Behind the Scenes of a Password
Hayden Smith explains how computers store passwords and how compromises happen…
There are many articles online arguing on the importance of choosing a strong password to protect your online accounts, and importantly using different passwords on each site. There are arguments towards using various mixed characters and symbols to increase complexity, though I’m personally a proponent of using a long sentence as a pass phrase. These articles may tell you what you should use, but they don’t really explain the reasons why, which are largely based on how passwords may be stored by the application or website you’re using.
Regardless of whether they are in files or databases, passwords will generally be stored in one of three main ways…
They could be stored as plain text, which means that the password will be readable to anyone looking at the password file/database. This is the least secure method of password storage and something that has mostly been phased out, although there are still plenty of badly-made systems out there storing passwords as plain text.
Slightly better, but still fairly insecure is the use of encryption. In these cases the password is encrypted to store, so anyone looking at the file/database won’t be able to read the password. However, using the correct decryption technique the passwords become readable. This only really protects password security from the passing observer.
Finally, we have the current best practice of hashing passwords. Hashing is a type of encryption that only works in one direction. Once a password has been hashed there’s no way of finding the password that formed that hash without creating a big list of possible passwords and hashing them all to compare against the stored value. To further increase the security of the passwords in a database, the practice of salting is often used. This involves amending a large random string of characters to the password before hashing it, each user would have a unique string assigned as their salt. This means that the list of passwords an attacker needs to hash, to try and find the matching password, must all have the salt appended to them before hashing. Whilst this doesn’t stop the technique from working, it makes the task of finding passwords for users from a database significantly slower and dramatically increases the processing overhead.
So how does this relate to how you use passwords and choose them? Let’s have a look at how passwords are compromised…
Firstly we have guesswork, this is usually done by someone who knows you or has researched you and relies on guessing at the sort of passwords you may use such as children’s or pets’ names or favorite sports teams. Thus it is generally recommended to use something more random as your password.
Secondly we have remote brute forcing. This is where the computer of an attacker takes guesses at passwords and makes repeat login attempts at the service they are trying to compromise. Most sysadmins will setup a server to detect and automatically block multiple incorrect login attempts on their servers. That doesn’t stop attackers from trying on the basis that there are still systems out there where this does work.
Thirdly we have a database compromise. This usually occurs where a flaw somewhere in the website allows an attacker to get unauthorized access to the underlying system and extract a copy of the database. Once done the attacker can take their time in working out the passwords used on the various accounts. There have been a lot of high-profile database compromises over the last few years with the likes of ebay, linkedIn and Sony all having had databases of user login credentials leaked. Here is where the importance of a long password become apparent. Each additional character in length exponentially increases the number of combinations that the computer trying the compromise them needs to test. Once you get past the teens in password length you get towards a password that can take years to compromise. This is something an attacker is unlikely to waste their computer time on.
Now for how this can be used against you. For most websites you use, it is now common practice to log in with your email address and password. Next to that, many websites will allow you to reset a forgotten password by emailing a code to your email address. So your email address tends to be the weakest link in your online security, and thus should be the one with the long secure unique password. Otherwise, should the password be compromised, it would be quick for the password to be used to compromise email and then attackers can view mail to see what other services the password could be used against, often to get to online banking systems. Unfortunately, you don’t know which password storage method a system is using, so while a good secure password is great to use, re-using it on multiple sites increases the chances of it turning out to be very insecure if the system behind a site doesn’t store the passwords with good security.