In this article, we explore password security for users. Don't worry, you don't need any technical knowledge to follow along!
We approach the topic by looking at how a potential hacker goes about cracking passwords, what mechanisms stop him and what kinds of passwords cost more time to crack.
How passwords are stored
Let's assume a hacker has successfully attacked a web service and found a number of user accounts in the database. Most of the account data, such as usernames, email addresses and birth dates, is stored as plain text, but passwords are usually not stored directly. Instead, a so-called 'hash' of the password is computed and stored in the database. The hash of a password works only one way: the same password will always produce the same hash, but there is no way to turn the hash back into the password used to generate it, because information about the initial input is lost during the calculation. This makes hashes excellent for storing passwords, as even if a hacker gains full access to the user data, he still won't have their passwords - yet.
What is password 'cracking'?
The only way to figure out the password from its hash is to guess and see if the resulting hash matches the one you are trying to crack. The most common approach to this problem is to use so-called 'wordlists' - text files containing one possible password per line. These files can range from a few MB to hundreds of GB in size. To get an understanding of their size, here is a comparison:
- The entire Lord of the Rings saga (including The Hobbit): 576,459 words
- The combined works of William Shakespeare: 884,647 words
- Wordlist 'RockYou': 14,341,564 words
- Crackstation complete list: 1,493,677,782 words
Cracking a password hash by guessing is called a brute-force attack. This type of attack is fairly expensive, as a lot of CPU (or GPU, in more modern setups) power is required to compute a hash for each possible password and check whether the resulting hash matches your target hash. To reduce the cost of this operation, attackers try to reduce the number of guesses per hash by only trying values that have a statistically high chance of being used as a password. As a result, there are three common categories of wordlists:
- Passwords obtained from past attacks - By far the most common; they have a high chance of success because humans tend to reuse the same passwords
- Generated lists - For example, all combinations of 4-digit numbers. May be promising against specific kinds of passwords, for example PIN codes.
- Common words - Such as human names, pet names, nicknames, dictionary words or names of animals
Other approaches to cracking passwords
In addition to the wordlist method, there are some alternative approaches to guessing passwords.
The first belongs to a group of attacks called Social engineering, a category of hacking attacks seeking to exploit the human nature of their target, specifically the fact that most humans are predictable in their actions and choices. This method uses tools like cupp to generate wordlists based on personal information about the target, such as forename, surname, email address and date of birth. A lot of this information can be found in user accounts without even researching the target, but since this generation process would add substantial cost to the cracking of a large database of password hashes, this is not commonly done against random targets. It does see more frequent usage against presumably high-value targets, like admin accounts or when targeting a specific person.
The second is almost never used, as its chance of success is incredibly low and it is by far the most expensive. It is to simply generate all possible combinations of bytes of all lengths on the fly until one fits the password. There is no economic way to use this technique unless you are absolutely sure the password is very short (1-4 characters), and even then it would take days to weeks to complete, depending on hardware.
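The guess-and-compare loop described above, as an added example that is not part of the original article: a constructed, tiny "leaked" user table that stores only hashes, a constructed six-entry wordlist standing in for a list like RockYou, and a generated list of all 4-digit PINs. The accounts, passwords and wordlist entries are made up for the demonstration; SHA-256 is used here only because it is easy to show, not because it is what a service should use.

```python
import hashlib
import itertools


def sha256_hex(password: str) -> str:
    """One-way hash: the same input always gives the same output,
    but the output cannot be turned back into the input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of what an attacker might find after dumping a user table.
# Only the hashes are "stored"; the plaintexts are shown here purely to build the sample.
LEAKED_DB = {
    "alice@example.com": sha256_hex("password123"),         # common leaked password
    "bob@example.com": sha256_hex("2468"),                  # a 4-digit PIN
    "carol@example.com": sha256_hex("input-gray-capitan"),  # long mnemonic passphrase
}

# Constructed mini wordlist standing in for a list of passwords from past leaks.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "dragon"]


def generated_pins():
    """'Generated list': every 4-digit combination, 0000 .. 9999."""
    for digits in itertools.product("0123456789", repeat=4):
        yield "".join(digits)


def crack(db, candidates):
    """Hash each candidate and look the result up among the target hashes.
    Returns {account: recovered_password} for every hash that matched."""
    targets = {h: account for account, h in db.items()}
    found = {}
    for guess in candidates:
        h = sha256_hex(guess)
        if h in targets:
            found[targets[h]] = guess
    return found


def run_attack(db=LEAKED_DB):
    """Wordlist pass first (cheap, high hit rate), then the generated-PIN pass."""
    found = crack(db, WORDLIST)
    found.update(crack(db, generated_pins()))
    return found


if __name__ == "__main__":
    result = run_attack()
    for account, h in LEAKED_DB.items():
        status = f"cracked: {result[account]!r}" if account in result else "not cracked"
        print(f"{account:20} {h[:16]}...  {status}")
```

Running it recovers alice's and bob's passwords within 10,006 guesses, while carol's passphrase is never found because it appears in neither list and is far too long for the exhaustive search the article describes. Note that a real service should store passwords with a slow, salted password hash (bcrypt, scrypt or Argon2) rather than plain SHA-256, precisely so that each guess in this loop costs the attacker much more.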
What happens if an attacker cracks a password
The first thing is to take the found username/email and password combination and try it on different websites, like email providers, social networks, etc. Most people use one or two passwords across all their accounts, so getting access to one account may also open the door to dozens of others. The second thing is to add the password to a password list, if it isn't already in one. Lastly, the attacker may seek to get real-world value out of the account, by selling it or using it for illegal purposes.
Making your passwords unpredictable
You may have heard the term entropy in relation to password security/strength. Entropy measures the uncertainty of an input, in other words how unpredictable something is. A single letter from a-z could be one of 26 choices, while 2 letters from a-z could be any of 676 combinations. More possible combinations means more entropy, because it is less predictable which one of the combinations your password is. This is also the reason passwords should contain several types of characters, like uppercase, lowercase, numbers and symbols, and have a certain minimum length - they all add more uncertainty because they make the number of possible combinations much higher. If your password is all lowercase, then every character could be one of 26 letters. If it contains uppercase and lowercase, every character could be one of 26 lowercase or 26 uppercase characters (twice as many choices as before).
Unfortunately, this has led to the belief that passwords are supposed to be complex - which is true, but not in the way you expect. What is complex for you isn't necessarily complex for a computer. Take the passwords nK&nD/a1 and input-gray-capitan for example: I'm sure you would agree the first one is more complex than the second, right? Well, for a computer, it is the opposite: the first has an entropy of 52 bits, whereas the second has a whopping 101 bits of entropy. The second password type is called a mnemonic password, a type of password that is very easy to remember for humans because it consists of only a few words we know, but extremely hard to guess for a computer because of its length.
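The entropy arithmetic from the last two paragraphs, worked through as an added example that is not part of the original article. It uses the simplest model there is: a password of length n drawn from an alphabet of size c has c^n possible combinations, i.e. n * log2(c) bits. The alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the guess rate of 10 billion hashes per second are assumptions chosen for the illustration; the absolute figures therefore differ a little from the ones quoted above, but the ordering of the two passwords is the same.

```python
import math


def charset_size(password: str) -> int:
    """Size of the alphabet the password draws from, under the assumed
    character classes: lowercase 26, uppercase 26, digits 10, symbols 33."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def combinations(charset: int, length: int) -> int:
    """Number of possible strings: 26 letters -> 26, two letters -> 676."""
    return charset ** length


def entropy_bits(password: str) -> float:
    """log2 of the number of combinations = length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_brute_force(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every combination at the assumed guess rate."""
    return combinations(charset_size(password), len(password)) / guesses_per_second


def compare(a: str, b: str) -> dict:
    """Summarise both passwords so the reader can see why length wins."""
    return {
        p: {
            "length": len(p),
            "alphabet": charset_size(p),
            "bits": round(entropy_bits(p), 1),
            "brute_force_years": seconds_to_brute_force(p) / (365 * 24 * 3600),
        }
        for p in (a, b)
    }


if __name__ == "__main__":
    print("one lowercase letter:", combinations(26, 1), "choices")
    print("two lowercase letters:", combinations(26, 2), "choices")
    print("one letter, either case:", combinations(52, 1), "choices")
    for pw, info in compare("nK&nD/a1", "input-gray-capitan").items():
        print(f"{pw!r}: {info}")
```

The 8-character mix of all four classes comes out at about 52.6 bits, which at the assumed rate falls in days; the 18-character lowercase passphrase needs far more bits even though it uses a smaller alphabet, because every extra character multiplies the number of combinations rather than adding to it.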
Making your accounts more secure (and the drawbacks)
- Subscribe to a hack notification service. These free services collect stolen account data and notify you if your email address was found in a list of hacked accounts, so you know which accounts were compromised and can take action to secure that account or mitigate damages quickly. Haveibeenpwned.com is currently the largest provider for this.
- Check if your passwords are already in wordlists. Before using a new password, it is always a good idea to check whether it is already part of a wordlist and thus worthless for protecting your account. There are several free services online that offer this functionality, like haveibeenpwned and Kaspersky's Password checker. Some password managers like Google Password also have a built-in password checker that monitors this for you automatically.
- Enable two-factor authentication on important accounts. This ensures that even if an attacker gets your password, they still can't log in without your smartphone. Take this with a grain of salt: losing your phone also means locking yourself out of all two-factor protected accounts (at least temporarily).
- Use a password manager and randomly generated, unique passwords for each account. The reason most people don't use unique passwords for each account is that keeping them in mind is almost impossible with the number of accounts we have today. Using a password manager ensures that you only need to remember one good password while also enjoying the added protection of unique passwords for each of your accounts. Take this with a grain of salt: despite widespread belief, password managers can be hacked as well - for example if you type your master password on a computer that was infected with spyware or a keylogger. Also, forgetting your master password, getting kicked off the platform or a service outage can temporarily or permanently lock you out of all your accounts when using a password manager, so make sure you always have a backup of your passwords somewhere safe!
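Two of the recommendations above in code, as an added example that is not from the original article: generating random passwords and mnemonic passphrases with Python's `secrets` module (the right source of randomness for this, unlike `random`), and checking a candidate password against a leak corpus without sending the password anywhere. The check mirrors the k-anonymity lookup that haveibeenpwned's Pwned Passwords service uses (only the first five hex characters of the SHA-1 hash leave the client, and the returned suffixes are compared locally), but the "server" here is a constructed in-memory stand-in with five made-up leaked passwords, and the eight-word list is likewise constructed; a real passphrase list has thousands of words.

```python
import hashlib
import secrets
import string

# --- Generating unique, random passwords ---------------------------------
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"
# Constructed word list for the demo; use a list of several thousand words in practice.
WORDLIST = ["input", "gray", "capitan", "river", "stone", "lantern", "orbit", "maple"]


def random_password(length: int = 16) -> str:
    """Random character password from ALPHABET, using the OS secure RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words: int = 4, separator: str = "-") -> str:
    """Mnemonic-style password: a few randomly chosen words joined together."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(n_words))


# --- Checking a password against a leak corpus privately -------------------
# Constructed stand-in for the server-side corpus of leaked passwords.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "password123", "letmein"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range lookup works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_CORPUS: dict[str, list[str]] = {}
for _p in LEAKED_PASSWORDS:
    _h = sha1_upper(_p)
    _CORPUS.setdefault(_h[:5], []).append(_h[5:])


def fake_range_server(prefix: str) -> list[str]:
    """Stand-in for the range endpoint: all hash suffixes sharing a 5-char prefix.
    The server learns only the prefix, never the full hash or the password."""
    return _CORPUS.get(prefix, [])


def is_pwned(password: str, range_server=fake_range_server) -> bool:
    """Client side of the lookup: send the prefix, compare suffixes locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_server(prefix)


if __name__ == "__main__":
    for candidate in ("password123", random_password(), random_passphrase()):
        verdict = "already in a wordlist - do not use" if is_pwned(candidate) else "not found in the corpus"
        print(f"{candidate!r}: {verdict}")
```

A password that is "not found" in a leak corpus is not automatically strong (the corpus is never complete), so the check complements, rather than replaces, generating the password randomly in the first place and storing it in a password manager.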