The ultimate guide to passwords
Posted on 10 Feb 2012 at 14:31
Davey Winder reveals how hackers smash strong passwords - and how to keep yours as secure as possible
Despite a barrage of biometrics being launched over the past decade, passwords remain our primary means of safeguarding computers, data and online services.
Whether it’s for your home laptop or a corporate rollout, devices such as fingerprint readers remain prohibitively expensive compared to the cost-free password. Even when hardware authentication devices are used – by online banks, for example – there’s no escaping the password, which is used alongside the gadget that generates a unique PIN.
The problem is that passwords are a vulnerable means of protecting anything. A recent survey into corporate password usage by Lieberman Software revealed that 51% of those questioned had ten or more passwords to remember, and 42% admitted to actively sharing passwords.
With passwords here to stay, this has to change if data is to remain safe. Now’s the time to start learning with our ultimate guide to passwords.
How does a password work?
Before you can understand what a secure, or even an insecure, password looks like, you need to understand how a password works.
The basic notion of it being a “secret” word that, when entered into a login box, is compared against the entry stored for your username in a database of plain-text login passwords is flawed, not least because a password stored in plain text is about as secure as an unlocked door bearing a big sign saying “rob me”.
The question isn’t whether a password file is encrypted – it’s how it’s encrypted. Some systems still rely on basic encryption using a reversible algorithm, so that when you log in, the password associated with your username is decrypted and access is authorised.
This is dangerously insecure, because a hacker who obtains the encrypted database file can attempt to reverse the encryption, and thus gain access to the full password list.
That’s why the majority of today’s passwords are converted into a hash – a one-way mathematical function – and that hash value is stored in the database instead of the actual password itself.
A hashed password is run through a one-way algorithm that, in effect, turns it into a long number. Unlike reversible encryption, it can’t simply be decrypted to find the original value of the password in question: as the hashing process effectively destroys the password data itself, it’s all but impossible to reconstruct a password from the stored hash.
So you type your password into the system, which hashes it and compares the result against the hash value stored in the user list – if they match, you’re in. A hacker gaining access to that database of hash values is still none the wiser as to users’ passwords.
Not that a hashed password is totally secure: two identical passwords would share the same hash value, as the algorithm creates them using the original character string as the base.
If a hacker gained access to the database, they could identify user groups with matching hash values as likely to be using a dictionary word, and launch a dictionary attack on those to uncover it. Also, the most dedicated of hackers – such as those working for nation states and organised crime syndicates – will likely use something called a rainbow table to attack a hashed password list.
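The two points above, that a hash can be verified without being reversed, and that an unsalted hash lets anyone holding the database see which accounts share a password, can be shown in a few lines. This is an added illustration, not code from the article; the user names and passwords are constructed, and SHA-256 stands in for the slow, purpose-built password hashes (bcrypt, scrypt, PBKDF2) a real system should use. It goes one step beyond the text by adding a per-user salt, which removes the matching-hash leak.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and carol happen to have chosen the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """The scheme the article describes: store only a one-way hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hardened form: mix a random per-user salt into the hash before storing it."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_table(users: dict) -> dict:
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    # Each user gets a fresh 16-byte salt, stored beside the hash (salts are not secret).
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt.hex(), salted_hash(pw, salt))
    return table


def verify_unsalted(table: dict, name: str, attempt: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatching character.
    return name in table and hmac.compare_digest(table[name], unsalted_hash(attempt))


def verify_salted(table: dict, name: str, attempt: str) -> bool:
    if name not in table:
        return False
    salt_hex, stored = table[name]
    return hmac.compare_digest(stored, salted_hash(attempt, bytes.fromhex(salt_hex)))


def shared_password_groups(name_to_hash: dict) -> list:
    """Defensive audit: groups of accounts whose stored hashes are identical."""
    by_hash = {}
    for name, digest in name_to_hash.items():
        by_hash.setdefault(digest, []).append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)
```

Run the audit against the unsalted table and the alice/carol pair is exposed; against the salted table, the same two passwords produce different hashes and the audit finds nothing, while verification still works for both.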
Steve Gibson over at GRC did a good study of passwords last year:
By big_D on 11 Feb 2012
Bloke in the picture...
...strange resemblance to a certain magazine editor, don't you think?
By PaulOckenden on 13 Feb 2012
Who, Giant Haystacks?
By happygeek on 18 Feb 2012
Putting £ or € sign in passwords....
Is all very well until you find yourself trying to log in to your email in the USA with a non-UK keyboard and no hope of putting an ALT-0163 into the password field
By x16gen on 27 Apr 2012