Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
This is going to be a mix of personal opinion and mathy stuff, all of which is likely to be correct.
For the too-long-to-read crowd, here’s the bottom line: if you’re using the same password(s) all over the place, stop doing that.
The hacking of a major energy pipeline company this past week is much in the news, and that has me thinking about cybersecurity.
Most of us face two significant threats, in terms of cybersecurity. One is that we’ll fall victim to a virus, like the ransomware attack that crippled Colonial Pipeline last week. I don’t worry about that because I run a good anti-virus product (Bitdefender, which I’ve used for many years and like because it’s cheap, effective, and unobtrusive), use its ransomware protection, and have a firewall that tries to keep unwanted guests off of my network. I also back up my work fairly often; I feel my own data is reasonably safe.
The other threat we face has to do with our online passwords. Unless your current way of managing your passwords is cumbersome and annoying, you’re probably doing it wrong and really should consider making your own life less convenient. Let me explain.
Most of us have lots of passwords for personal and work computers, online services, and the occasional devices around our homes. I don’t know how many you have (because I’m not the NSA), but my list currently contains more than 600 entries. I’m probably an outlier, since I work in the computer industry and have a lot of client passwords, etc., tucked away. My own personal passwords number in the several dozens, considering all of the banking and online services, entertainment, vendor, etc. sites that I visit. You’re probably similar.
You probably count on your browsers to remember most of your passwords for you. I certainly do. I couldn’t tell you my Ricochet password, my Facebook password, my MeWe password, nor any of my vendor passwords, because I don’t know them. I know how to log into my bank and into Gmail, but not into any of my routers or devices, nor most of my accounts on my clients’ servers.
I keep all those passwords in an encrypted database and pull them up when I need them. (The password to that database is one password I do remember, and it’s pretty long.) I need to do that because my passwords are all different, every single one of them. Each is a little absurd, a combination of two “words” at least one of which isn’t a real word, each of which contains a capital letter (though not always the first), the words separated by a non-alphabetic, non-numeric symbol, the entire sequence beginning and ending with another non-alphabetic symbol one of which is a digit and one of which is not. Their average length is 18 characters.
I don’t worry about the fact that my browser knows my passwords. I don’t worry about having them all in one file; a file that could, conceivably, be hacked by some cyber-villain. I don’t worry about that because the greatest risk I face, in terms of my online security, isn’t that someone will break into my computer and steal my passwords. Rather, it’s that someone will break into a poorly maintained online server and steal all of the passwords on that server, mine included. And that’s the greatest risk you face, as well.
How Companies Store Passwords
They don’t. Oh, a few might, but no competent online company actually stores your password anymore. What they do is take your password and hash it. That means they run it through a mathematical algorithm that changes it from plain old text into something numerical and random-looking. Then they store that hashed value.
For example, if your password was
a hash of that might be
That’s what’s called an SHA-256 hash, a mathematical transformation of, in this case, my daughter’s dog’s name and my daughter’s birthday, into a long string of hexadecimal digits (actually, 256 bits of binary data).
Why would anyone do that, instead of just storing your password the way you typed it in? More importantly, how will they know that it’s you, the next time you log in if they don’t store your actual password?
The answer to the last question is pretty simple: when you enter your password the next time you log in, they’ll run it through that same hashing algorithm and come up with the same great big number. One of the special things about these hash algorithms is that they produce very random-looking output for any input, but they always produce exactly the same output for any given input. And, in addition, that output looks very different even if the input is almost exactly the same.
For example, if I change a single character of my example password, say changing my daughter’s birthday by a single digit, to
the subsequent hash comes out like this
That single-digit change to the password produced a hash of the same length, 64 hexadecimal digits, only nine of which happen to match the previous hash value. (That’s actually about twice the number of matching digits as one would expect from a purely random sequence. I ran another hash with Lucy021700 and got only two matches, half what I’d expect from a purely random sequence. The thing about random is that, well, it’s hard to predict.)
Since hashes tend to change very quickly when even a small change is made to a password, the likelihood that someone else will make up a different password that just happens to have exactly the same hash value is… well, it’s small. It’s not likely to happen.
(How unlikely is it, to find two different text strings that create the same hash value? If every single human being generated a billion hashes per second, every second, and started when the universe began, and did that until the universe faded into tepid entropic grayness, the chances are vanishingly small that they’d find any two sequences of characters that hashed to the same value. It’s just pretty darned unlikely.)
So that answers the second question: they can log you in without knowing your password because they know the hash of your password, and nobody is likely to figure out some other password that has the same hash. If you have such a password, you’re probably really you.
But that leaves the first question: why do this? Why not just store your password, and skip all the fancy math?
That’s easy: they save the hash because they care about you. More specifically, they care that you don’t sue them or otherwise compromise their financial integrity in the event that someone steals their password lists. By saving the hash of your password rather than the password itself, they can be confident that, if someone does break in and steal their password database, they won’t get your real password.
They won’t get your real password because of the other great things about hashes: you can’t reverse them. You can’t turn that 64 character number thing back into my daughter’s dog’s name and my daughter’s birthday. The process of hashing either loses information or so scrambles it that no one knows how to unscramble it — no one is even sure that it can, in theory, be unscrambled. (And yes, there are some really interesting questions here that we’ll completely ignore, because they really don’t matter for this discussion and, frankly, I don’t understand the math.)
