Passwords are key to good Cyber Security. October is National Cyber Security Awareness Month, and in this series of blogs we will be providing simple tips and tricks to help you and your staff remain ever vigilant against the threats that criminals pose to our digital lives.
This blog will look at passwords – this is a dreaded topic for some as we all know what we should do, but doing it is, for some, a hard thing.
Passwords are the bane of our lives. They get in the way. We get told all the time to change it just as we had got to the point of remembering the last one. Then you forget one, and it feels like it takes half a day to get back into the system. If only life could be simple – Password1 anyone?
Passwords affect everyone, and the criminals are getting better not only at cracking them but also at using them. There are tonnes of advice out there, but if you are not a techie person, using 2FA and biometrics to access your cloud-based, military-grade encrypted secure vault may feel like a stretch too far. So we take the easy route and choose something we can remember.
Earlier in 2020, there was National Password Day. According to SplashData, these were the most popular passwords found in data collected from websites and services that had been breached – do you see one of yours in this list?
Other common examples include:
Why d03s 1t m@tt3r?
We need to start by thinking about why we even have a password. It is a form of security that lets us log securely into something and allows us, and only us, to see what is on that site or service. So if you log onto your computer, you see all your files and no-one else using that computer can see your documents. If you log into a shop online, you can see all your orders, but no one else’s details, and they cannot see your orders either. So, from that point of view, they are useful.
Passwords Str3ngth 1n numb3r5
The next thing we need to think about is why they need to be long, strong, complex and unique. We hear this advice all the time, and for some, this is where things start to go wrong. Imagine, if you will, a techie person. They will have to log in to so many services for work, home, email and shopping. They could have access to over 500 websites – that’s 500 long, strong, complex and unique values they have to remember. For most of us, we would stop right there and start using the same one for everything, as remembering 500 is nearly impossible. So back to 123456 again! Let me take you on a brief technical interlude while you think about your passwords.
Wh@t hApp3n5 wh3n y0u typ3 !n y0ur passwords?
The actual process of what happens is fascinating and complex at the same time. This blog will set out a simple version for you, so you understand the basics of what is going on.
When you type your password into the box on a website, the first thing that happens to it is that it is passed through an algorithm. An algorithm is a clever piece of code that turns your password into a unique scrambled version. There are lots of different algorithms; here are the outputs of two examples:
MD5 – 25a4e55018610319ab54297df09f1052
SHA2 – 47fec880a12eae17607a0e66381c084d41999c33ef53cab74331c1b6
However, if you change just one character, you create an entirely new unique output. This unique output is called a hash.
MD5 – 48ab1243dfc4a8c7b971e0f45b70a9d8
SHA2 – df58ea248a48608618381457e80260b70c7b1a059ae1385acfabac20
The website compares the hash of what you have typed in against the hash it has already stored in its database. If the hashes match, you are granted access. The website should never see or store your un-hashed password. If it does, this is what you hear described in the media as passwords kept in “plain text.”
Passwords, Salt ‘n rainbows
Suppose a website gets breached and a criminal gains access to the hashed passwords. In theory, they then have to work all those hashes back to the original values. Websites can make this more challenging by adding a set of extra characters, called a salt, to each password in the background before it is hashed. With a salt in use, the criminal would also need to know the salt before they could crack the hashes.
If no salt was used, the criminal only needs to crack the hashes, and plenty of software exists for them to do this with. Even then, time is against them. Luckily for the criminals, the work has already been done to create lookup tables of known passwords and their associated hashes. For example, if you knew the hashes for every word in the dictionary, you could look up a hash and find the password. These lookup tables are called Rainbow Tables. At the point of writing this blog, I found rainbow tables for all combinations of mixed capitals/lowercase letters, numbers and symbols up to 8 characters long – and this is in the public domain. So if yours is eight characters or less, criminals can literally look up your hash and read your password back.
All common passwords also exist in Rainbow Tables as do all dictionary words.
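To make the hashing, salting and lookup-table ideas above concrete, here is a short Python example added for this post (not the blog author's code). The password list is a tiny constructed stand-in for the huge wordlists behind real rainbow tables, and the salt values are made up; it shows why one changed character alters the whole hash, why an unsalted hash can simply be looked up, and why a salted (and slow) hash cannot.

```python
import hashlib
import os

# Constructed sample data: a tiny "known passwords" list standing in
# for the enormous wordlists that real rainbow tables are built from.
COMMON_PASSWORDS = ["123456", "password", "Password1", "qwerty", "letmein"]


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5 hex digest, like the MD5 examples in the post."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha224_hex(text: str) -> str:
    """SHA-2 (224-bit) hex digest; the post's SHA2 examples are 56 hex characters long."""
    return hashlib.sha224(text.encode("utf-8")).hexdigest()


def changed_chars(hex_a: str, hex_b: str) -> int:
    """Count hex positions that differ: a one-character edit changes almost all of them."""
    return sum(1 for a, b in zip(hex_a, hex_b) if a != b)


def build_lookup_table(passwords) -> dict:
    """hash -> password table: the same idea as a rainbow table, for a tiny wordlist."""
    return {md5_hex(p): p for p in passwords}


def lookup(table: dict, digest: str):
    """Return the password behind a stolen digest if it is in the table, else None."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> str:
    """The salt is mixed in *before* hashing, so a precomputed table no longer matches."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def recommended_hash(password: str, salt: bytes) -> str:
    """What a site should really store: a salted *and slow* hash (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000).hex()


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'Password1' in table:", lookup(table, md5_hex("Password1")))
    salt = os.urandom(16)  # a fresh random salt per user, as a site would generate
    print("salted 'Password1' in table:  ", lookup(table, salted_hash("Password1", salt)))
    print("hex chars changed by one edit:", changed_chars(md5_hex("Password1"), md5_hex("Password2")))
```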
For an insight into how these attacks work, read this article.
Those pesky criminals always seem to make our lives more difficult! If you have a password that is longer than eight characters, then you are making life more difficult for your attacker. The more characters you add, whether numbers, letters or symbols, the harder it is for the criminal to reverse that hash back into your password.
But could you remember 500 passwords, uppercase, lowercase, numbers and symbols over 9 characters?
M@k3 !t un!qu3
If you are a non-technical person, this can cause you problems, because each password also needs to be unique, so that a criminal who gets hold of one cannot re-use it elsewhere.
Tips for non-techies
So, the daunting task has now been set, but where do you start? Here are some starting tips, but they are not going to make you bulletproof. They will give you a head start though as you move to the advice later in this blog:
- Use 3 (or more) words for your main password – HedgehogSecurityFanclub
- Add letters from the service you are using e.g. Facebook could be FA – HedgehogSecurityFanclubFA
- Use numbers and symbols in your password – H3dgehogS3curityF@nclub!FA
- Congratulations, you now have a password that is long (26 characters), strong (upper/lower case letters, numbers and symbols) and unique (each website gets its own identifier)
- Investigate password managers, they are not as scary as you think
This is just the start, where you want to be aiming for is a password manager. They can create passwords even longer, even more complex and totally unique for each website you visit.
A password manager is a piece of software that lives on your devices. You log into it with a good strong password (or on mobile devices, this could be your fingerprint) and it holds all your passwords for you. It can generate new passwords for you, and when you go to log into websites, it pops up and puts the password in for you. You never need to remember the 500 passwords. You just need one, the one that opens the password manager.
Once you have a password manager, you can then start to change your passwords over to the longest password the website can accept and have it as gobbledygook as you would like. Still, you don’t have to remember any of them, you just click the password manager and let it do all the hard work for you.
The benefits of using a password manager are huge. Here are some obvious and not-so-obvious ones to think about.
- All your passwords are difficult for criminals to attack
- If you go to a scam website (where the attacker has made a copy website) then the password manager will not recognise the website and so will not put in your details
- If you need to share a password (e.g. for an online service), you can send it securely to someone else if they use a password manager too
- You can leave your password manager main password in a Will so that should anything happen to you, your spouse or family can gain access to services e.g. utility companies and insurance companies
- If you have these at work and someone leaves then you can easily remove access to services as you have access to the password vault
My own tale
I moved to a password manager a little over three years ago. I imported into it about 400 passwords because I was starting to forget passwords and spent more time resetting them than typing them in.
The password manager told me how many duplicates there were and also how many existed in data breaches. It took over a year of going through each website and changing every password and in some cases, deleting my data from unused websites too.
As I write this today, I now have over 750 passwords in my password manager. Every one of them is unique. Every one of them is long and strong, and I have no idea of what any of them are. I only have one that I do know – and that is the one to get me in, and most of the time, I use my fingerprint anyway. My Will has my password in it. Should anything happen to me, my wife can get access to car, life and house insurance accounts and utility records. She also, therefore, has access to my emails and social media, so can let people know what has happened. All this from one piece of software.
You can find more information at the National Cyber Security Center too.