Let’s Talk About Your Passwords


This is going to be a mix of personal opinion and mathy stuff, all of which is likely to be correct.

For the too-long-to-read crowd, here’s the bottom line: if you’re using the same password(s) all over the place, stop doing that.


The hacking of a major energy pipeline company this past week is much in the news, and that has me thinking about cybersecurity.

Most of us face two significant threats, in terms of cybersecurity. One is that we’ll fall victim to malware, like the ransomware attack that crippled Colonial Pipeline last week. I don’t worry much about that because I run a good anti-virus product (Bitdefender, which I’ve used for many years and like because it’s cheap, effective, and unobtrusive), use its ransomware protection, and have a firewall that tries to keep unwanted guests off of my network. I also back up my work fairly often; I feel my own data is reasonably safe.

The other threat we face has to do with our online passwords. Unless your current way of managing your passwords is cumbersome and annoying, you’re probably doing it wrong and really should consider making your own life less convenient. Let me explain.

Most of us have lots of passwords for personal and work computers, online services, and the occasional devices around our homes. I don’t know how many you have (because I’m not the NSA), but my list currently contains more than 600 entries. I’m probably an outlier, since I work in the computer industry and have a lot of client passwords, etc., tucked away. My own personal passwords number in the several dozens, considering all of the banking and online services, entertainment, vendor, etc. sites that I visit. You’re probably similar.

You probably count on your browsers to remember most of your passwords for you. I certainly do. I couldn’t tell you my Ricochet password, my Facebook password, my MeWe password, nor any of my vendor passwords, because I don’t know them. I know how to log into my bank and into Gmail, but not into any of my routers or devices, nor most of my accounts on my clients’ servers.

I keep all those passwords in an encrypted database and pull them up when I need them. (The password to that database is one password I do remember, and it’s pretty long.) I need to do that because my passwords are all different, every single one of them. Each is a little absurd: two “words,” at least one of which isn’t a real word, each containing a capital letter (though not always the first), joined by a symbol that is neither a letter nor a digit, and the whole thing begins and ends with one more such character, one of which is a digit and the other not. Their average length is 18 characters.

I don’t worry about the fact that my browser knows my passwords. I don’t worry about having them all in one file; a file that could, conceivably, be hacked by some cyber-villain. I don’t worry about that because the greatest risk I face, in terms of my online security, isn’t that someone will break into my computer and steal my passwords. Rather, it’s that someone will break into a poorly maintained online server and steal all of the passwords on that server, mine included. And that’s the greatest risk you face, as well.

How Companies Store Passwords

They don’t. Oh, a few might, but no competent online company actually stores your password anymore. What they do is take your password and hash it. That means they run it through a mathematical algorithm that changes it from plain old text into something numerical and random-looking. Then they store that hashed value.

For example, if your password was

Lucy021900

a hash of that might be

372302a0e9f8eb81d7fe7166552b10334c04b1458ac7dd76c0912f7c9cc16ce3

That’s what’s called an SHA-256 hash, a mathematical transformation of, in this case, my daughter’s dog’s name and my daughter’s birthday, into a long string of hexadecimal digits (actually, 256 bits of binary data).

Why would anyone do that, instead of just storing your password the way you typed it in? More importantly, how will they know that it’s you, the next time you log in if they don’t store your actual password?

The answer to the last question is pretty simple: when you enter your password the next time you log in, they’ll run it through that same hashing algorithm and come up with the same great big number. One of the special things about these hash algorithms is that they produce very random-looking output for any input, but they always produce exactly the same output for any given input. And, in addition, that output looks very different even if the input is almost exactly the same.

For example, if I change a single character of my example password, say changing my daughter’s birthday by a single digit, to

Lucy021800

the subsequent hash comes out like this

c52304ed9900ab26d60b173395b8d6782af424076df1ce14701fc4cd87dbe5ba

That single-digit change to the password produced a hash of the same length, 64 hexadecimal digits, only nine of which happen to match the previous hash value. (That’s actually about twice the number of matching digits as one would expect from a purely random sequence. I ran another hash with Lucy021700 and got only two matches, half what I’d expect from a purely random sequence. The thing about random is that, well, it’s hard to predict.)

Since hashes tend to change very quickly when even a small change is made to a password, the likelihood that someone else will make up a different password that just happens to have exactly the same hash value is… well, it’s small. It’s not likely to happen.

(How unlikely is it to find two different text strings that create the same hash value? Suppose every single human being generated a billion hashes per second, every second, starting when the universe began and never stopping until today. The chance that any two of the strings they tried had hashed to the same value would still be less than one in ten thousand. It’s just pretty darned unlikely.)
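For the curious, here is the arithmetic behind that claim (added here; the post gives only the conclusion). It uses the standard birthday bound: for a hash with 256-bit output, the chance that some pair among $n$ distinct inputs collides is roughly $n^2 / 2^{257}$. Taking about $8 \times 10^{9}$ people, $10^{9}$ hashes per second each, and the current age of the universe, roughly $4.4 \times 10^{17}$ seconds:

$$n \approx 8\times10^{9} \times 10^{9} \times 4.4\times10^{17} \approx 3.5\times10^{36}$$

$$P(\text{collision}) \approx \frac{n^{2}}{2^{257}} \approx \frac{1.2\times10^{73}}{2.3\times10^{77}} \approx 5\times10^{-5}$$

That is about one chance in twenty thousand of even a single collision anywhere in the whole pile of hashes, and it says nothing about hitting one particular target hash, which is far harder still.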

So that answers the second question: they can log you in without knowing your password because they know the hash of your password, and nobody is likely to figure out some other password that has the same hash. If you have such a password, you’re probably really you.

But that leaves the first question: why do this? Why not just store your password, and skip all the fancy math?

That’s easy: they save the hash because they care about you. More specifically, they care that you don’t sue them or otherwise compromise their financial integrity in the event that someone steals their password lists. By saving the hash of your password rather than the password itself, they can be confident that, if someone does break in and steal their password database, they won’t get your real password.

They won’t get your real password because of the other great thing about hashes: you can’t reverse them. You can’t turn that 64-character number back into my daughter’s dog’s name and my daughter’s birthday. For inputs longer than the output, hashing genuinely loses information; for a short password like this one nothing is actually lost, but the computation is built so that nobody knows how to run it backwards, and nobody has shown that it can, even in theory, be run backwards efficiently. (And yes, there are some really interesting questions here that we’ll completely ignore, because they really don’t matter for this discussion and, frankly, I don’t understand the math.)

Why does this matter, that the thieves are not able to reconstruct your password? It matters because a lot of people use just a few passwords all over the place, on Netflix and at the bank and at Match dot com and Hulu and Amazon and everywhere else. So if someone can steal a big database full of hundreds of thousands of email addresses and passwords, they can then try all those email addresses and passwords at banks and shopping sites, hoping to luck out and find someone who reused his or her password. Then they rob you.

But that only works if the online company was foolish enough to store your password, right? I mean, if they stored just the hash of your password, everything’s okay. Right?

Well, not exactly.

Hash, Hold the Salt

Two facts make hashed passwords less secure than they could be. One is that people tend not to be very creative in their password choices. (In 2020, one survey of almost 300 million passwords revealed that the most commonly used password was “123456,” which was used for about one percent of all passwords. The password “password” ranked fourth on that list.) The other is that, as mentioned above, people tend to reuse their passwords.

Cybercriminals aren’t stupid. They know that people like to make up easy passwords that they’ll remember. So the cybercriminals create their own big lists of common passwords and variations on those passwords. They include “password,” and “Password,” and “Passw0rd” (which replaces the oh with a zero), and “Password123,” and things like that. They throw in a few hundred of the most obvious password choices, and then they hash that list themselves.

Now, equipped with a list of the hashed codes for the most common passwords, they can scan the stolen password table for matching hash values. If they find one, say 008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601, they can safely conclude that the password that created that hash was Password123. Then they can try the stored email address and that password at online banking sites, Amazon, etc., and hope they find a match.
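The login check described earlier and the precomputed-table attack described just above, as an added example that is not part of the original post and not any real site’s code. The email addresses, the “stolen” table, and the ten-entry wordlist are all constructed for the demo (real wordlists run to tens of millions of entries); the one real ingredient is plain SHA-256, so you can compare its output for Lucy021900 with the digest printed in the post.

```python
import hashlib

# Constructed demo: an unsalted SHA-256 password table, the login check the
# post describes, and the precomputed-table attack against it.
# Nothing here is from the original post; names and data are made up.


def sha256_hex(text: str) -> str:
    """Hash a string with SHA-256 and return 64 hex digits."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def matching_hex_positions(a: str, b: str) -> int:
    """Count positions where two hex digests agree (the avalanche check)."""
    return sum(1 for x, y in zip(a, b) if x == y)


# --- the site's side: store the hash, verify by re-hashing ---------------

def register_unsalted(password: str) -> str:
    return sha256_hex(password)


def verify_unsalted(password: str, stored_hash: str) -> bool:
    # Same input, same algorithm, same digest: that is the whole login check.
    return sha256_hex(password) == stored_hash


# --- the attacker's side: hash a list of common passwords once -----------

# Constructed stand-in for a cracker's wordlist.
COMMON_PASSWORDS = [
    "123456", "password", "Password", "Passw0rd", "Password123",
    "qwerty", "letmein", "iloveyou", "admin", "welcome1",
]


def build_lookup_table(candidates) -> dict:
    """Map hash -> plaintext for every candidate: a precomputed table."""
    return {sha256_hex(p): p for p in candidates}


def crack_unsalted(stolen_rows, table: dict) -> dict:
    """Look every stolen hash up in the precomputed table.

    stolen_rows: iterable of (email, hash_hex). Returns {email: password}
    for rows whose hash was in the table. This only works because the
    site hashed the bare password: with no salt, equal passwords give
    equal hashes at every site, so one table serves every breach.
    """
    return {email: table[h] for email, h in stolen_rows if h in table}


# Constructed "stolen" table: two weak passwords, one strong one.
STOLEN_UNSALTED = [
    ("alice@example.com", register_unsalted("Password123")),
    ("bob@example.com", register_unsalted("123456")),
    ("carol@example.com", register_unsalted("Mauve%Trombone7!kettle#")),
]

if __name__ == "__main__":
    h1, h2 = sha256_hex("Lucy021900"), sha256_hex("Lucy021800")
    print(h1)
    print(h2)
    print("matching hex positions:", matching_hex_positions(h1, h2))
    print(crack_unsalted(STOLEN_UNSALTED, build_lookup_table(COMMON_PASSWORDS)))
```

Run it and the two weak accounts come back with their passwords while the strong one stays unexplained; the table never had its hash, and nothing about the table gets the attacker any closer to it.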

The Salt

Online companies aren’t sitting idle while the bad guys come up with all the cool ideas. They’ve worked out a way to make it much harder to perform the attack described above: they add “salt” to the hash. The salt is just a random string, generated fresh for every account and stored next to the hash; what gets hashed is the salt and the password together. That makes the hash values for any given password different from company to company and, when it’s done right, different from one account to the next even if two users at the same site picked the same password. So even if the bad guys get a list of hashed passwords, their own list of hashed common passwords won’t match the one they stole, because the salt changed every hash. And even though they know the salt values (which they will, because the salt is stored with the hash of the password in the file they stole), they have to regenerate all of their hash values over again for every salt value in the stolen database. And that takes a long time.

As I said, it’s complicated. But it works, and it effectively means that these big tables of pre-computed hash values are worthless, if an online company uses salted hashes. Not all do, but it’s now the standard for password security, and most companies are salting their hashes.
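Salted storage as the section describes it, as an added example that is not the post’s code and not any particular site’s scheme. The record layout (`salt_hex$hash_hex`), the 16-byte salt length, and the two made-up users are assumptions for the demo; SHA-256 over salt-then-password is used here only because it matches the post’s running example.

```python
import hashlib
import hmac
import os

# Constructed demo of salted password storage: not the post's code, and not
# any particular site's scheme. Record format and names are made up.

SALT_BYTES = 16


def salted_sha256(salt: bytes, password: str) -> str:
    """SHA-256 over salt || password, as hex.

    Fast hash, kept only to match the post's example. A real site should
    use a slow, tunable password hash (Argon2, scrypt, bcrypt) in its place.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def register_salted(password: str) -> str:
    """Return a storable record 'salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    return salt.hex() + "$" + salted_sha256(salt, password)


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the salt stored in the record; compare in constant time."""
    salt_hex, stored = record.split("$", 1)
    computed = salted_sha256(bytes.fromhex(salt_hex), password)
    return hmac.compare_digest(computed, stored)


def unsalted_lookup_hits(records, unsalted_table: dict) -> int:
    """How many salted records a precomputed *unsalted* table can explain.

    The answer is zero: every hash was computed over a salt the table never
    saw, so the attacker has to start over, once per record, with that salt.
    """
    return sum(1 for r in records if r.split("$", 1)[1] in unsalted_table)


# Two users who chose the identical weak password.
RECORD_A = register_salted("Password123")
RECORD_B = register_salted("Password123")

# The attacker's precomputed table of unsalted hashes (constructed).
UNSALTED_TABLE = {
    hashlib.sha256(p.encode()).hexdigest(): p
    for p in ["123456", "password", "Password123", "qwerty"]
}

if __name__ == "__main__":
    print(RECORD_A)
    print(RECORD_B)
    print("same hash for same password?",
          RECORD_A.split("$", 1)[1] == RECORD_B.split("$", 1)[1])
    print("precomputed-table hits:",
          unsalted_lookup_hits([RECORD_A, RECORD_B], UNSALTED_TABLE))
```

Two details worth copying: the salt comes from `os.urandom`, not from the username or a site-wide constant, and the comparison uses `hmac.compare_digest` so a timing difference doesn’t leak how many leading characters of the digest were right.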

So What’s the Problem? Your Lame Passwords, Probably

So if online companies aren’t storing your passwords, and if they’re salting their hashes like good online citizens, what’s the problem?

The problem is that many people use mediocre passwords, and hashing has gotten very fast. You can thank Bitcoin for some of that. Bitcoin uses the SHA-256 hash algorithm for its proof of work (the thing that earns Bitcoin miners their Bitcoins), and the market that grew up around mining hardware has helped push graphics cards, the same ones computer gamers buy, to the point where a home hobbyist’s PC can generate billions of SHA-256 hashes per second. (This is also why a competent site doesn’t store a bare SHA-256 of your password at all, salted or not: it uses a hash designed to be slow, such as bcrypt, scrypt, or Argon2, with a tunable cost that turns billions of guesses per second into thousands. SHA-256 appears in this post because it makes the arithmetic easy to see.)

You’re probably thinking, “So what? What about that age-of-the-universe stuff? Who cares how fast they generate hashes, it won’t be fast enough, right?”

Well, yes and no. Yes, if people used good passwords, then the bad guys would be out of luck: they’d never guess the right ones. But people don’t use good passwords.

So here’s what the bad guys do. They take the stolen password file, they pick a password hash, and they go to work on it. They take the salt that’s associated with the hash — because that’s one of the things stored in the file — and they use that salt to start generating their own hashes.

What do they hash? They hash everything. Hardware is so fast that they can hash every word in the dictionary, then tack on a digit or two and do it again, and they can just keep pounding away until they find a match. But they’re smart enough not to really use every single word: they use just the words most people might know, plus common names, names of bands, things like that. When your desktop PC is generating fifty billion (that’s 50,000,000,000) hashes per second, you can try an awful lot of words.

They aren’t trying to find a different sequence of characters that hashes to the same thing your password hashed to. We’ve already said that that’s simply too hard. They’re trying to find your actual password. And if your password is in the top few tens of thousands of common passwords, they will find it. Then they’ll start visiting the banks and online stores, etc.

What Can You Do?

Most importantly, more important even than having really good passwords, is to have different passwords on each online account. Don’t use the same password for your bank accounts as you do for Netflix or the place you buy your shoes. Don’t use small variations of the same password, like changing the last digit, on multiple sites.

If you share passwords across sites, you’re trusting that (a) every one of those sites is responsible enough to use good, well-salted hashing algorithms, and (b) that your passwords are so cryptic and unusual that the brute force attacks made possible by ever faster hardware won’t stumble upon them. That first assumption is growing safer every day: online companies increasingly take password security seriously. But the second assumption, that your passwords are sufficiently clever to avoid the formidable hardware and techniques used by hackers, grows less sound every year as technology advances, driven in part by the market forces of the cryptocurrency industry.

If you share your passwords across accounts, stop doing it. I know it’s a pain in the neck to have a bunch of different passwords, and it probably seems like writing them all down in one place is a security risk. And it is, maybe, a small one. But it’s essential to your online security.

Published in Technology

There are 51 comments.

  1. Gary Robbins Reagan
    Gary Robbins
    @GaryRobbins

    One more post that I don’t want to read, but ought to take seriously.  

    • #1
  2. Henry Racette Contributor
    Henry Racette
    @HenryRacette

    Gary Robbins (View Comment):

    One more post that I don’t want to read, but ought to take seriously.

    Gary, it’s long and probably not interesting to normal people, and you don’t have to read it. Just use different passwords everywhere. ;)

    • #2
  3. RushBabe49 Thatcher
    RushBabe49
    @RushBabe49

    Nope, I don’t use any password for more than one site. Most of mine are phrases not one word, and I have fun thinking of new ones for new sites. I do often use exclamation marks in my passwords. 

    • #3
  4. Gary Robbins Reagan
    Gary Robbins
    @GaryRobbins

    Henry Racette (View Comment):

    Gary Robbins (View Comment):

    One more post that I don’t want to read, but ought to take seriously.

    Gary, it’s long and probably not interesting to normal people, and you don’t have to read it. Just use different passwords everywhere. ;)

    What I have been using for awhile is a specific 7 digit word that has meaning for me.  The word Arizona has seven digits, so I will use it by way of example, it is not my special word.  For the longest time, my password was “arizona.”  If I needed a number, it was “arizona3.”  If I needed to capitalize, it was “Arizona.”  If I needed a symbol, it was “4Arizona!”  I can’t remember passwords for the life of me and am so pleased that my iPhone does visual recognition.  It has been suggested to me that I use random names and numbers and then count on my browser to keep them on file.  It is hard to let go of the simplicity of my seven digit word.

    When I was a child, my parents had me memorize my home address, e.g. 4398 East Miller Road.  Now, my mother, most of my siblings and I have that as our four number sequence (4398) to use to open up voice mail.  


    • #4
  5. The Reticulator Member
    The Reticulator
    @TheReticulator

    Henry Racette: Let’s Talk About Your Passwords

    You can talk about them, but I’m not going to.  If I do, I’ll give away some information that the bad guys don’t need to know. In fact, I won’t even write the stuff I just wrote.

    • #5
  6. James Lileks Contributor
    James Lileks
    @jameslileks

    All my passwords are different. I use a password management program to store them, with a master password crafted out of various personal minerals and alloys. But. What if I’m struck by lightning tomorrow? How will my wife figure it out? Can’t just . . . write it down. That would be madness. So I put together a Rosetta Stone diagram with personal details and dates obliquely described, with lines and arrows pointing to the places where the proper characters go. This went into the safe deposit box.

    Problem is, I can’t find the safe deposit box key.

    • #6
  7. Headedwest Coolidge
    Headedwest
    @Headedwest

    This is a post that is difficult to read for non-techies. But it’s important. Thanks, Henry; good job explaining a difficult topic.

    The bottom line is to use different, and at best non-obvious passwords for every thing you use. If you’re on a Mac, you can ask the system to generate a non-obvious password for any site, and the Mac will remember it for you. This is nice, but you won’t necessarily know your own passwords. You can retrieve them and print them out using the Keychain function, but that requires a bit of tech savvy.

    If you are not willing to do the work, you should get (and, maybe pay for) a password manager. You will have to set and maintain a non-obvious main password, but the password management software will take care of all of the individual passwords for you. Some of the popular ones are OnePass, LastPass, Dashlane, etc. They all will help keep you out of the situation where you are either embarrassed or lose money due to password mis-management.

    Read this.

    • #7
  8. Arahant Member
    Arahant
    @Arahant

    I have a random password generator (a simple spreadsheet) that does things like this:

    bdG6Mlt3O1Qq$EuK3JAZkcppRbxzHDKN, q6KO$M&YHImdM8RJ9zdYMT8mg4F2AuCL, or IvQ(KbP6LzZJlsDwAtySX$M7EvHo7t8Y

    Some systems don’t allow 32 characters. Others restrict which special characters one can use. I adjust as necessary.

    • #8
  9. kedavis Member
    kedavis
    @kedavis

    James Lileks (View Comment):

    All my passwords are different. I use a password management program to store them, with a master password crafted out of various personal minerals and alloys. But. What if I’m struck by lightning tomorrow? How will my wife figure it out? Can’t just . . . write it down. That would be madness. So I put together a Rosetta Stone diagram with personal details and dates obliquely described, with lines and arrows pointing to the places where the proper characters go. This went into the safe deposit box.

    Problem is, I can’t find the safe deposit box key.

    Well, at least you didn’t call it safeTY deposit.  Props!

    • #9
  10. Headedwest Coolidge
    Headedwest
    @Headedwest

    Deleted.

    • #10
  11. Vince Guerra Member
    Vince Guerra
    @VinceGuerra

    “Hackers don’t break in, we log in.”


    • #11
  12. Matt Bartle Member
    Matt Bartle
    @MattBartle

    Good info. Good advice.

    • #12
  13. DonG (2+2=5. Say it!) Coolidge
    DonG (2+2=5. Say it!)
    @DonG

    2FA is helpful for important things.  That is two-factor authentication, the 6 digit code sent to your phone that you enter after your login credentials.  I use 2FA for any account that involves money. 

    • #13
  14. Stad Coolidge
    Stad
    @Stad

    Henry Racette: For the too-long-to-read crowd, here’s the bottom line: if you’re using the same password(s) all over the place, stop doing that.

    I’m in the process of doing it . . .

    • #14
  15. Stina Member
    Stina
    @CM

    For purposes of simplicity… how does Excel rank on password protected encryption?

    • #15
  16. Annefy Member
    Annefy
    @Annefy

    DonG (2+2=5. Say it!) (View Comment):

    2FA is helpful for important things. That is two-factor authentication, the 6 digit code sent to your phone that you enter after your login credentials. I use 2FA for any account that involves money.

    I use 2FA a lot and was in an absolute panic two weeks ago when the screen on my iPhone stopped responding to touch. Info was coming in, but I couldn’t access it. 

    Spent several hours getting a new iPhone. And then calling around trying to get the damn screen fixed on the old one (found a local young man who put a cracked screen on for free). Am now backing up important apps like 2FA on my iPad. 

    I’ll be spending today changing passwords. I’ve become lazy in that regard. 

    thanks for the prod. 

    • #16
  17. JoelB Member
    JoelB
    @JoelB

    Is the “Forgot password” utility a weak link in the chain?

    • #17
  18. Charlotte Member
    Charlotte
    @Charlotte

    Henry Racette: a mix of personal opinion and mathy stuff, all of which is likely to be correct.

    😂😂😂

    • #18
  19. Charlotte Member
    Charlotte
    @Charlotte

    Sigh. Password and online account management is one of the great and abiding vexations of modern life.

    • #19
  20. Headedwest Coolidge
    Headedwest
    @Headedwest

    DonG (2+2=5. Say it!) (View Comment):

    2FA is helpful for important things. That is two-factor authentication, the 6 digit code sent to your phone that you enter after your login credentials. I use 2FA for any account that involves money.

    Unfortunately, the phone code can and has been compromised. It’s not as safe as it seems.

    • #20
  21. James Lileks Contributor
    James Lileks
    @jameslileks

    Headedwest (View Comment):

    There are people who should not have any online accounts. Perhaps you should consider that.

    ?

    • #21
  22. Henry Racette Contributor
    Henry Racette
    @HenryRacette

    James Lileks (View Comment):

    Headedwest (View Comment):

    There are people who should not have any online accounts. Perhaps you should consider that.

    ?

    He means, James, that with great power comes great responsibility.

    If you let just anyone get online, you end up with Kodachrome retrospectives of Jello molds from the ’50s, and matchbooks. Oh so many matchbooks.

    We’ve got to keep this double-yew-double-yew-double-yew thing under control as long as we can….

    • #22
  23. Skyler Coolidge
    Skyler
    @Skyler

    I use key chain to store my passwords and generate them.  I have no idea what my passwords are.  I have a few non-critical sites that still have passwords I’ve generated, but they’re getting rarer.

    No one should ever use a windoze computer.  They are incompetently unsecure.  Of course they are used by the government but that’s more proof of how bad they are, to be honest.  


    • #23
  24. Henry Racette Contributor
    Henry Racette
    @HenryRacette

    Skyler (View Comment):

    I use key chain to store my passwords and generate them. I have no idea what my passwords are. I have a few non-critical sites that still have passwords I’ve generated, but they’re getting rarer.

    No one should ever use a windoze computer. They are incompetently unsecure. Of course they are used by the government but that’s more proof of how bad they are, to be honest.


    I understand your opinion regarding Windows. I use a mix of Windows, Macs, and Linux, but most people have a life outside of computing and, realistically, have to use either Windows PCs or Macs in order to get anything done. Windows is an easy target because it’s so dominant on the desktop, but it’s pretty easy to keep it safe if you use a decent antivirus product and are careful not to click email links and attachments too quickly. I’ve probably racked up a century of computer time on Windows PCs without incident. And I actively dislike Apple.

    • #24
  25. Hoyacon Member
    Hoyacon
    @Hoyacon

    Who or what is responsible for the pop ups I occasionally receive informing me that my password has been “exposed” (presumably in a data hack) and encouraging me to change it?

    • #25
  26. Skyler Coolidge
    Skyler
    @Skyler

    Henry Racette (View Comment):
    And I actively dislike Apple.

    You’re missing out.

    • #26
  27. Henry Racette Contributor
    Henry Racette
    @HenryRacette

    Skyler (View Comment):

    Henry Racette (View Comment):
    And I actively dislike Apple.

    You’re missing out.

    I bought my first Mac in 1984, and have done a fair amount of development on the platform. (Try programming on a 128K machine in C++, when you have to swap 3 1/2″ disks between the compile and link phases. ;) ) I use iPhones, because they’re what my kids discard when they upgrade theirs. I just don’t like big tech companies. Microsoft seems the least socially conscious of the bunch, always had an IBM feel to it, “we just want American business to give us its money,” that kind of thing. I’d switch entirely to Linux if my customers could use it on their machines, but they can’t.

    • #27
  28. Aaron Miller Member
    Aaron Miller
    @AaronMiller

    What do you techies think of LastPass and similar services? Does one or a few stand out? 

    • #28
  29. Henry Racette Contributor
    Henry Racette
    @HenryRacette

    Hoyacon (View Comment):

    Who or what is responsible for the pop ups I occasionally receive informing me that my password has been “exposed” (presumably in a data hack) and encouraging me to change it?

    I assume you’re using the Google Chrome browser. (Aside: I dislike the Chrome browser because it comes from Google, which I think is an evil company — in the more dramatic sense of evil, rather than merely the casual epithetic sense.)

    Chrome has a feature that checks a record of corporate data breaches to see if your user id (e.g., email address) has been exposed in one or another cyberattack. I don’t know how detailed it is, whether it really verifies that your id was involved or merely checks to see if the company you’re accessing has been compromised, how often it’s updated — I really know very little about it. And I don’t know if anyone else is doing the same thing now.

    I run Brave (because Google, and because… well, type “brave browser” in the Ricochet search field and see), and I don’t get those pop-ups. (However, I do know that my email address has been exposed in at least two corporate hacking events, so perhaps the Chrome feature is worthwhile. I still won’t use it.)

    If you use different passwords everywhere, and change your password if you have reason to believe it’s been compromised (e.g., when Chrome tells you it might have been), you should be fine.

    • #29
  30. Full Size Tabby Member
    Full Size Tabby
    @FullSizeTabby

    James Lileks (View Comment):

    All my passwords are different. I use a password management program to store them, with a master password crafted out of various personal minerals and alloys. But. What if I’m struck by lightning tomorrow? How will my wife figure it out? Can’t just . . . write it down. That would be madness. So I put together a Rosetta Stone diagram with personal details and dates obliquely described, with lines and arrows pointing to the places where the proper characters go. This went into the safe deposit box.

    Problem is, I can’t find the safe deposit box key.

    Plus if you’re dead the bank may not allow your wife to access the safe deposit box until probate happens. 

    • #30