Password security

Posted in: (Security) on 28th November 2014

Nowadays, the average computer user probably has dozens of passwords for websites and devices. You may well have heard that it's a good idea to use different passwords for every site, but always thought it too much of a hassle to actually keep track of.

If so, you may also be surprised to hear that many I.T professionals even suggest that's it's perfectly acceptable to use the same password for every login, but this is just bad advice. In this article, I'll attempt to explain how your passwords are handled by others, and just why you should care more about online security than you probably already do.


Password Storage - The ideal

Most reputable websites will store your password in a way that's virtually impossible to decode. This usually involves running your password through a "one-way" cryptographic algorithm, such as SHA2, and storing the resulting hash, rather than your password itself.

To provide an example, if you entered the password "LetMeIn", here's how it might look when stored in this way:


You might struggle to work out that this seemingly-random collection of characters is actually "LetMeIn", right?

(if you're interested, the above example also employs the use of a cryptographic "salt" in order to strengthen the hash further against dictionary attacks. This is particularly effective when users might enter weak passwords, i.e "Steve1")

But how, you might ask, can a website allow you to log in if it doesn't actually know your password?

It's quite simple really. When you first set up your password, it converted what you typed into a hash like the one above. When you come back to the site to log in, the password you entered is simply converted to this hash once more and compared against the one stored. If they match, then the passwords must be the same, and login is permitted.

(this of course assumes that each piece of text you enter would produce a unique hash, but many algorithms such as MD5 and SHA1 have been found to suffer from so-called "collisions". This is where two or more different values could potentially result in the same hash, which is naturally a bad thing for passwords. Newer, improved algorithms such as SHA2 aren't yet known to suffer from this problem)


The Problem

Unfortunately, not all websites and companies are so careful with your passwords. Many websites, including some of those run by large companies, store your passwords as plain, human-readable text. You enter "thisismypassword45", and that's what someone sees when they look at the password database.

Essentially, this means that any dishonest person working for a company could easily steal all of the customer logins if they had access to the database they were stored in. Also, if a website is attacked and its database compromised (and this often happens, i.e Sony's online services a few years ago), the attacker now has your password.

Now imagine that you use the same e-mail address and password for all of your sites; PayPal, Facebook, iTunes. Every single one could be compromised before you even had a clue it was happening.


Best Practice

Because you can't be certain of how safely companies store your data, I would strongly advise that you make a habit of using a unique password for every site you use. That way, even if one of them is compromised, you don't risk the security of your other accounts.

Doing so may seem annoying, particularly if you're not keen on remembering them all, but don't forget that it's fine to write them down. Just excercise common sense when it comes to keeping them private (I do see a surprising amount of people with password-laden post-it notes stuck to their laptops and monitors!)


Recent Articles