Massive data breaches over the past several years have shown that you can’t trust online service providers to keep your account information secure. So, if you haven’t done this until now, it’s time to carefully consider what and how you share with such companies, starting with your password.
First off, if you continue to use the same password for multiple accounts across different websites, you’re doing online security wrong. Just head over to HaveIBeenPwned.com and marvel at the list of user databases that have been compromised over the past 10 years.
Go through the descriptions of those breaches and one thing will become clear: It typically takes years before data thefts are discovered by the affected services. During that time the stolen information is sold among cybercriminals who exploit it for profit.
A MySpace breach of 360 million accounts that happened in 2008 only came to light in 2016. The full scale of the 2012 LinkedIn breach, 164 million accounts, only became known in 2016, and a Dropbox breach of 68 million accounts from 2012 was only confirmed and acted upon in August 2016. The examples go on and on.
After repeated investigations over the past year, Yahoo, which is now owned by Verizon, recently came to the conclusion that its entire user base of 3 billion accounts was compromised back in 2013.
This means that if you’re confident in your password being safe now, it might take years until you learn that it’s actually been compromised and possibly used to access your information. Be smart and limit the damage: Use one unique password per account.
How are Passwords Hacked?
Websites don’t typically store passwords in plain text in their databases if they follow the minimum security best practices. Instead, they store cryptographic representations of those passwords called hashes.
Hashing is a cryptographic operation that turns data, whether that's a file or a password, into a fixed-length, random-looking string of characters. A specific input always produces the same hash, and the operation should be irreversible: given only a hash, it should be computationally infeasible to find an input that produces it. Unlike encryption, there is no key and no way to decrypt the result, which is why hashes are useful for verifying data rather than for storing it and reading it back later.
In the context of authentication, a website calculates hashes based on users’ passwords when they sign up and then stores those hashes in its database. Later, each time a user logs in, the provided password is hashed again and the result is compared to the value stored in the database. If the hashes match, the user provided the correct password.
It's important to understand that not all hashing functions provide the same level of security. General-purpose functions such as MD5 or SHA-1 were designed to be fast, and a single modern GPU can compute billions of them per second, so password hashes made with them can be brute-forced cheaply. Worse, if no salt is used (a random value mixed into each password before hashing), the same password always produces the same hash for every user on every site. Attackers already have huge lists of passwords paired with their MD5 and SHA-1 hashes, so cracking an unsalted database is a matter of looking up the stolen values in those lists. A salt defeats the precomputed lists but not the brute force; for that, passwords need to be hashed with a deliberately slow, salted function built for the purpose, such as bcrypt, scrypt, Argon2 or PBKDF2.
For example, the 2012 LinkedIn breach exposed password hashes generated with unsalted SHA-1, and the majority of them were cracked within days of the full database surfacing in 2016. In another case, Adobe used encryption instead of hashing to store the passwords of over 153 million accounts. When the company's database was compromised in 2013, it turned out that the passwords had been encrypted with a single key in ECB mode, so identical passwords produced identical ciphertext, and the unencrypted password hints stored alongside them let attackers recover many passwords without ever finding the key.
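The two storage schemes contrasted above, as an added example that is not part of the original article: a fast, unsalted SHA-1 hash like the one in the LinkedIn dump, which a precomputed hash-to-password table cracks without doing any hashing at attack time, next to a per-user salt plus a deliberately slow key-derivation function, which makes the table useless. The six-entry wordlist and the two users are constructed for the demonstration; PBKDF2-HMAC-SHA256 is used only because it ships in Python's standard library (bcrypt, scrypt or Argon2 are the usual production choices), and the last function shows the caveat a practitioner should keep in mind: salting removes the shortcut, but a password that appears in a cracking dictionary still falls to guess-by-guess attack.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist. Real cracking dictionaries hold billions of
# leaked passwords, each already paired with its MD5 and SHA-1 hash.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou", "linkedin"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against every unsalted dump."""
    return {sha1_unsalted(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Against unsalted hashes, cracking is a dictionary lookup."""
    return {h: table[h] for h in stolen_hashes if h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """The stronger scheme: a random 16-byte salt per user plus a slow KDF.

    The salt and work factor are stored next to the derived key so that
    verification can repeat exactly the same computation.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, words):
    """With a salt there is no table to consult: the attacker must run the
    slow KDF once per guess, per user. A dictionary word still gets found."""
    for w in words:
        if verify_password(w, stored):
            return w
    return None


if __name__ == "__main__":
    # Constructed scenario: two users who happen to share the same password.
    alice, bob = "letmein", "letmein"
    dump = [sha1_unsalted(alice), sha1_unsalted(bob)]
    print("unsalted SHA-1, identical for both users:", dump)
    print("cracked by lookup:", crack_unsalted(dump, build_lookup_table(WORDLIST)))

    stored_a, stored_b = hash_password(alice, 20_000), hash_password(bob, 20_000)
    print("salted PBKDF2, different strings for the same password:")
    print(stored_a, stored_b, sep="\n")
    print("lookup table finds nothing:",
          crack_unsalted([stored_a, stored_b], build_lookup_table(WORDLIST)))
    print("guessing one by one still works for a dictionary word:",
          crack_salted(stored_a, WORDLIST))
```

The lower iteration count in the demo keeps it quick; the 600,000 default matches current OWASP guidance for PBKDF2-HMAC-SHA256 and is what a server should actually use. Note also that both stored strings for the same password differ only because of the salt, which is exactly the property that stops attackers from cracking one hash and matching it across a whole database.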
Every time you hear a hacked service provider say that the user passwords were encrypted or hashed, without providing any additional technical details, you should be wary and consider those passwords compromised. There’s simply no way to know if the company’s implementation was solid.
So password reuse is bad, but how do you generate and remember dozens of unique, complex passwords, one for each of your online accounts? You don't need to, because there are specialized apps for that.
There’s a large variety of password managers. Some are open source but lack the more advanced features of subscription-based offerings, which generally include automated synchronization of the encrypted password databases across devices and seamless integration with different browsers and platforms.
The most popular open source password management applications are KeePass and Password Safe. KeePass was originally built for Windows, but it has been ported to most other platforms. There’s also a variety of third-party plugins that extend its functionality, adding synchronization with popular cloud storage providers like Dropbox or two-factor authentication using physical security hardware tokens like YubiKey.
Password Safe is another open source password management application that was originally created by renowned cryptographer Bruce Schneier. It also supports two-factor authentication via YubiKey and has third-party ports for Linux, macOS, Android and iOS. However, users have to manually synchronize their password databases between devices.
Proprietary solutions like LastPass, 1Password, Dashlane and Enpass have much better integration with browsers and applications out-of-the-box including auto-fill and auto-login functionality. While unlocking all of their features requires a subscription, some of them offer free versions that might be functional enough for most users. Some antivirus programs also have password management utilities built in.
If you choose a cloud-based solution, find one where the password vault is always decrypted locally, on your device or in your browser, and the cloud service is only used to synchronize the encrypted version of the database between devices.
Also, protecting all your passwords with a single master password that could itself be phished, guessed or stolen by malware is a real risk. To mitigate it, choose a password manager that offers some form of two-factor authentication, where unlocking the password database requires both the password and a code or key generated by a mobile app or a hardware device. Be aware of what the second factor actually protects, though: in many cloud-based managers it gates access to the synced copy of your vault, while a copy already cached on a compromised device is still guarded by the master password alone. KeePass and Password Safe can instead mix a hardware token's challenge-response into the key that encrypts the database file, so the file cannot be opened at all without the token.
Choosing Complex Passwords
Password complexity matters because it can make cracking stolen hashes very hard, even when the hashing algorithm used is weak. Changing passwords periodically is no substitute: if a breach happens and attackers manage to crack one of your passwords, they can use it for weeks or months until your next scheduled change. It's therefore worth making sure that even if your password hash is stolen, attackers are unlikely to crack it in a reasonable amount of time.
Passwords should be at least 12 characters long, and longer is better: each extra character multiplies the attacker's work, most websites accept considerably longer passwords, and you don't have to remember generated ones anyway. They should contain upper and lower case letters, numbers and special symbols; spaces are generally allowed too.
The good news is that many password management applications provide a password generation function where you can choose the criteria based on which passwords will be constructed.
There will be a few cases where you’ll have to remember passwords. For example, the master password that unlocks your password database or the passwords for very important accounts like email.
Your email is the gateway to most of your other online accounts: it's where password recovery and reset links go in situations where you're unable to access your password manager for whatever reason, so keeping control of your email account is your fallback.
For such important accounts, you should use passphrases: Sentences made up of words, dates and names that are seemingly random to other people, but which make sense to you and can be easy to remember. You shouldn’t use anything predictable based on information that can easily be found online about your life.
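The generator function that password managers offer, and the passphrase advice above, as an added example that is not part of the original article: random passwords drawn from the 95 printable ASCII characters, random passphrases drawn from a word list, and the entropy arithmetic that explains why 12 characters is the floor. The 16-word list is constructed and deliberately tiny (a real list such as the EFF long list has 7776 words, about 12.9 bits per word instead of 4), and the 10^11 guesses per second used in the crack-time estimate is an assumed figure for a GPU rig attacking a fast hash like MD5 or SHA-1, not a number from the article.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 + 1 = 95 printable ASCII symbols, space included.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed, deliberately tiny word list: only log2(16) = 4 bits per word.
SMALL_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier",
               "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow",
               "nimbus", "orchid", "pebble"]


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password. `secrets` uses the OS CSPRNG; never use
    `random` for this, its generator is predictable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, n_words: int = 6, sep: str = " ") -> str:
    """Passphrase of words picked uniformly at random from `words`.
    Words you choose yourself are not random and carry far fewer bits."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """log2 of the number of equally likely outputs the generator can make."""
    return symbols * math.log2(choices_per_symbol)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e11  # assumed: ~10^11 fast-hash guesses per second on a GPU rig
    print("generated password  :", random_password(20))
    print("generated passphrase:", random_passphrase(SMALL_WORDS, 6))
    for n in (8, 12, 20):
        bits = entropy_bits(len(PRINTABLE), n)
        print(f"{n:2d} printable chars: {bits:5.1f} bits, "
              f"~{expected_crack_years(bits, RATE):.2e} years at {RATE:.0e}/s")
    for words, name in ((SMALL_WORDS, "16-word list"), (range(7776), "7776-word list")):
        bits = entropy_bits(len(words), 6)
        print(f"6 words from a {name}: {bits:5.1f} bits, "
              f"~{expected_crack_years(bits, RATE):.2e} years")
```

Run it and the numbers speak for themselves: 8 printable characters (about 52 bits) fall in well under a day at that guess rate, 12 characters (about 79 bits) take tens of thousands of years, and a six-word passphrase is only strong when the list it was drawn from is large. The arithmetic assumes the hash is fast and unsalted; a slow KDF on the server divides the guess rate by its work factor on top of this.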
Passwords Aren’t Everything
Many online services offer two-factor authentication (2FA), which combines something you know (the password) with something you have (a phone or a hardware token). In addition to the password, these schemes require the user to provide a one-time code that is sent over SMS or email (the weakest option, since messages can be intercepted or redirected through SIM swapping and the email account itself may be compromised), generated by a mobile app like Google Authenticator, or supplied by a dedicated hardware token like a YubiKey or a smart card.
Even when 2FA is enabled, some services allow users to mark their devices as trusted. This effectively disables 2FA when the accounts are accessed from those devices for a specific period of time — for example, 30 days. While this feature improves usability, it’s based on the assumption that those devices are secure and haven’t been compromised, so use it with care. If you have reason to believe that your computer or phone has been compromised, immediately log into your accounts and remove all trusted devices and kill all active sessions — some services allow you to do that.
Feature image via Pixabay.