The Grumpy Designer on passwords

Passwords Part 1: What is a password?

This is the first part of a series about passwords—what they are, how they work, and how to use them securely.

One of the biggest and most misunderstood aspects of online security is the password. This once simple mechanism for securing digital accounts has become a huge disruption in most people’s lives. Hardly a week goes by without another news story about hackers getting access to thousands or millions of users’ passwords. Pundits come on the TV and give advice about using complicated passwords. Security writers publish lists every year about common passwords not to use.

All the while, most of us have at least 10 to 20 accounts (websites, apps, devices, wifi, etc.) to manage. All of these require passwords that we need to remember. It seems we all struggle with ways to remember all of our passwords. Sometimes we even break the rules and use the same password all the time.

But how much of this is really cause for concern? How much is there to worry about when it comes to password security?

The truth is, password security is an extremely important issue. How we use passwords has a major impact on our own online security and safety. In fact, secure and proper use of passwords is one of the main things that we can each control about our own online security. But we’ll get to that a bit later on in this series.

Before we dive into the nitty gritty of password security, let’s first talk about what passwords are and the components that work together to help you secure your information.

What is a password, anyway?

A password on its own is really just a secret bunch of letters, numbers, and symbols meant to protect something. To really understand what passwords are for and how they work, let’s first talk about what the password is there to protect.

Different types of passwords exist to limit access to many types of devices, like smartphones, computers, and tablets. Passwords also protect your private information on websites or apps that need to save personal data. These could be email sites, like Gmail or Hotmail, or online retail websites, like Amazon. Services like these function because they save a record of how you’ve used them in the past. For example, Gmail saves all of the emails you’ve sent and received, and Amazon saves your past purchases. They are convenient because that information can be used again. But, because the sites save data that is personal and private, they have to store it in a way that other people can’t see or access it without permission. That’s what we mean by secure.

For the sake of this article, let’s call the websites, apps, and devices that need our private information secure systems. Let’s call the place each individual’s information is stored a secure account.

When you sign in to a secure account, it needs to do two things. First, it needs to have you identify yourself. Then it needs to be able to confirm that you are who you say you are. To know who you are, the secure account will usually require a username. To prove you are who you say you are, the secure account will ask you to provide a password. This combination of username and password is your login information, or login credentials. We call this combination “login” information because you use it to log in or sign in to the system.

Example of a typical website log in or sign in form.

The username

To identify you, most secure accounts will ask you to provide your username. Most of the time, the username will be your email address or mobile phone number. Most secure systems use the email address or mobile phone number as the username because they also use one of these as the “unique identifier” in the system.

The unique identifier is the one bit of information that can distinguish one person from another person in a system. A person’s name won’t make a great unique identifier—what if there is more than one Rob Parker on Gmail or Amazon? A home address won’t work as a unique identifier because more than one person may live there. So, traditionally, the email address is the unique identifier because 1) most people have an email address, and 2) most email addresses have only one person who uses them. In recent years, the same has become true of the mobile phone number—it is ubiquitous and unique to the individual—so it is becoming a popular unique identifier (and username) in some secure systems.

There’s one more thing you need to know about the username—it is public. The username is not a secret because the system needs a way to communicate with you should you forget your password—it needs to know who you are, even if you’re not signed in. This is great, because it is easy to forget a password and you may need to reset your password. However, the public username is not so great because someone can easily guess your username and get half the equation to cracking your secure account. This is especially true if your username is your email address or mobile phone number. D’oh!

The password

The password is the second part of the identity equation, the secret part that verifies your identity. Once you give your username, you’ll also enter your password into the secure system. At this point, the system can compare the username to the password it has on file for you. If the password matches the username on file, you will get access to the system. The best secure systems encrypt passwords so that no one on the secure system, other than the user, can see the private password at all, although this does not always happen.

Encryption and decryption

Encryption is the process or mechanism by which the secure system can scramble or obscure private data so that hackers or snoops can’t get access to the actual data. Decryption is the process of descrambling or revealing that private data. Encryption and decryption generally use some sort of mathematical equation, or algorithm, to perform the scrambling and descrambling. If a piece of data is not encrypted, it is known as plain text. What you’re reading now is plain text.

Ok, so how does all of this work?

Now that you know the terms associated with passwords—secure system, secure account, username, password, encryption, decryption—let’s talk about how all those parts work together to keep your private information private.

Entering your login information

When you go to log in (or sign in) to your device, website, or app, you’ll enter your username and password. When you enter this information, the pieces you tap or type in will be checked, or verified. This verification may include checking to see if the information you enter, such as the email address or mobile phone number you use for your username, is of the correct format.

Next, the password you entered will be compared by the secure system with the password on file for your username. If the two passwords match, you will gain access to the secure account. If the passwords do not match, you will not be given access.

But what if you forget your password, or if for some other reason the password you enter does not match the password on file in the secure system? Don’t worry, there is usually a way to reset your password in the system, such as a “Forgot your password?” link.
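The login flow described above (format check on the username, lookup of the account on file, comparison of the entered password, and refusal when anything does not match) as a small working example. This is added code written for this article, not part of the original post, and it uses a constructed in-memory account store with a made-up email address. It also shows the point from the encryption section in practice: what the system keeps on file for an account is a scrambled, one-way form of the password (a salted hash, which is the standard way systems “scramble” stored passwords), so even someone who can read the stored record does not see the plain-text password. The email format rule and the work factor are assumed values for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory "secure system": maps the unique identifier (an email
# address used as the username) to the stored verifier for that secure account.
_ACCOUNTS = {}

# Assumed format rule for an email-style username (good enough for the example).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example


def username_is_valid(username: str) -> bool:
    """Step 1 of verification: is the username in the expected format?"""
    return bool(_EMAIL_RE.match(username))


def _derive(password: str, salt: bytes) -> bytes:
    """One-way scramble of the password: there is no 'decrypt' for this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> bool:
    """Create a secure account. The plain-text password is never stored;
    only a random salt and the hash derived from it go on file."""
    username = username.strip().lower()
    if not username_is_valid(username) or username in _ACCOUNTS:
        return False
    salt = secrets.token_bytes(16)
    _ACCOUNTS[username] = {"salt": salt, "hash": _derive(password, salt)}
    return True


def login(username: str, password: str) -> bool:
    """Step 2: compare the entered password with what is on file for the username."""
    username = username.strip().lower()
    if not username_is_valid(username):
        return False
    record = _ACCOUNTS.get(username)
    if record is None:
        # Unknown username: do the same amount of work anyway so response time
        # does not reveal which usernames exist in the system.
        _derive(password, b"\x00" * 16)
        return False
    candidate = _derive(password, record["salt"])
    # Constant-time comparison of the two scrambled values.
    return hmac.compare_digest(candidate, record["hash"])


def stored_form(username: str) -> str:
    """What the system actually holds for an account (hex), to show it is
    not the password itself."""
    record = _ACCOUNTS[username.strip().lower()]
    return record["hash"].hex()


if __name__ == "__main__":
    register("rob@example.com", "correct horse battery staple")  # constructed account
    print(login("rob@example.com", "correct horse battery staple"))  # True
    print(login("rob@example.com", "wrong password"))                 # False
    print(login("nobody@example.com", "anything"))                    # False
    print(stored_form("rob@example.com"))  # 64 hex characters, not the password
```

Running it prints `True`, `False`, `False` and then the stored hash, which looks nothing like the password typed in. A real system also adds rate limiting and the “Forgot your password?” reset path mentioned above; those are left out here to keep the verification step itself readable.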

Conclusion

So, in a nutshell, a password is a secret bunch of numbers, letters, and symbols used to prove your identity and access private information in a secure computer system.

Coming up next time, Passwords Part 2: The problem(s) with passwords.

Have fun, and be safe!

Rob Parker, aka the Grumpy Designer