
An Ode to Passwords

Passwords suck. We go through strategies to make your life easier.

Imagine this: You’ve forgotten your password to access your favourite website. You speak to a customer service rep and ask for a reset.

They reply with a message:

“Hi , your new password is '7WSCuv][email protected]%Fe:Xs<>7_EdP5M>:LQc[sd{`a9n2}Pu%Up3RD<5Z\c}-:v}9T:6kr![L^/]*dk#>#b8A^r&d8pf;%7>Pkz^?rapA\[email protected],[email protected]?n$aYhsFX[”

(Let’s set aside how bad a practice that is.)

That’s 128 characters long: lower and upper case, special characters and numbers, oh, and did I mention it’s 128 characters long?

For all intents and purposes, it’s a strong password. It’s pretty hard to refute that.

New Password

But now you have to type that password in whenever you want to log in. Great! We have a secure password! Except… you’re not going to remember all that. And if your customer rep sends you a password that long and complicated, then in all likelihood they hate you.

What did you do? Break a keyboard or forget your login one too many times?

Of course, this scenario isn’t something that happens anymore; it’s bad security practice for a system to store user passwords in plain text. If it does, then the software or service you are using has an outdated security policy, and you probably shouldn’t trust it with your data. The truth is that nobody likes passwords. Not you, not your IT administrator, not cybercriminals. And yet it’s a crucial step in protecting your online stuff, even though you yourself have to both remember it and type it in.

Now, maybe you can afford the time and the slight increase in risk of just resetting the password via a magic link sent to your email and making a new one. Assuming your password isn’t as simple as the ddmmyyyy of your son/daughter/mother/father/auntie/pet rock’s birthday, that’s your alternative.

How Computers Store Passwords

There is absolutely no reason to make choosing passwords a painful experience.

First, we have to look at what your password even is from the system’s point of view. Not asleep yet? Let’s go!

A password is a ‘string’, sure, but your password is actually stored in a variety of ways.

Let’s touch on some.

Plain text: Yup, even in 2018 this is a thing. If you look at accounts on the backend you might see a username:password pair like Bob:BobLovesAlice.

Encrypted passwords: There are a few types of these. Still better, but on the backend your login and password are still stored, and if they’re stored together (say, in a table in a database) then it’s just as bad. The big difference is that it gets transmitted ‘securely’, so if someone intercepts the message, they won’t necessarily see your password. Then they have to crack it (and they can).

Password hash: Getting better. This is a hash of your password, not your password itself. The majority of sites and services use this, and we’re getting into the more technical end.

Password hash

Salted hash: This is the same as a password hash, but it adds a ‘salt’ to your password before hashing it. This basically makes the hash unique to the individual. As far as passwords go, this is feasibly best practice.

Look. When it comes to breaking passwords, each type above gets progressively harder as you go down. Plain text is like a door with just a heavy handle. Encrypting your password is like putting a lock on the proverbial door; the password hash is like a lock made out of a Rubik’s cube, and a salted hash is like having a Rubik’s cube at a different starting point depending on whose door you’re trying to open.
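To make the storage schemes above concrete, here is an added example (my own code, not from the original post or from CryptoAUSTRALIA) that stores the post’s sample password Bob:BobLovesAlice three ways: as plain text, as a bare SHA-256 hash, and as a salted hash. The function names, the second user and the PBKDF2 parameters are my assumptions. It also shows the caveat a salt alone does not cover: the salted version uses a deliberately slow key derivation function (PBKDF2-HMAC-SHA256) so that each guess an attacker makes against a leaked table is expensive, not just unique per user.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. Contrasts three of the
# storage schemes the post describes. The sample users, function names and
# PBKDF2 settings are assumptions made for this illustration.

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def store_plaintext(username, password):
    """Scheme 1: the table holds the password itself (the Bob:BobLovesAlice case).
    Anyone who can read the table can read every password."""
    return {"user": username, "password": password}


def unsalted_hash(password):
    """Scheme 3: a bare hash. The same password gives the same hash for every
    user, so one precomputed table of common passwords cracks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Scheme 4: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes each user's hash unique; the iteration count makes every
    guess expensive. Salt, iterations and hash are stored together."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_collides(password, salted):
    """Do two users who chose the same password end up with identical stored
    values? True for plain and unsalted hashes, False once a random salt is used."""
    if salted:
        return salted_record(password)["hash"] == salted_record(password)["hash"]
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    pw = "BobLovesAlice"  # the post's sample password
    print("plain text         :", store_plaintext("Bob", pw))
    print("sha256 (unsalted)  :", unsalted_hash(pw))
    rec = salted_record(pw)
    print("salted pbkdf2      :", rec)
    print("verify correct pw  :", verify_salted(pw, rec))
    print("verify wrong pw    :", verify_salted("BobLovesEve", rec))
    print("unsalted collision :", shared_password_collides(pw, salted=False))
    print("salted collision   :", shared_password_collides(pw, salted=True))
```

Run it and compare the last two lines: Bob and a second user with the same password get the same SHA-256 digest, but different salted records, which is exactly the “different starting point per door” of the Rubik’s cube analogy. A real deployment would use a library such as argon2 or bcrypt rather than hand-rolling this, but the shape of the record (salt, cost parameter, hash) is the same.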

How to Make Passwords Less Painful

So now we understand how our passwords work… we need solutions. We also need to be serious about our solutions because they need to be practical.

Here are a few simple tips that have been repeated ad nauseam:

  • Have between 8 and 16 characters.
  • Use mixed case.
  • Have at least X special characters.
  • Have at least X numbers.

Boring. It’s very likely you’ll be forced to make a password that complies with any number of these rules, and while they are good advice (if limited), it gets very annoying to have to come up with a long word with a convoluted substitution of some characters for numbers (e.g. bA55Hun1er).

Here’s practical advice that you’re likely to get:

Use a password wallet.

Wow

Great idea. Do keep in mind that you’ll have to make sure that you guard that particular password with your life - but if you’re going to put all your eggs in one basket, that’s probably the best one. But you still need to come up with a password that is practical and that you can remember.

With that in mind, my tips are:

  • Go long. It’s strange to say this, but thisverybigpasswordthatisimpossiblylongevenforsomewebsitestoevenallow is mathematically harder to guess than mYF00tyT3Am.
  • Try a sentence including both a special character and a number.

My2CentsIsThatMostPasswordsHave1And!

xkcd #936

Sure, this:
'7WSCuv][email protected]%_Fe:Xs<>7_EdP5M>:LQc[sd{a9n2}Pu%Up3RD<5Z\c}-:v_}9T\:6kr![L^/]*dk#>#b8A^r&d8pf;%7>Pkz^?rapA\[email protected],[email protected]?n$aYhsFX[
...might be a strong and secure password. But good luck remembering it.
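The “go long” claim and the xkcd #936 caveat can both be put into numbers. The following is an added example of my own, not code from the original post: it estimates brute-force search entropy as length × log2(alphabet size) for the post’s own passwords, and separately estimates a word-based passphrase as words × log2(dictionary size), because an attacker who knows you used dictionary words does not search the whole alphabet. The helper names, the 2048-word dictionary size (which gives xkcd’s ~11 bits per word) and the use of string.punctuation as the special-character set are my assumptions.

```python
import math
import string

# Added example, not from the original post. Estimates password strength two
# ways: naive brute force over the character classes present, and, for a
# passphrase, guesses over a word list. Dictionary size and character sets are
# assumptions chosen for the illustration.

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII specials (assumed set)
)

# The post's own examples.
LONG_LOWERCASE = "thisverybigpasswordthatisimpossiblylongevenforsomewebsitestoevenallow"
SHORT_COMPLEX = "mYF00tyT3Am"
SENTENCE = "My2CentsIsThatMostPasswordsHave1And!"


def alphabet_size(password):
    """Size of the search alphabet an attacker must assume, based on which
    character classes actually appear in the password."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def brute_force_bits(password):
    """Naive entropy: every position drawn uniformly from the alphabet."""
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_bits(word_count, dictionary_size=2048):
    """Entropy when the attacker knows the password is word_count words drawn
    uniformly from a dictionary; 2048 words is ~11 bits per word, the figure
    xkcd #936 uses."""
    return word_count * math.log2(dictionary_size)


def strength_report(password):
    """Summarise one password: alphabet, length and naive bits."""
    return {
        "password": password,
        "alphabet": alphabet_size(password),
        "length": len(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, LONG_LOWERCASE, SENTENCE):
        print(strength_report(pw))
    # The caveat: "correct horse battery staple" is 25 lowercase letters
    # (~117 bits by the naive count) but only 4 common words (~44 bits if the
    # attacker searches a 2048-word list). Still far more than the 11-character
    # mixed-case password above, and far easier to remember.
    print("naive  :", round(brute_force_bits("correcthorsebatterystaple"), 1))
    print("wordlist:", passphrase_bits(4))
```

The naive count is an upper bound on an attacker’s work, and the word-list count is the honest figure for a passphrase made of ordinary words. Length wins by either measure: the 69-character lowercase string is out of reach of brute force entirely, and even a four-word passphrase searched by dictionary still has more entropy than mYF00tyT3Am with all its substitutions.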

For now. /endrant


Jeremiah Cruz


Jeremiah is a Network Security Associate and gaming enthusiast. He educates through story-telling and challenging practised norms. He eats, drinks and knows things.
