Disclaimer: I want to start this post by saying that I am, in no way, a computer security expert. However, the details presented here are correct enough to give a background and starting point for anyone who wants to follow up and dig deeper into the fascinating world of password security.

Everything about our daily lives is going up to the Cloud

What’s the Cloud, again? It’s a marketing term for anything that’s an Internet enabled service.

Your email account? That’s on the cloud. Your Facebook account is in the cloud. Your bank details are in the cloud.

What’s the problem with this? Nothing, really.

Unless the company that has all of your details on file (in their cloud) has a data breach. And if it does, you’ll end up on Have I Been Pwned.

Well, not on there per se. I mean that your email address will be searchable there.

I’m searchable on there (and I’m not going to go into the details, because both are completely egregious examples of being added to databases and services that I never agreed to being added to in the first place), due to two unrelated data breaches.

Have I Been Pwned example

Have I Been Pwned? Yes I have. Have You?

It’s definitely worth taking the time to see whether your personal details are out there (due to a data breach or leak), and the guy who runs the site is perfectly trustworthy.

In fact, he’s one of the industry experts on this kind of thing.

Data Breaches

The name should be easy enough to parse, but a data breach is when someone breaks into a secure system (say your Bank’s computers) and makes a copy of the data that is stored there (say, account names and balances) for their own nefarious purposes.

Data breaches are not a new thing. Ever since the idea of organised businesses was created, there have been competitors who have wanted to steal their ideas and information. Then computers came along and data breaches got easier. Then the Internet came along and they got even easier.

OK, computer systems have become more secure since the early 70s.

Because security is ALWAYS an afterthought, it wasn’t baked into how computers or the Internet worked from the beginning, and we’ve been playing catch up ever since.

In some ways they’ve become less secure. The best IT folks out there will tell you, more than likely under the promise of anonymity, that even the best businesses have issues with their security. Most likely due to the users of the system, but not always.

Users are bad? Yeah.

What Did Users Do?

Kevin Mitnick is a person who became infamous in the late 80s and early 90s for his escapades relating to computer security. He had spent his teenage years hanging around with Phreakers. These days, Phreakers would be called Hackers.

These were people who had figured out that there was a test tone on AT&T phone lines (around 2600 Hz), and if you played it down the phone before dialling, then your call would be free.

It’s so famous within the “hacker” community that there is a magazine named after it.

Soon after figuring out that the 2600 Hz tone would get them free phone calls, they started to learn other ways to get free things. Mainly they were after free access to computers or BBSs.

BBSs were what we had before The Internet came along. Accessing them required a computer (which were expensive at the time) and an unmetered phone line (again, expensive).

To get access to these, Phreakers would spend their time figuring out how to get into buildings, and guessing (and resetting) passwords. They came up with a bunch of techniques:

  • Dumpster diving (for passwords that had been written down, and then thrown into the trash)
  • Creating fake IDs
  • Talking their way into the building
  • Calling random workers, pretending to be an employee and asking for favours

As a side note: the movie Sneakers, whilst fictionalised and mostly fantasy, shows how to use a bunch of these techniques in order to break into systems.

All of this falls under the umbrella term “Social Engineering”.

Social Engineering?

Imagine the situation:

You’re at work, sitting at your computer working on some big project. Your desk phone rings, it’s Dave from IT. He’s new and is calling round to introduce himself.

Hey, this is Dave from IT. I’m still pretty new here and Steve, my boss, has asked me to install an update on everyone’s computers. I could walk up there with it on a USB and install it on each computer in turn, but that would take hours and he wants it done now. Could you do me a favour and let me run it on your computer from here? It’ll save me a lot of hassle.

You will? Awesome, thanks. I’ll need your username and password, and you’ll need to not use your computer while I do it – maybe grab a coffee or something. I owe you a beer, seriously. Thank you for saving my bacon.

What if Dave doesn’t actually work in IT? Have you ever met Dave or Steve? Was there an email or announcement that there was a new person starting in IT? Did you even pay attention to the number that came up on your phone (most internal lines will be a lot shorter than external ones – although these can be easily faked)?

You’ve just given access to your computer to someone that you potentially don’t know.

This is an extremely simple example, but it happens every day. Why? Because we have a need to be helpful. It’s why we hold doors open for people, or pick things up when someone drops them. Because we’re social creatures, and being helpful is polite and expected from us all.

For more examples of how this is done, go watch Mr. Robot. It’s a fictional TV show, but there are some real security professionals who work on the show and some pretty realistic examples of how hacking is done.

The “Hi, this is Geoff from Microsoft,” calls have been happening to my friends a lot more, recently. This is another example of social engineering and they usually have the same format:

I can see that your computer has a virus on it. I need you to go to this website, download some software and I can fix it for you, from here. I’m from Microsoft, remember.

No. This person, whoever they are, is not from Microsoft. They’re a crook, and are trying to social engineer you into giving them access to your computer. The key questions to ask yourself here are:

  • How did they get my phone number?
  • How do they know my name?
  • Why haven’t they called anyone else that I know?
  • How can they see that my computer has a virus on it?

One of my friends once asked the guy who’d called him this last question. The response from the “Microsoft Engineer” was a scripted, “We have an application that sweeps the Internet looking for computers with issues,” sort of thing. But when my friend asked the “Microsoft Engineer” how they could do this, considering that he didn’t have access to the Internet, he was promptly hung up on.

What Does This Have To Do With Passwords?

Passwords are a hot topic. Even sciencey web comic XKCD has weighed in on it: https://xkcd.com/936/

Even a quick Google for password related topics returns millions (if not billions) of results. If there is so much advice out there, then why do we still need to learn how to make safe passwords?

Because passwords, like security, are almost always an afterthought.

Be honest with me

I’ll never know anyway, seeing as this is text.

How many of your online accounts have either “password”, “password1” or something similar as their passwords? How many of them have the same password as another account? Does your Facebook account have the same password as your Gmail account?

Here is a link to one page (of thousands) that contains the most commonly used, and therefore worst, passwords of 2011 through 2015.

See.

The biggest problems with passwords are:

  • Password reuse – is your Amazon password the same as your Twitter password?
  • Password entropy

Password Reuse

Let’s say you have a Facebook, a Gmail and an Amazon account. Let’s also say that you used your Gmail account to create your Facebook and Amazon accounts. For the purposes of example, let’s say that your Gmail address is something like “[email protected]”.

This means that your usernames for both Amazon and Facebook are [email protected]

Let’s say that I guess your email account password. Actually here’s the more likely example: let’s say you signed into your email using some public or work computer and forgot to sign out.

If I can get access to that email account, I now have access to your Facebook and Amazon accounts.

Even if your passwords are different for each of these services, all I need to do is reset your password and I’m in.

Not a big problem? Are you sure about that?

Facebook will have your real name, phone number, a list of your friends, your work place, your home on it, and a list of places that you have been recently.

If you’ve entered any of this data, that is. And, let’s be honest, you have.

Amazon has your real name, phone number, address, business address (if you’ve ever had anything delivered to work), address history, and credit card information.

Still not a big deal?

Here’s the more likely situation: You sign into Facebook on a public or work computer and forget to sign out. From the Facebook account, we can get to your email account, from your email account, we can get to your Amazon account.

Heaven forbid you use the same Gmail account for work, too. That was the biggest issue with the LinkedIn hack – since it’s used primarily by business folks, with their work email…

And all that because you used the same password for them all.

And none of this has even touched actively trying to hack into these accounts by cracking the passwords.

Password Entropy

The extremely short version is that the longer a password is, and the more random characters it uses (without any that repeat), the harder it is for a person or a computer to crack.

If you want to read more about how entropy is estimated, you can read the wikipedia article on it, here.

I’m also well aware that it makes it more difficult to remember too (more on that in a moment).

When a computer is trying to break a password, it has two basic ways of doing it:

  • Brute Force
  • Rainbow Tables

There’s actually loads more ways to do it, but these are the most often used.

Brute Force Attacks

Brute Force is what most people do when they forget their password.

I’m sure that it was password12345.

Wait! It isn’t?! Maybe password123456.

What?! Maybe it’s password1234567.

Except that a computer can do it millions of times a second. Usually they’ll either use a dictionary attack or just start at the beginning of the alphabet and work up, adding a letter at a time, until they get in (or the system locks them out).

Dictionary attacks are basically when a computer uses a file which contains all the words from a dictionary (might be the English dictionary, or a list of common words and phrases) and tries each one in turn.

But most of the time they use lists of the most common passwords (like the one I linked to earlier).
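As an added example (not from the original post), here is a small Python version of the haystack-style estimate described in the entropy section, next to a dictionary check against a constructed common-password list. The 1e9 guesses per second rate and the character-class sizes are assumptions, not figures from the post.

```python
import math
import string

# Constructed stand-in for the "most common passwords" list the post links to
# (a handful of entries, not the real list).
COMMON_PASSWORDS = {"password", "123456", "password1", "qwerty", "letmein"}

# Character classes the haystack-style estimate recognises, with the size each
# adds to the alphabet an attacker must search.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def pool_size(password: str) -> int:
    """Alphabet size, judged from the character classes the password uses."""
    return sum(size for chars, size in CHARACTER_CLASSES if chars & set(password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate in bits: log2(pool ** length)."""
    return len(password) * math.log2(pool_size(password))


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst case for an exhaustive search of the whole space (assumed rate)."""
    return pool_size(password) ** len(password) / guesses_per_second


def dictionary_hit(password: str) -> bool:
    """A dictionary attack ignores entropy: a listed password falls on pass one."""
    return password.lower() in COMMON_PASSWORDS


def crack_report(password: str) -> dict:
    return {
        "pool": pool_size(password),
        "bits": round(entropy_bits(password), 1),
        "seconds": brute_force_seconds(password),
        "on_common_list": dictionary_hit(password),
    }


if __name__ == "__main__":
    for pw in ("password", "p4ssw0rd", "Password1", "correct horse battery staple"):
        print(pw, crack_report(pw))
```

Note how "Password1" scores a larger search space than "password" yet is on the list, which is the post's point about common passwords.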

Rainbow Tables

Rainbow Tables are a little more complex.

Your password will, hopefully, not be stored by the website, app, or service as plaintext.

Plaintext is what you’re reading right now; you don’t need any kind of decryption system to figure out what these words are. So a plaintext password might look like this:

p4ssw0rd

Whereas an encrypted version of p4ssw0rd might look like this:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

That example uses SHA-1 to encrypt the password. SHA-1 is NOT secure and shouldn’t be used for securing passwords.

Because good websites only store the encrypted version of the password and check that against the encrypted version of what you type, there should never be a way for anyone to guess what the encrypted password actually is.

A good website will “hash” your password (put it through some kind of mathematical equation that will swap all of the characters with something else), but it will also use a “salt” (something that is added to the encryption to add a layer of randomness) before storing your password in their database.

When you enter your password on a login screen, it is passed through these hashing and salting algorithms and THAT is what’s checked against the record of your password in the database.

Well, it is if they don’t store your password in plaintext.

Because going from the plaintext password to the encrypted version is a difficult thing for a computer to calculate, there are groups of nefarious people who have done the hard work for you already. What they produce is Rainbow Tables.

These are collections of the most common passwords (from other leaks) that are already hashed and salted using a range of different encryption methods.

The idea behind these is that, once you’ve made a copy of the website database, you can look at the password fields and figure out which encryption system was used. Then you can use a known decryption system (usually reverse engineered) against all of the passwords in the database, and you’ll have them in hours (versus days and weeks of brute forcing the decryption of a single password).

A very basic version of this was used by the Bombe to break Enigma: figure out the common words and phrases, then use that decryption key to figure out the rest of the message.
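The hashing, salting and lookup-table points above, as an added Python example that is not part of the original post: a constructed precomputed table recovers an unsalted SHA-1 in one lookup (the digest quoted earlier, 5baa61e4…, is SHA-1 of the string "password"), while a random per-user salt makes the same table useless. The table contents and salt length are constructed for the example.

```python
import hashlib
import hmac
import os

# The digest quoted in the post; it is SHA-1 of the string "password".
POST_DIGEST = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"

# Constructed stand-in for a rainbow table: unsalted SHA-1 of a few common
# passwords, precomputed once and mapped back to the plaintext. Real tables are
# far larger and use hash chains, but the lookup step is the same idea.
COMMON = ("password", "123456", "qwerty", "letmein", "p4ssw0rd")
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def lookup_unsalted(stored_hash: str):
    """Attacker's view of a leaked table of bare hashes: one lookup per row,
    no guessing. Returns the plaintext or None."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Server side: draw a random per-user salt, hash salt + password, and keep
    both. SHA-1 is kept here only to match the post's example; a real site
    should use a purpose-built password hash (bcrypt, scrypt or Argon2)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_unsalted(POST_DIGEST))
    salt, stored = store_salted("password")
    print("salted lookup:", lookup_unsalted(stored))  # None: table is useless
    print("login ok:", verify_salted("password", salt, stored))
```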

What Can I Do?

Very little.

Pretty bleak, huh.

If the folks who made the websites and services that you used have protected your password then you should be ok. But only if you use completely different passwords for each website or service that you have an account on.

Seriously, you need different passwords for different things. If I’m able to figure out your password to your Facebook and you use the same password everywhere, then what’s stopping me from logging into your iCloud?

That sounds familiar

In fact, go check one of your passwords here: https://www.grc.com/haystack.htm

Before you ask: I’ve checked, nothing is sent back to any kind of server or stored anywhere.

What that GRC link will do is tell you just how long it will take a computer to guess your password. In fact, here’s what happens when you give it “password”:

GRC Haystack Password

How long it would take a computer to crack the super secure password of “password”

See.

Unique Passwords

Your absolute best bet to reduce the chances of it happening to you is to always use a unique password. But to be able to do that, you should be looking to use a password generator.

There’s an awesome one over on codeshare, which is free to use and adheres to the OWASP password guidelines.

Seriously, go try that password generator out. It’s super cool.

Now that you’ve generated your super strong password, how are you going to remember it? Well, that’s where password managers come in.

The idea with these is to store all of your passwords in one encrypted file with a master password being used to unlock them. I’m not going to compare them, because greater minds than mine have done that for me.

And there are a lot of them out there.

But I will recommend two fantastic password managers:

  • LastPass
  • KeePass

What’s the difference?

Well, LastPass stores your passwords on the cloud and KeePass stores them on your computer.

Whether you want to be able to access your passwords on the go, or just on your computer, will decide which of the two you should use.

So in conclusion:

  • Don’t use the same password in more than one place
  • Use strong passwords everywhere

GaProgMan

Jamie is a .NET developer specialising in ASP.NET MVC websites and services, with a background in WinForms and Games Development. When not programming using .NET, he is either learning about .NET Core (and usually building something cross platform with it), speaking Japanese to anyone who’ll listen, learning about languages, writing for this blog, or writing for a blog about Retro Gaming (which he runs with his brother).