Online Security

30 November, 2021

Are you using a password manager? If you’re not, we recommend you start as soon as you can.

Any of the managers on the market are better and safer than not using a password manager at all. Not only do you only have one password to remember from now on, but all your online accounts will be safer. 

You can come back and read the remainder of this article later if you want. I’m happy to wait for you to go and get yourself signed up for one of these right away.


All set up and ready to read on? I’m going to spill the secrets of how passwords are stored and how hackers use data to get your passwords. At the end of the article are some tips on how to keep yourself secure online.

How web applications store passwords and why that matters to you

When you log in to a website it wants to know who you are. It uses two pieces of information:

  • One of these is known - e.g. your email address
  • The other is secret - e.g. your password.

Together these “prove” you are who you claim to be, and the site will let you in. If both these pieces of information get into the wrong hands someone else can pretend to be you!

There are nefarious people out there who try to breach websites to get this information about people so that they can sell it on. A Spotify or Netflix account is worth about $3 USD, a PayPal account is worth around $1.50 USD. Steal enough information and you can make money selling it on.

For the purposes of this article let’s pretend I’ve set up an account on a website with this information. This is 100% not a real password of mine.

Email: insecure@evoluted.email

Password: squirrel

How it’s stored

There are different ways of storing secret data.
“In the clear” means your email address and password are stored exactly as typed. Anyone with access to the database can read your password. Database administrators can log in to the database and see my email address and my password: squirrel


How does that make you feel? I bet it’s rather uncomfortable knowing that your secret password is available in all its glory!

Thankfully this is not the only way websites can store your data; there are ways to disguise your password in the database.

A key approach is known as hashing.

Making a hash of it

Hashing takes a piece of information and turns it into another piece of information using a one-way algorithm. Instead of storing my password “squirrel” in the database, the website creates a hash of it and stores that instead.

Example:
“squirrel” becomes “eac074b0503b45740d49b18eb659bcfc”

How does this work? 

Let me introduce you to a cow for a moment. Her name is “Moona Lisa”.

Disclaimer: if you do not eat beef you may want to skip this next part, catch up with us at "A brief history of how passwords are broken".

[Image: a cow, a mincer and some mince]

In this analogy “Moona Lisa” is our password, the mincer is the algorithm we use, and the minced beef is the hash.

The process is one-way. Putting the meat back into the grinder unfortunately does not reconstitute “Moona Lisa”.

[Image: some mince, a mincer and a cow with a cross through it]

This means if you know the hash (e.g. you were in the database and found what is stored instead of my password) you can’t put it back through the algorithm to find out my password is “squirrel”.

Every different password ends up as a different hash. Here’s another cow, whose name is “Deja-Moo”.

[Image, row 1: a cow, a mincer and some mince. Row 2: a different cow, same mincer, different mince]

Both cows (passwords) go into the grinder (algorithm) and come out as different mince (hashes).

The hash of “Moona Lisa” is not the same as the hash of “Deja-Moo”, or the hash of my password “squirrel”.

Hashes are really important and play a huge role in the online world but how they are stored and handled matters.

A brief history and a quick demo of how passwords are broken

A short tale of woe: Tesco

Back in 2012 if you forgot your Tesco clubcard password the website would happily email you your password - rather than make you set up a new one.

Why was this a bad move? They encrypted passwords in the database using a reversible method, not the one-way hashing method just described. This meant they were able to decrypt them to send the “in the clear” password back to you in an email. It also meant both pieces of information - email address and actual password - were available together in one place, making it an attractive prospect for any hacker.

So someone has stolen your data

It’s not common, but it happens. Someone leaves a laptop on a train, or a Snapchat employee falls foul of a phishing scam or the wrong setting made Contact Tracing data public.

If the sensitive data is hashed it is safe right?

[Image: a spreadsheet of email addresses and hashed passwords]

The stolen data includes email addresses and hashes. But how does the hacker turn the hash (mince) back into the password (“Moona Lisa”)? They have help, in the form of software tools, but they are a little more subtle than you might expect.

Hashcat is an example of software that can be used to attempt to unhash passwords.

Hashcat

This is a piece of software that generates hashes really fast. It takes lists of words, hashes them and then compares the results to a list of hashes, which means it can be used to figure out passwords.

Using a dictionary of 370,000 English language words checked against 150,000 hashed passwords - how fast is it? It’s somewhere on the scale of “really scary” to “horrifying”.


Surely this must just be for short, simple passwords? It must be more secure to have a number, a capital letter, a symbol and an emoji, right?

Time for another tale of woe: RockYou

Back in the early noughties RockYou made social widgets and fun apps for your Facebook feed.

  • In 2009 they were compromised and their entire database was stolen
  • They had 32,603,388 user accounts
  • All of the passwords - 14,341,564 unique - were stored “in the clear”

This data breach was shared online. Although it is ethically questionable to use, it has since become a treasure trove of data for security researchers.

Password patterns

The researchers learned a lot about how people construct their passwords, and there were some common approaches.

  • Keyboard and other patterns e.g. “qwedcxzas”
  • What and where numbers are appended to passwords e.g. “ilovemymum2012”
  • How punctuation and capital letters are applied e.g. “!ILoveMyMum”
  • How many passwords are the same, reused, or just alterations

People who needed to reset their password often just suffixed a number - e.g. “ilovemum1000” changed to “ilovemum1001”.

Back to Hashcat

So now our nefarious hacker has a stolen database of hashed passwords, and has a set of rules for how people create passwords and the 2009 database of RockYou passwords to check against.

All of this can be used as input to Hashcat to figure out what the hashed passwords actually are, and it can do it really fast, even using a standard laptop. With a proper setup (like the ones Amazon rents out for $30 per hour) this could take a few minutes!
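An added example, not code from the original article: it puts the “Making a hash of it” and Hashcat sections together in Python. A constructed set of four accounts is stored as unsalted MD5 (the fast one-way hash style described above) and checked against a tiny constructed word list plus the capitalisation, punctuation and number-suffix patterns the RockYou researchers found, which is the word-list-and-rules approach the article attributes to Hashcat. The second half shows the defender’s fix: a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256), so one table of candidate hashes no longer matches every user’s record and every guess costs far more work. All emails, passwords and the word list are constructed for this example.

```python
import hashlib
import secrets

# Constructed sample accounts stored as unsalted MD5, the fast one-way
# hash style the article describes. The hash values are computed here.
STORED_MD5 = {
    "insecure@evoluted.email": hashlib.md5(b"squirrel").hexdigest(),
    "alice@example.com": hashlib.md5(b"Ilovemymum2012").hexdigest(),
    "bob@example.com": hashlib.md5(b"!Moonalisa").hexdigest(),
    "carol@example.com": hashlib.md5(b"xq7!Tz9#pL").hexdigest(),  # random
}

# Constructed stand-in for a dictionary or RockYou-style word list.
WORDLIST = ["password", "squirrel", "ilovemymum", "moonalisa", "dejamoo"]


def mutations(word):
    """Yield the word plus the variants the article lists: capitalised,
    prefixed with '!', and with a year or a short number appended."""
    for w in (word, word.capitalize()):
        yield w
        yield "!" + w
        for year in range(1990, 2022):
            yield f"{w}{year}"
        for n in range(100):
            yield f"{w}{n}"


def audit_unsalted(stored, wordlist):
    """Hash each candidate once, then look every stored hash up in that table.
    Without a salt, one table of candidate hashes serves all users at once."""
    table = {hashlib.md5(c.encode()).hexdigest(): c
             for word in wordlist for c in mutations(word)}
    return {email: table[h] for email, h in stored.items() if h in table}


def store_salted(password, iterations=600_000):
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256),
    so the same password gives a different record for every user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)
```

Three of the four MD5 accounts fall to the word list within a fraction of a second on a laptop; the random password does not, and the PBKDF2 records cannot be matched by a shared table because each carries its own salt.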

Why password rules don’t make passwords secure

To be fair, password rules can help people out - using longer passwords is something I recommend. The problem with password rules is people. 

If you’re creating a great password it’s probably not one that’s easy to remember.

We want life to be easy, and so we cut corners when it comes to passwords. This means people end up using some of those approaches the researchers (and therefore hackers) discovered (ilovemum1000) or writing it on a sticky-note that’s left on the desk.

Making life easier for ourselves just made life easier for the hackers.

Wait what?

Hackers are trying to break ANY password, and this means they could discover yours - or your password could lead them to breaking someone else's.

A lot of the time if the hacker knows your email address they don’t even need to have stolen the database of the site to gain entry - they just need a list of passwords other people have used!

What can you do?

  • Use a password manager (Remember I brought this up at the start of this article.)
  • Make your password as long as the website will allow it to be.
  • Use randomly generated passwords.
  • Don’t use the same password for multiple logins. Keep it unique
  • Use 2FA (two-factor authentication) if the website offers it
  • Check if the passwords you’ve been using have been found in a data breach - if they have, change your password!

How to check if your account has been breached

  1. Visit the website Have I been Pwned?
  2. Enter your email address and hit the button
  3. If the email address is recorded in a data breach this site will tell you which site it was.
  4. It will remind you to change your password, and encourage you to use a password manager
  5. Hopefully you’ll get the all-clear message

[Screenshot: the good news that my email address has not been pwned]