Why does this matter, that the thieves are not able to reconstruct your password? It matters because a lot of people use just a few passwords all over the place, on Netflix and at the bank and at Match dot com and Hulu and Amazon and everywhere else. So if someone can steal a big database full of hundreds of thousands of email addresses and passwords, they can then try all those email addresses and passwords at banks and shopping sites, hoping to luck out and find someone who reused his or her password. Then they rob you.
But that only works if the online company was foolish enough to store your password, right? I mean, if they stored just the hash of your password, everything’s okay. Right?
Well, not exactly.
Hash, Hold the Salt
Two facts make hashed passwords less secure than they could be. One is that people tend not to be very creative in their password choices. (In 2020, one survey of almost 300 million passwords revealed that the most commonly used password was “123456,” which was used for about one percent of all passwords. The password “password” ranked fourth on that list.) The other is that, as mentioned above, people tend to reuse their passwords.
Cybercriminals aren’t stupid. They know that people like to make up easy passwords that they’ll remember. So the cybercriminals create their own big lists of common passwords and variations on those passwords. They include “password,” and “Password,” and “Passw0rd” (which replaces the oh with a zero), and “Password123,” and things like that. They throw in a few hundred of the most obvious password choices, and then they hash that list themselves.
Now, equipped with a list of the hashed codes for the most common passwords, they can scan the stolen password table for matching hash values. If they find one, say 008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601, they can safely conclude that the password that created that hash was Password123. Then they can try the stored email address and that password at online banking sites, Amazon, etc., and hope they find a match.
Online companies aren’t sitting idle while the bad guys come up with all the cool ideas. They’ve worked out a way to make it much harder to perform the attack described above. They’ve added “salt” to the hashed codes. This gets kind of complicated, but what’s important is that it makes the hash values for any given password different from company to company. Trust me, it just works. So even if the bad guys get a list of hashed passwords, their own list of hashed passwords won’t match the one they stole, because the “salt” added to the hash will be different. And even if they know the salt values (which they will, because the salt is stored with the hash of the password in the file they stole), they’ll have to regenerate all of their hash values over and over again for every salt value in the stolen database. And that takes a long time.
As I said, it’s complicated. But it works, and it effectively means that these big tables of pre-computed hash values are worthless, if an online company uses salted hashes. Not all do, but it’s now the standard for password security, and most companies are salting their hashes.
So What’s the Problem? Your Lame Passwords, Probably
So if online companies aren’t storing your passwords, and if they’re salting their hashes like good online citizens, what’s the problem?
The problem is that many people use mediocre passwords, and hashing has gotten very fast. You can thank Bitcoin for some of that. Bitcoin uses the SHA-256 hash algorithm for its proof of work metric (the thing that earns Bitcoin miners their Bitcoins) and, thanks to the market for Bitcoin mining hardware, the average home computer hobbyist can now generate billions of hashes per second using the same kinds of PCs computer gamers use.
You’re probably thinking, “So what? What about that age-of-the-universe stuff? Who cares how fast they generate hashes, it won’t be fast enough, right?”
Well, yes and no. Yes, if people used good passwords, then the bad guys would be out of luck: they’d never guess the right ones. But people don’t use good passwords.
So here’s what the bad guys do. They take the stolen password file, they pick a password hash, and they go to work on it. They take the salt that’s associated with the hash — because that’s one of the things stored in the file — and they use that salt to start generating their own hashes.
What do they hash? They has everything. Hardware is so fast that they can hash every word in the dictionary, and then tack on a digit or two and do it again, and they can just keep pounding away at it until they find a match. But they’re smart enough not to really use every single word. They can use just the words most people might know, and common names, names of bands, things like that. When your desktop PC is generating fifty billion (that’s 50,000,000,000) hashes per second, you can try an awful lot of words.
They aren’t trying to find a different sequence of characters that hashes to the same thing your password hashed to. We’ve already said that that’s simply too hard. They’re trying to find your actual password. And if your password is in the top few tens of thousands of common passwords, they will find it. Then they’ll start visiting the banks and online stores, etc.
What Can You Do?
Most importantly, more important even than having really good passwords, is to have different passwords on each online account. Don’t use the same password for your bank accounts as you do for Netflix or the place you buy your shoes. Don’t use small variations of the same password, like changing the last digit, on multiple sites.
If you share passwords across sites, you’re trusting that (a) every one of those sites is responsible enough to use good, well-salted hashing algorithms, and (b) that your passwords are so cryptic and unusual that the brute force attacks made possible by ever faster hardware won’t stumble upon them. That first assumption is growing safer every day: online companies increasingly take password security seriously. But the second assumption, that your passwords are sufficiently clever to avoid the formidable hardware and techniques used by hackers, grows less sound every year as technology advances, driven in part by the market forces of the cryptocurrency industry.
If you share your passwords across accounts, stop doing it. I know it’s a pain in the neck to have a bunch of different passwords, and it probably seems like writing them all down in one place is a security risk. And it is, maybe, a small one. But it’s essential to your online security.Published in