic Hashes
Cryptographic hashes are used in competently designed databases for password authentication and for obfuscating stored passwords. Their purpose is to protect the passwords from being
released once a database has been compromised. This is done by storing passwords as hashes, not plain text; a password entered at login is then hashed itself,
and that hash is compared to the stored hash. If someone has stolen a list of password hashes there is still work ahead for them, because they then have to guess
the passwords that produce those hashes. If the passwords were in plain text, the attacker would have access to every account without further effort.
Cryptographic hashes are one-way functions, meaning that given the output hash you should not be able to mathematically ascertain the input password.
Cryptographic hashes are therefore important to security because, done right, they add another layer of protection, but they are not a guarantee.
Cracking the Code
Every so often you will hear a story on the news about password hashes being stolen or leaked. The reason this is a big deal is that a hash does
not guarantee security; it merely enhances it by wasting the attacker’s time. Cryptographic hashing functions are well known, and their security
lies in how the hash is generated rather than in secrecy about the approach. Therefore, once a hashed password is gleaned from a system,
an attacker can guess different passwords, feed each through the hashing function and look for a match or pattern between the hashes.
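The store-hash-then-compare flow described above, and the guessing work an attacker is left with after a leak, as an added Python example (not code from the original post). The user names, passwords and common-password list are constructed, and plain SHA-256 is used only to mirror the post’s description.

```python
import hashlib
import hmac

def hash_password(password: str) -> str:
    """Return the SHA-256 digest to store instead of the password itself.
    Plain SHA-256 mirrors the post's description; production systems should
    use a slow, salted password hash (bcrypt, scrypt or Argon2) instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify_password(candidate: str, stored_hash: str) -> bool:
    """Hash the login attempt and compare digests in constant time."""
    return hmac.compare_digest(hash_password(candidate), stored_hash)

def audit_leaked_hashes(stored_hashes: dict, guess_list: list) -> dict:
    """Model the work left to an attacker who holds only the hash list: hash
    each guess and look for a matching stored hash. Returns
    {username: recovered_password} for accounts whose password was on the
    guess list; accounts with passwords not on the list stay unrecovered."""
    digest_to_guess = {hash_password(g): g for g in guess_list}
    return {user: digest_to_guess[h]
            for user, h in stored_hashes.items() if h in digest_to_guess}

# Constructed sample data: a tiny "database" of stored hashes and a tiny
# common-password list (real lists run to millions of entries).
USERS = {
    "alice": hash_password("password1"),
    "bob": hash_password("letmein"),
    "carol": hash_password("vT7#qL2m!xR9"),  # random-looking, not on the list
}
COMMON_PASSWORDS = ["123456", "password", "password1", "letmein", "qwerty"]

if __name__ == "__main__":
    print(verify_password("letmein", USERS["bob"]))       # True
    print(audit_leaked_hashes(USERS, COMMON_PASSWORDS))  # alice and bob recovered, carol not
```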
Some basic methods for cracking passwords include:
Brute Force Attack
- Generate every possible password combination and try them one at a time
- This wastes a lot of time because it iterates over every possible password, and with today’s hardware, mathematics and physics it may never recover a good password
- Good enough method to use against short, weak passwords
- Password length and character set (letters, numbers, capitals, symbols) determine the time it will take to break these passwords
Dictionary Attack
- Use a pre-computed list of common passwords and words to search for the password; this list can include every known word, so do not rely upon an obscure word for protection
- The dictionary can be generated once and used for multiple attacks against different hashes
- Thwarting these types of attacks involves having a random-looking password that is not common and still has sufficient length and a large character set
Dictionary Attack with Rule Modifiers
- Use a dictionary attack but with rule modifiers that substitute numbers for letters, append letters or numbers to the end or beginning,
- There are more possible avenues of attack, but they also reinforce the notion that a good password choice makes an attack harder
A linked article shows how passwords can be cracked, given a sufficient period of time and some intellect.
The article highlights some slightly complex passwords that its author recovered and is a good example of actual security compared to what people think is secure.
Although some of the ‘harder’ passwords lacked actual complexity, the author does a good job of pointing out that any correlation to an actual word makes cracking
the password that much easier.
Choosing a strong password is nearly as difficult as cracking one. Different passwords can be easier or harder to guess depending on the avenue of attack.
As this web comic points out, password length is important because of the bits of entropy an attacker must brute force. However, the method it proposes is weak
to dictionary attacks that try every possible combination of common words together, which keeps the search space sufficiently small.
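The entropy argument above worked through in numbers, as an added Python example (not from the original post): the attacker’s guess rate and the 2048-word dictionary size are assumed figures, and the comparison shows why a word-combination dictionary attack shrinks a passphrase’s effective search space relative to character-by-character brute force.

```python
import math

def bits_of_entropy(symbols: int, length: int) -> float:
    """Entropy of a password of `length` positions, each chosen uniformly
    from `symbols` possibilities: length * log2(symbols)."""
    return length * math.log2(symbols)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the 2**bits keyspace is tried."""
    return (2.0 ** bits) / 2 / guesses_per_second

# Assumed attacker throughput for the comparison (a constructed figure, not from the post).
GUESSES_PER_SECOND = 1e10

def compare_schemes(rate: float = GUESSES_PER_SECOND) -> dict:
    """Return {scheme: (bits, expected seconds)} for the cases discussed in the post."""
    cases = {
        # short and weak: 8 lowercase letters, the case brute force handles easily
        "8 lowercase letters": bits_of_entropy(26, 8),
        # the post's recommended length, drawn from all 95 printable ASCII characters
        "12 mixed characters": bits_of_entropy(95, 12),
        # four words from an assumed 2048-word list, when the attacker tries word
        # combinations, so each whole word counts as a single symbol
        "4 words, attacker guesses whole words": bits_of_entropy(2048, 4),
        # the same passphrase (about 20 letters) if the attacker had to brute
        # force it character by character instead
        "4 words, attacker guesses letters": bits_of_entropy(26, 20),
    }
    return {name: (round(b, 1), expected_crack_seconds(b, rate)) for name, b in cases.items()}

if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
```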
Using the same password across multiple sites is a security hole, and the same web comic illustrates this best.
A site may not be a phishing scheme, but if the site’s passwords are ever stolen this attack still applies. This is a big problem because once
one site is compromised or takes your information, the same credentials can be tried against all the major banking sites or whatever else the attacker deems valuable.
Remembering passwords for all those different sites is not easy, so you can try using a password manager or take a hierarchical approach
by arranging your passwords in tiers. Anything deemed critical is tier one and must have one strong password per login (banks, company systems).
Tier two can be anything you know is not critical but is still important to keep safe (social media); it can have some password reuse (but never with another tier),
and there should still be more than one password in this tier. Tier three can be sites that you sign up for but do not intend to use or store data in,
or simply throwaway sites; this tier can share one password (again, never shared with another tier) so long as you do not mind any of these sites being compromised.
Password Managers: It’s All About Trust
My network security professor told my class (a point reinforced by multiple studies) that “Security is about who you trust.” If you use a password manager,
you are really putting as much trust in a third party as you would in coworkers walking past a sticky note on your desk. Password managers can be extremely useful,
especially if you’ve got multiple passwords and a weak memory, but should be used with the caveat that you’re still trusting someone else to keep your secret.
So how do I choose a good password?
This is hard to answer as technology constantly changes. But essentially you want a password that looks nothing like a word, phrase or number and has
no discernible pattern. If you have an IT department, it can usually generate a really nice secure password for you. If not, free password-generating programs
exist and can be found with a simple web search. I will not list any, as I do not want to endorse
one over another and, depending on your level of paranoia, they may not be secure themselves. If you are paranoid, then simply alter a randomly generated password and make it your own.
- Choose a password over 10 characters in length (10 is a minimum but 12 and greater are encouraged)
- Use uppercase, lowercase, numbers and punctuation spread throughout
- Do not rely upon substituting, appending, or prefixing numbers/letters/punctuation to words, as this is not secure
- Do not use words, dates, addresses or personal info in your password, as these are most likely public knowledge somewhere on the internet or can be found out in some way
- For sites where security is really important to you, have a unique password for each site so that if one site is compromised, your other secure sites are not
- Change your password immediately when there is a hash leak for one of the sites you use (and change it often anyway, in case there is a leak that is unreported or unknown)
- Random looking long passwords are great
- Don’t use public computers for anything important as these can be assumed to be constantly compromised and may leak your data to an attacker
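A checker for the guidelines listed above, combined with the rule modifiers described under the dictionary attack section, as an added Python example (not from the original post). The substitution table and the six-entry word list are constructed stand-ins; a real check would use a full dictionary.

```python
import re

# Reverse the common letter -> number/symbol substitutions the post says not to rely on.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed tiny word list standing in for a full dictionary.
WORDS = {"password", "dragon", "welcome", "monkey", "summer", "football"}

def dictionary_core(password: str) -> str:
    """Undo the rule modifiers described earlier: strip digits/punctuation that were
    prefixed or appended to a word, reverse substitutions, lower-case the rest."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.translate(UNLEET).lower()

def check_password(password: str, words: set = WORDS) -> list:
    """Return the guidelines the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    elif len(password) < 12:
        problems.append("under the encouraged 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("missing lowercase, uppercase, number or punctuation")
    if dictionary_core(password) in words:
        problems.append("a dictionary word dressed up with substitutions or affixes")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains a year-like date")
    return problems

if __name__ == "__main__":
    for pw in ["dragon", "P@ssw0rd123", "Summer2019!!", "vT7#qL2m!xR9"]:
        print(pw, "->", check_password(pw) or ["ok"])
```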
Password cracking methods are getting faster thanks to increasing processor speed, clusters of computers, and more intelligent methods.
Therefore, a password deemed secure today will not be secure in the future. For every researcher developing cutting-edge ways
to prevent attacks there is a hacker coming up with ways to compromise them. When it comes to passwords, it’s a good idea to always assume that the
‘bad guys’ are out to get you. That is, unless we figure out how to make passwords a thing of the past...
Dynamic Manufacturing Solutions