This is the second part of a series about passwords—what they are, how they work, and how to use them securely. Click here to read the first part of the series, Passwords Part 1: What is a password?
In Part 1, we looked into some foundations—secure systems, secure accounts, the username, the password, encryption and decryption. Now, let’s talk about why passwords can be such a pain to use. We’ll also look at the dangers in not handling passwords seriously.
Problem #1: Passwords can be hacked
This is one of the scariest problems with passwords. However, if you have an understanding of how passwords can be hacked, you will be better prepared to protect yourself. The old, knowledge-is-power argument. Let’s take a look at a few of the ways that a password can be hacked, and some ways you can protect yourself.
Someone may try to get into a secure account by guessing a password as a targeted attack. Alternatively, they may try stealing a database that holds the login credentials of thousands, or even millions, of users.
Password guessing
If you’ve ever forgotten a website password and just started typing in guesses to find one that works, you probably started to feel frustrated by your failed attempts pretty quickly. That’s why hackers don’t do this. Rather, they are more likely to use sophisticated programs on fast computers to do the guessing for them.
Brute force
Sometimes a hacker will use that sophisticated software and fast computer to try out random combinations of letters, numbers, and symbols to guess a password. This is called a brute force attack. This isn’t a particularly common approach anymore as it can take thousands or millions of tries until they find something that works, and many websites will lock an account after a few unsuccessful attempts. However, if a website’s database is stolen, the lockout that limits unsuccessful attempts no longer applies to guesses made against the stolen copy, and brute force becomes a somewhat more viable type of hacking.
Solution: Passwords become exponentially harder to guess as they become longer and more complicated. Make sure your passwords are at least 18 characters long and use a combination of letters (uppercase and lowercase), numbers, and symbols.
Dictionary attacks
A dictionary attack is when a hacker uses real words from the dictionary to guess a password. Because many people use real words in their passwords, it is much faster to guess a password in this way than with random sets of letters, numbers, and symbols.
Another, and much quicker, method is to try using passwords from lists of previously used passwords. These lists often come from website databases that have been hacked. It’s pretty amazing how many people use the same passwords, such as “Password123” or “123456”.
Again, this is another type of brute force attack, as it will still take many tries to find a password that works. However, as with random brute force attacks, dictionary brute force attacks may still be successful against stolen website databases that can be cracked “offline”.
Solution: Don’t use real words in your passwords. But what if you’re super clever and substitute numbers for letters, like using “pa55w0rd” instead of “password”? Sorry, hackers think of these things too and can set their hacking programs to try out substitutions.
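To make the length and substitution points above concrete, here is an added example in Python (not code from the original post): a small strength estimator that picks the cheapest guessing strategy that would cover a given password and reports how many guesses that strategy needs. The word list and leaked-password list are constructed stand-ins for the real ones, and the “about four spellings per letter” rule factor is an assumption.

```python
import math
from typing import Set

# Constructed stand-ins for the lists a real checker would load: a few
# dictionary words and a few entries from leaked-password lists.
COMMON_WORDS: Set[str] = {"password", "welcome", "dragon", "sunshine", "football"}
LEAKED_PASSWORDS: Set[str] = {"password123", "123456", "qwerty", "letmein"}

# Letter-for-symbol swaps that guessing tools undo ("pa55w0rd" -> "password").
UNLEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def charset_size(password: str) -> int:
    """Size of the character pool an exhaustive search must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions, as a rule-based guesser would."""
    return "".join(UNLEET.get(c, c) for c in password.lower())


def estimate_guesses(password: str) -> int:
    """Rough number of guesses needed using the cheapest strategy that covers
    the password: leaked list, dictionary plus substitution rules, or brute force."""
    if password.lower() in LEAKED_PASSWORDS:
        return len(LEAKED_PASSWORDS)  # tried first; essentially free
    base = normalize(password).rstrip("0123456789")  # "dragon99" -> "dragon"
    if base in COMMON_WORDS:
        # Assumption: ~4 spellings per letter (lower, upper, digit swap, symbol
        # swap) and any run of digits appended after the word.
        variants = 4 ** len(base) * 10 ** (len(password) - len(base))
        return len(COMMON_WORDS) * variants
    return charset_size(password) ** len(password)


def bits_of_work(password: str) -> float:
    """Same estimate on a log2 scale, which is how strength is usually quoted."""
    return math.log2(estimate_guesses(password))


if __name__ == "__main__":
    for pw in ("password123", "Pa55w0rd", "dragon99", "Tq7#mL9vR2$pX4nB8z"):
        print(f"{pw:22} ~2^{bits_of_work(pw):.0f} guesses")
```

Run it and the leet-substituted dictionary word lands in the hundreds of thousands of guesses, while the 18-character random string lands near 2^118, which is the exponential gap the two “Solution” notes describe.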
Stolen databases
A type of hacking that has become more common than online brute force attacks is just to steal a database from a secure system. Once the hacker has stolen the database and downloaded it, they can break into it and harvest all the juicy user data in there.
Sometimes, secure systems encrypt or hash passwords so that the database holds a scrambled version rather than the password itself. In that case the hacker must run an offline brute force attack against the stolen database, either by generating random candidate passwords and trying those, or by running dictionary attacks. But sometimes the secure system does not scramble passwords inside the database at all. If someone breaks into that database, they can go to town and start breaking into accounts without much fuss.
Solution: Many secure websites encrypt or hash passwords to garble them inside the database, but not all do. For this reason, it is important to not use the same password over and over again. For example, let’s say you use the same username and password for your online banking account and for your Facebook account. If someone hacks your Facebook account, they can use your stolen login credentials to break into your online banking account.
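As an added example, not code from the original post, this is what the “scrambling” described above looks like on the system side: each password is replaced by a salted PBKDF2-HMAC-SHA256 record, so a stolen table neither hands out credentials directly nor reveals that two users share a password. The two-user table and its passwords are constructed for illustration; the 600,000-iteration work factor is an assumption chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed user table: what a stolen database reveals when passwords are
# stored as-is. Reuse between alice and bob is visible at a glance.
PLAINTEXT_DB: Dict[str, str] = {"alice": "Sunshine2020", "bob": "Sunshine2020"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt$digest' instead of the
    password. The per-user random salt makes identical passwords yield different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy requires."""
    return int(record.split("$")[1]) < minimum


def hashed_copy(plaintext_db: Dict[str, str]) -> Dict[str, str]:
    """Build the table a properly built system stores: one salted record per user."""
    return {user: hash_password(pw) for user, pw in plaintext_db.items()}


HASHED_DB = hashed_copy(PLAINTEXT_DB)

if __name__ == "__main__":
    for user, record in HASHED_DB.items():
        print(user, record[:48] + "...")
    print("reuse visible in plaintext table?", PLAINTEXT_DB["alice"] == PLAINTEXT_DB["bob"])
    print("reuse visible in hashed table?", HASHED_DB["alice"] == HASHED_DB["bob"])
```

Even with this in place, someone holding the table can still run the offline guessing described above against each record, which is why the slow work factor matters and why a password reused across sites is still the weak point.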
Problem #2: Passwords are hard to remember
That leads us to the second biggest problem with passwords—complicated passwords are hard to remember. That’s why many of us (you know who you are) will use simple, memorable passwords.
So, Mr. Grumpy Designer, what do you have to say about that?
I say, great! And here’s why: the only good passwords are the ones you can’t remember!
Wait, what?
Yes, I’m going to say that again and bold it this time because it’s important: the only good passwords are the ones you can’t remember.
Short passwords that use real words and common sets of numbers (like birthdates) are relatively easy to remember…and to guess. So, go with the longest, most complicated passwords that you can as they will be the hardest to guess.
Yes, ok, but they’re STILL HARD TO REMEMBER! And not just that. It is hard to type long, complicated passwords, especially on a mobile device with those tiny keyboards.
That’s why everyone needs some sort of password manager—a program that will help you store your passwords securely. But that’s for next time.
Stay tuned for the next in this series, Passwords Part 3: How to use passwords securely.
Have fun, and be safe!
Rob Parker, aka the Grumpy Designer