An Inside Look at Password Security

Have you ever had your personal information stolen online? One of our security experts reveals an inside look at password security and encryption methods while offering advice for protecting your information without a laundry list of individual passwords.


Password Security

  • Oct-Dec 2013 millions of Facebook, Gmail, YouTube, Twitter, LinkedIn, Trustwave, Adobe and ADP passwords were stolen in massive hacks
  • Feb 2014 encrypted passwords stolen in Kickstarter breach
  • May 2014 eBay hacked, all users asked to change passwords
  • Aug 2014 Russian hackers obtain over a billion passwords from thousands of websites

Stories like these continue to fill the news headlines, with massive amounts of username-password combinations stolen every year. While websites that collect user information are required to implement certain security measures–depending on the country and the type of information–some websites do a better job than others.

How do websites protect your login information?

Normally, when you create an account with a website you’re required to enter a username and a password in order to access your personal information and other resources that are available only to you. Your login credentials should be protected from the moment you enter them in the browser until they reach the server. Use computers and devices you trust, since malware on the device (such as a keylogger) can steal your credentials as you’re typing. Moreover, ensure that the website is loaded over HTTPS, as this protocol will encrypt your credentials in transit–you should see an “https” at the beginning of the URL rather than “http” alone.

When the credentials arrive at server, the website typically uses cryptography to convert the password into a scrambled, unreadable text before storing it along with the username in a database. There are numerous encryption algorithms a web application can use to encrypt passwords. Some are less complex and use short encryption keys, which increases the chance of the password cracking and falling into the wrong hands, and some are more secure than others. For example, let’s assume that your favorite website uses AES encryption and their encryption key is webkey. Let’s also assume that:

Your password is MyP@$$w0rdIsStron6

Then the encrypted value of your password will be axV29nxohPDlZZQXDL8lg0jMJOy8BGRlL6Z7yoijD9U=

Your friend’s password is mypass

Then the encrypted value of her password will be CBGzJQlVYJnao06XYX1ltg==

If these passwords were stolen from the database, the attacker could guess or bruteforce the encryption key and decrypt your and your friend’s passwords to their original values virtually at the same time regardless of the password complexity.

You can use online tools such as http://aesencryption.net to test encryption of data

Password + Key

Given enough time and/or processing power, even passwords encrypted with more complex algorithms and longer encryption keys can be cracked using techniques such as brute-forcing or dictionary attacks. Brute-forcing refers to a techniques of probing every single combination of characters until a match for the key is found, whereas a dictionary is a list of commonly used encryption keys that are tried one by one until a match is found or until the list is exhausted.

This prompted security researchers to develop a better way of securing passwords that would make decryption mathematically impossible. The technique is now known as hashing. Password + Key produces a Hash that cannot be reverted back to its original value. One may ask, if the stored hash can never be decrypted then how does the website know that the password you use to login matches the stored hash?  The answer is – every time you login, the website will use the same algorithm to hash the entered password, then it simply compares this new hash to the one stored in the database, and if the two hashes match, then the user is authenticated.

While this sounds like an ideal solution, attackers have been able to find a way around it. They have created “dictionaries” of hashes–so called rainbow tables. These very large tables (over 32GB) contain pre-computed hashes for all commonly used password-key combinations. The rainbow tables are continuously updated with new entries and the increasingly growing processing power allows standard computers to match a stolen hash to a pre-computed hash within minutes. For example, Ophcrack, a free rainbow-table based cracking software, can cover 99.9% of all possible 14 character alphanumeric passwords within 11 minutes.

Salt

Since it’s unlikely that a user will choose a totally random long password that contains alphanumeric and special characters, security researchers had to come up with a way to increase the complexity of hashing so it cannot be easily attacked with rainbow tables. So they added “salt.” Salt is a long, random string of characters appended to a password before the two are hashed together.

Practically, a “salted” password becomes as a very long and complex password even if the original password the user chose was very short and weak. And the good news is, users don’t have to know or remember the salt because it’s generated by the website and it’s often kept in the database along with the hash. Moreover, in case of a data breach if the salt is stolen too the attacker won’t be able to tell the password apart as the two have been “scrambled” together during the hashing to an irreversible state.

Now you may wonder, does your favorite website uses encryption, or hashing, or hashing plus salting? Well, you probably won’t know unless they publicly disclose the techniques they are using. This take us to:

What can YOU do to protect your personal information?

Let’s say you use the same username and password on multiple sites: eBay, Amazon, and your Volusion store. After eBay was hacked, attackers may have stolen and decrypted your credentials. There’s a chance that they will also probe them against other sites like Amazon and your Volusion store; since you reused your login information, the attackers will be able to obtain access to your other accounts.

Internet users often have more than 30 online accounts, therefore it’s unrealistic to expect an individual to have a unique and strong password for each website they use. We also advise you not to write down your passwords, and even password managers may not be as good as they sound, since trusting a single master password could lead to a loss of information on multiple important accounts.

For the average user, however, there is a simple solution. If you only access a fairly small number of websites that collect highly sensitive (e.g. financial or healthcare) information, and the other sites you visit contain less sensitive information, researchers agree that setting unique and strong passwords on such sensitive websites and reusing passwords on less critical sites may be your best option.

Recommended link

Visit https://haveibeenpwned.com and enter your username or email to see whether your login credentials have been stolen in some of the major data breaches

Leave a Reply