Securing your online life; the dangers of passwords
The problem with passwords
Passwords are a relatively new problem of the last fifty years or so; they're the key to our digital lives, a key so often copied and re-used across so many doors.
We don't often stop to think about passwords. They're simple, really; a word that only we should know, and nobody else. This word we send to every place we sign up, and send again to access the same place.
Take a minute to visit Have I Been Pwned and check to see if any of your e-mail addresses (and their passwords) have been hacked. I'll wait for you to do that, then come back to see what you can do to help.
It's all about trust
We trust that websites take our passwords safely, and store them securely. We trust that they won't accept and abuse this word we have so heavily come to depend on.
Passwords, then, rely entirely on trust. But what if that trust is broken? What if that website you sign up for, with that password you always use (it's easy to remember and satisfies those silly password rules), uses it against you?
Well, we're stuck, aren't we? They now own our digital lives through that one small word we use everywhere. We didn't really stop to think about it; we just wanted to get in to see our Facebook feed. But now they can see our Facebook feed, too, and all of those juicy private messages we've been sending around.
Even so, a new company is hacked just about every week, and their user accounts exposed to the world. LinkedIn, Adobe, Sony, MySpace – these are only a few massive companies hacked in recent memory, and your passwords hacked with them.
Now, if you were smart, you used a password unique to that website. That way, if the hacker gets your password for LinkedIn, they can only access LinkedIn (not really, LinkedIn handled the issue). But what if you weren't, like most of us?
This requires a little more digging. To understand the anatomy of a password being hacked, we need to understand how that password gets from your fingers to the company's database, and how you can use it to log in.
What happens when you log in
Assuming the website you log into has some reasonable security in place to protect your passwords (which is, sadly, quite infrequent), the following tends to happen:
You type your password into the login form and hit the Enter key, as you have done so many times before. Your password is securely sent to the website via HTTPS (an encrypted communication method), and received by the website. The website then takes your plain password, as you have typed it, and hashes it.
Hashing uses your plain password to create a completely different value that cannot be directly reversed into your plain password. Modern hashing algorithms have built-in security mechanisms to further protect your password from attack.
The website then takes that password hash and stores it in a database. Whenever you try to log in, the website takes your plain password, makes the hash again, compares it to the hashed password, and logs you in if they match. Simple, right? Not really.
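The store-and-compare flow above, as an added example that is not part of the original article: a salted, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as one of the "built-in security mechanisms" the text alludes to) is derived at sign-up, stored, and re-derived at login. Because every record carries its own random salt, the same password stored at two different sites produces two unrelated hashes, which is why a leaked hash from one site is useless at another.

```python
import hashlib
import hmac
import os

# Work factor: each guess costs an attacker this many SHA-256 rounds,
# while a real user pays it only once per login.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn per record, so two users (or two
    sites) with the same password still end up with different hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the salt and iteration count stored in the record
    and compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never fall back to a plaintext compare
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_two_sites(password: str) -> bool:
    """True when the same password, registered at two 'sites', yields two
    different stored records (constructed demonstration of per-record salting)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("the quick brown fox jumps over the lazy dog")  # constructed sample
    print(record)
    print(verify_password("the quick brown fox jumps over the lazy dog", record))  # True
    print(verify_password("P@ssw0rd123", record))  # False
    print(same_password_two_sites("P@ssw0rd123"))  # True
```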
That's what it takes to secure passwords to a reasonable degree – hope that every website you use does this properly! Sadly, most don't even come close.
Does this mean that my passwords are safe?
When a hacker gets access to your password in this case, they really only get access to your password hash (the secured version of your actual password). This means that they don't have any easy way to get access to your real password, and the hash they have is completely useless in gaining access to other websites you use.
This means that the hacker, then, needs to 'crack' your hashed password to get your real password. This is a time-consuming and laborious process on the part of the hacker, which will not work for passwords longer than 14 characters or so.
Assuming your password is a short one, say 8 characters long with the usual assortment of capital letters, numbers, and special characters, it would take a hacker about six hours to get your real password. That's not a lot of time, really. Six hours and they now own your digital life.
Password cracking – how the bad guys get your password
What does 'cracking' actually entail? Think about it this way: your real password is a secret ingredient you add to a recipe for pancakes. Your recipe is a really good recipe, so a rival wants to find and use your recipe to sell for themselves. Except they don't have the secret ingredient, so they can't recreate your recipe.
To find your secret ingredient they take every single possible ingredient that will work to make pancakes, and try each one to see if it is your secret ingredient. If the pancakes taste the same, they have found it! And they know what your secret ingredient is. After that, they make your pancakes and sell them for massive profits. You go out of business and train circus cats for a living.
In the same way, they try every single possible password to get your real password. When they find the matching password, they have it, and can now do whatever they like with it; they win. Granted, this second explanation is shorter, but it is a bit more fun to think about pancake recipes.
We've managed to get through this whole bit about passwords, storing passwords, and finding your actual password. We haven't gotten to the bit where we tell you what you can do to prevent this.
Protecting your online identity
As with everything, it's complicated. But you can protect your password and online life in a way that prevents just about anybody from getting close. This is what you do:
1. Use a longer password! Length beats complexity. A hacker will not be able to crack your favorite line from your favorite book, but they will crack P@ssw0rd123 very quickly.
2. Use a unique password for every different website you use. This sounds simple, but is actually very annoying in practice. We'll show you how to do this.
3. Use two-factor authentication for services you use! This means that a hacker needs both your password and your own device to access your account. We'll show you how to do this, too.
Use a password manager
You can solve numbers 1 and 2 by using a good password manager. A password manager stores your passwords for you, which means that you don't need to remember them! You have a single, strong password you use to get into your password manager, and that's it. Only one password to remember! You had better make that password strong, though. Pick a favorite line from a song or book. Those work very well.
I recommend 1Password for this – it's simple to use, and is not too expensive. Your passwords are secured, and you can access them from anywhere. They have very good support too. It's well worth it, as your online identity is worth much more than $3 per month.
Dashlane is another good product, and you can also get two-factor authentication with Dashlane, either with YubiKey (physical) or Google Authenticator, both of which add a second layer of security to your password manager.
Enable two-factor authentication
Getting on to number 3: two-factor authentication. A unique, timed code is sent to (or generated on) your mobile device for you to enter when you log in. You enter the code your device gives you, and you're logged in; that's all there is to it.
One method is an SMS sent to your mobile device. While this is better than nothing, it does mean that, should someone manage to get access to your mobile number (SIM card swap, anyone?), you're screwed.
A better method is to use an app. There are a lot of good options for this! I personally use Authy (https://authy.com/) – it's simple, and gets out of your way. You open the app, choose your account, and it gives you the code you need to enter. Then you can get on with your day.
Facebook, LinkedIn, and practically every good website supports two-factor authentication. For the others, use Google to search for the service followed by "two-factor authentication" and you should find the information you need.
That's about as much as I can cram into a relatively short article about password security without boring the life out of you. Hopefully, this helped you a little bit in figuring this whole password thing out, and helping you secure your online identity.