Let’s talk passwords

Protect yourself from hackers

Once a new security breach occurs, a familiar alert seems to follow: “We recommend changing your password.” It has become commonplace for companies that have been breached to suggest that their users change their passwords.

What actually happens when passwords are stolen, and why should you change them after a breach? In this lesson we will cover how passwords are stored when you create an account, what hackers do to recover passwords from the data they steal, and what you can do to avoid becoming a victim.

Creating and storing passwords

When you create a new account for a web service, you are prompted to create a password. The password is how you later prove that you are entitled to view the data tied to your account (for example, the messages in your email account). A well-run service does not keep the password itself: once you have created it, it is run through a function known as a hashing function, and only the output of that function is stored.

Wait, what’s a hashing function?

When you enter your password, you are providing input. A hashing function takes that input and produces a fixed-length output, called a hash or digest, that depends on every bit of the input. Run the same password through the same hash function and you always get the same output; change the password by a single character and the output changes completely. Different passwords are expected to produce different outputs (we will come back to the rare exceptions below), which is what lets a service check your password without storing it.

Let’s look at an example. Go to this website and enter a word in the “String Hash” box. Once you press the “Hash” button, scroll down to see the output. The table shows you two different fields: the hashing algorithm and that algorithm’s output. You’ll see that the output is a mix of the digits 0–9 and the letters A–F. This notation is known as hexadecimal; each hex character stands for four bits. If you want to learn more about how binary becomes hexadecimal, click here.

While all hashing algorithms follow the same concept, each algorithm has its own steps and rules for producing its output. A key difference between hashing algorithms is the bit size of the output. As you know, a computer understands only 1s and 0s. The more bits an algorithm’s output has, the more possible outputs there are, and the harder it is for two inputs to end up sharing one.

Hashes of the word “hello”.

For example, the algorithm SHA-256 produces a 256-bit output, as the name suggests. Since each additional bit doubles the number of possible outputs, there is a VERY large number of them: 2^256 (2 to the power of 256) is a 78-digit number, which won’t fit on a calculator’s screen!

When choosing which algorithm to use, programmers also look at something called collision resistance. A collision is when two different inputs run through the same hashing algorithm give the same output.

For example, imagine passing “password” through the MD5 algorithm to get its output. You then pass “GreatJob” through MD5 and notice that the output is the same. That is a collision. Because every output is a fixed number of bits while the inputs are unlimited, collisions must exist for any hash function; the goal is that nobody can find one in practice. Practical collision attacks have been published against MD5 and SHA-1, which is why they are considered broken for this purpose, and newer algorithms such as SHA-256 are designed with far stronger collision resistance.

The benefit of hashing passwords is that hashing is one-way: you can’t feed the output back through the hashing function and get the original input, and there is no known shortcut for recovering it. The only way to check a password is to hash the candidate and compare the result with the stored hash, which, as we’ll see, is exactly what an attacker does too.
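To make the ideas above concrete, here is an added example (not code from the original post) that hashes the word “hello” with three algorithms, shows how many bits each output carries, shows that changing one character changes the whole digest, and then finds a collision on a deliberately shortened 16-bit version of SHA-256. The collision search is the one piece that goes beyond the text: it shows why bit size matters, because the same search on the full 256 bits would take around 2^128 tries. The candidate strings `input-0`, `input-1`, … are just constructed inputs for the demo.

```python
import hashlib

# Added example: the hex digests of "hello" printed below are the real,
# well-known values, so you can compare them with what the web tool shows.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(text: str) -> dict:
    """Return {algorithm name: hex digest} for the given input string."""
    data = text.encode("utf-8")
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def output_bits(hex_digest: str) -> int:
    """Each hex character encodes 4 bits, so the output size is 4 * length."""
    return 4 * len(hex_digest)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many bits differ between two digests of the same length.
    A one-character change to the input flips roughly half the output bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def truncated_prefix(text: str, bits: int) -> int:
    """The first `bits` bits of SHA-256(text), as an integer."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_truncated_collision(bits: int):
    """Find two different inputs whose SHA-256 digests agree on the first
    `bits` bits. This is a birthday search: it needs about 2**(bits/2) tries,
    so 16 bits falls in a few hundred tries, while the full 256 bits would
    need about 2**128 tries and is far out of reach."""
    seen = {}           # truncated prefix -> the input that produced it
    i = 0
    while True:
        candidate = f"input-{i}"          # constructed demo inputs
        prefix = truncated_prefix(candidate, bits)
        if prefix in seen:
            return seen[prefix], candidate
        seen[prefix] = candidate
        i += 1


if __name__ == "__main__":
    for name, hexd in digests("hello").items():
        print(f"{name:7} {output_bits(hexd):3d} bits  {hexd}")
    print("2**256 has", len(str(2 ** 256)), "decimal digits")
    h1 = digests("hello")["sha256"]
    h2 = digests("Hello")["sha256"]
    print("bits changed by capitalising one letter:", differing_bits(h1, h2), "of 256")
    a, b = find_truncated_collision(16)
    print("16-bit truncated collision:", a, "and", b)
```

Run it as a script to see the table; the MD5 output is 32 hex characters (128 bits), SHA-1 is 40 (160 bits) and SHA-256 is 64 (256 bits).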

How hackers steal passwords

When a hacker wants to steal passwords to gain unauthorized access, they have several methods to choose from. Like everyone else, they tend to try the easiest methods first.

Snooping around the office

Photo by Lukas on Pexels.com. NEVER WRITE YOUR PASSWORDS DOWN WHERE THEY CAN BE SEEN IN PLAIN SIGHT!

According to a survey late last year, 39% of respondents indicated that they write down their passwords to remember them. This is the easiest method for hackers! Hackers will look for information in plain sight first, since this requires the least work and takes the least time.

Hackers will also dumpster dive outside offices in the hope of finding information they can use in their attacks. If you have sensitive information you need to throw out, shred it so an attacker is less likely to get hold of it.

Phishing for some bites

Phishing is when a hacker contacts their target(s) by email or text message while posing as a legitimate individual or institution, in the hope that the target(s) will hand over the information the hacker is after, often by typing a password into a look-alike login page.

Example of a phishing text message.

If you are using a desktop computer, you can hover over any link included in an email without clicking it. Look at the bottom of your screen (the status bar of your browser or mail client) and you can see the actual address the link would take you to. If that address does not match the text of the link, or the site the sender claims to be, it’s a clear sign that you are dealing with a phishing email. On a phone, a long press on the link usually shows the same information.

Example of a phishing email. Notice the odd email address the email is from, and the very long link you would be directed to if you pressed unsubscribe.

While some emails are clearly phishing attempts (such as an unsolicited email, or one full of grammatical errors), some phishing emails look exactly like the real thing. If something seems off, don’t be afraid to check with the sender whether it really came from them, but do it through a channel you already trust (a phone number or address you looked up yourself), not by replying to the suspicious message. In other words, you can never be too cautious!
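The “hover and compare” check described above can be done automatically. The following is an added example, not code from the original post: it pulls every link out of an HTML email body and flags a link whose visible text names one site while the real address points at another, as well as the classic `user@host` trick where the text before the `@` is not the host at all. The email body, the site names (`yourbank.example`, `login-verify.example`) and the IP address are all constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing-style email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your account is on hold. <a href="http://login-verify.example/secure">
https://www.yourbank.example/login</a> to restore access.</p>
<p>Or <a href="https://www.yourbank.example@203.0.113.7/">click here</a>.</p>
<p>Questions? Visit <a href="https://www.yourbank.example/help">www.yourbank.example/help</a>.</p>
<p><a href="https://t.example/u/3f9a8c1d2e4b5f6a7b8c9d0e1f2a3b4c">Unsubscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_like: str) -> str:
    """Hostname of a URL; also accepts 'www.site.example/path' with no scheme."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def suspicious_links(html: str) -> list:
    """Return [(visible text, href, [reasons])] for links that fail the checks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        parts = urlsplit(href)
        reasons = []
        if "@" in parts.netloc:
            # Everything before '@' is userinfo; the browser goes to the part after it.
            reasons.append(f"'@' in URL: real host is {parts.hostname}")
        if looks_like_url(text) and host_of(text) != host_of(href):
            reasons.append(f"text shows {host_of(text)} but link goes to {host_of(href)}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Note what this does not catch: the “Unsubscribe” link with the long tracking URL is not flagged, because nothing in its visible text contradicts its address. Checks like this reduce the obvious cases; the advice to verify through a trusted channel still stands.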

Using brute force

We have established that passwords are stored in a hashed state. So that means we’re all safe, right? Not quite. When hackers steal the stored hashes, they can run password-cracking programs offline, on their own hardware, with no login page to slow them down or lock them out. These programs guess candidate passwords, hash each guess with the same algorithm the site used, and compare the result with the stolen hash; a match reveals the password.

Whenever you create a password, you will see that the requirements usually ask for at least 8 characters, with a mix of upper- and lowercase letters, numbers, and a special character, such as the $ sign. You will also see that it’s recommended you don’t use dictionary words or common passwords.

The reason you see these recommendations is that hackers can use a variant of brute force called a dictionary attack. In a dictionary attack, the hacker gives their cracking program a file of dictionary words and commonly used passwords (lists of the most common passwords from past breaches are easy to find online). Because the program only has to hash the entries in that file rather than every possible combination, if a word in the file produces the stolen hash, the hacker discovers the password quickly, sometimes almost instantly!

An even faster method, against hashes that were stored without a salt (more on that below), is a rainbow table. Instead of hashing guesses one at a time during the attack, the attacker precomputes the hashes of a huge number of candidate passwords for a given algorithm ahead of time and stores them in a compressed form that trades storage space for cracking time. Once the table is loaded into the password-cracking software, recovering a password becomes a lookup rather than a fresh computation. Rainbow tables have been shown to recover 14-character alphanumeric passwords from older, unsalted hash formats in minutes, depending on the attacker’s hardware and the size of the table.

If these two methods don’t return a password, the program falls back to pure brute force. Hackers usually give the program a range for the password length, from the minimum number of characters the password MAY have to the maximum, along with the set of characters to try. With that information and the stolen hash, the program tries every single possible combination until it gets a match.

Depending on how strong the password is, the hacker may have given up, or the breach may be long over, before the program finds the password: every extra character multiplies the number of combinations by the size of the character set. This video shows how a program can brute force a PIN, if you are interested in seeing brute force in action.
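Here is the cracking order just described, dictionary first and brute force last, as an added example that is not part of the original post. The “stolen” hash set, the user names and the tiny wordlist are all constructed for the demo (real wordlists hold millions of entries), and the plaintexts appear in the code only so it can build the hashes; an attacker would see only the hashes. The `keyspace` function shows the arithmetic behind the length advice: it counts how many guesses a full brute force over a length range has to consider.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the weak storage scheme this demo attacks."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed demo data, not a real breach. The attacker only has the hashes.
STOLEN_HASHES = {
    "alice": sha256_hex("sunshine"),                      # a dictionary word
    "bob":   sha256_hex("cat"),                           # short, lowercase only
    "carol": sha256_hex("correct horse battery staple"),  # long passphrase
}

# Constructed wordlist; real ones (e.g. rockyou.txt) hold millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon", "iloveyou"]


def dictionary_attack(target_hex: str, wordlist: list):
    """Hash each candidate and compare. Returns (password or None, attempts)."""
    for attempts, word in enumerate(wordlist, start=1):
        if sha256_hex(word) == target_hex:
            return word, attempts
    return None, len(wordlist)


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates a brute force over min_len..max_len must consider."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def brute_force(target_hex: str, charset: str, min_len: int, max_len: int, limit=None):
    """Try every combination of `charset` from min_len to max_len characters.
    `limit` caps the number of attempts so a demo cannot run forever."""
    attempts = 0
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
            if limit is not None and attempts >= limit:
                return None, attempts
    return None, attempts


def crack(target_hex: str, wordlist: list, charset: str, min_len: int, max_len: int, limit=None):
    """The order the text describes: cheap dictionary first, brute force last.
    Returns (password or None, method, total attempts)."""
    password, n = dictionary_attack(target_hex, wordlist)
    if password is not None:
        return password, "dictionary", n
    password, m = brute_force(target_hex, charset, min_len, max_len, limit)
    return password, "brute force", n + m


if __name__ == "__main__":
    lower = string.ascii_lowercase
    print("candidates, 1-4 lowercase letters:", keyspace(26, 1, 4))
    print("candidates, exactly 8 printable ASCII chars:", keyspace(94, 8, 8))
    print("candidates, exactly 12 printable ASCII chars:", keyspace(94, 12, 12))
    for user, stolen in STOLEN_HASHES.items():
        print(user, "->", crack(stolen, WORDLIST, lower, 1, 4, limit=500_000))
```

Running the script, alice falls to the dictionary on the fifth guess, bob falls to the brute force after a couple of thousand guesses, and carol survives the whole 1 to 4 character search because her passphrase is simply not in the range being tried; the attacker would have to widen the range, and each extra character multiplies the work by the size of the character set.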

How to keep yourself protected

Fortunately, it’s not rocket science to protect your passwords from being stolen and cracked. Experts say you should aim for a minimum of 12 characters, and longer is better: length does more to defeat brute force than any single special character, because each added character multiplies the search space. Use a password manager if you have difficulty remembering your passwords, especially if you’ve made them long and random.

Another thing you should practice is creating a different password for each website or service you use. Yes, this makes remembering which password belongs to which site a lot harder (a password manager solves that). When you think like a hacker, however, you’ll realize that hackers will try a stolen password on every other service you may use, a technique known as credential stuffing. If you use the same password for everything, one breach gives the hacker access to far more than you might imagine.

And finally, make sure you change your passwords, especially if you receive a breach alert from a website: the stolen hash may be cracked eventually, so the old password should be retired everywhere you used it. How often you change your passwords otherwise is really up to you.

Wait, didn’t you say rainbow tables can break passwords of 14 characters quickly?

Photo by Artem Beliaikin on Pexels.com

While rainbow tables can certainly break unsalted passwords easily, most system administrators salt passwords. A password salt is a string of random characters that is added to the password the user has given before it is passed to the hashing function; the salt is stored next to the hash so the server can repeat the step when you log in. Because each user has their own unique salt, the stored hashes will always differ, even if multiple users have exactly the same password, and a table precomputed for one salt is useless against every other salt. Note that a salt by itself does not slow down a dictionary or brute-force attack on a single account; for that, modern systems use deliberately slow, iterated password hashes (such as PBKDF2, bcrypt, scrypt or Argon2) that make every guess expensive.
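The following added example (not code from the original post) serves both the rainbow-table section above and this one. It builds a toy rainbow table for unsalted SHA-256 over a deliberately tiny space of four lowercase letters, looks up a password through it, and then shows that the very same password with a salt in front of it is not found. It finishes with the storage scheme a site should use instead: a random per-user salt plus a slow, iterated hash (PBKDF2 from Python’s standard library, which is one of the options named above). The chain length, the number of chains and the `7919` stride used to spread the start points are arbitrary demo parameters, and the passwords are constructed.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4                              # toy keyspace: 4 lowercase letters
KEYSPACE = len(ALPHABET) ** PW_LEN      # 456,976 possible passwords
CHAIN_LEN = 100                         # hash/reduce steps per chain (demo value)
NUM_CHAINS = 2000                       # chains kept in the table (demo value)


def sha256_raw(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_sha256(salt: bytes, password: str) -> bytes:
    """Plain hashing with a salt prepended, as described in the text."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def index_to_password(n: int) -> str:
    """Map an integer 0..KEYSPACE-1 to a candidate password (base-26 digits)."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """The 'reduction' step: turn a hash back into *some* candidate password.
    Mixing in the column number is what makes this a rainbow table rather than
    a plain hash chain; it keeps chains from merging as easily."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def build_table() -> dict:
    """Precompute NUM_CHAINS chains of CHAIN_LEN hash/reduce steps and keep only
    endpoint -> start. This is the slow part; it is done once and reused."""
    table = {}
    for i in range(NUM_CHAINS):
        start = index_to_password((i * 7919) % KEYSPACE)  # spread-out start points
        password = start
        for column in range(CHAIN_LEN):
            password = reduce_to_password(sha256_raw(password), column)
        table[password] = start
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind an unsalted SHA-256 digest, if a chain covers it."""
    for guess_column in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sat at guess_column and walk the chain to its end.
        password = reduce_to_password(target, guess_column)
        for column in range(guess_column + 1, CHAIN_LEN):
            password = reduce_to_password(sha256_raw(password), column)
        if password in table:
            # Endpoint matched: regenerate that chain and look for the target.
            password = table[password]
            for column in range(CHAIN_LEN):
                if sha256_raw(password) == target:
                    return password
                password = reduce_to_password(sha256_raw(password), column)
    return None     # not covered by the table (or a false alarm from a merge)


def covered_password(table: dict) -> str:
    """A password the table certainly covers: the 10th link of one of its chains."""
    password = next(iter(table.values()))
    for column in range(10):
        password = reduce_to_password(sha256_raw(password), column)
    return password


# What a site should do instead: random per-user salt plus a slow, iterated hash.
def store_password(password: str, iterations: int = 600_000) -> tuple:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    table = build_table()
    pw = covered_password(table)
    print("unsalted SHA-256 of", pw, "-> table says", lookup(table, sha256_raw(pw)))
    print("same password, salted -> table says", lookup(table, salted_sha256(os.urandom(16), pw)))
    record = store_password(pw)
    print("PBKDF2 verify correct/wrong:", verify_password(pw, record), verify_password("zzzz", record))
```

Two things to notice when you run it. The table stores only 2,000 endpoints yet lets you recover passwords from a space of 456,976, which is the storage-for-time trade the text describes; real tables do the same with billions of candidates. And the salted lookup fails even though the table is for the same algorithm and the same password, because the attacker would need a separate table for every salt value.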

Conclusion

Yes, security breaches appear to be on the rise. With technology becoming more powerful every time you blink, the need for stronger security increases. By being aware of your password habits, and choosing your passwords well, you can make it harder for hackers to take control of your digital presence.

Sources

Brecht, Daniel. “Password Security: Complexity vs. Length [Updated 2018].” Infosec Resources, 20 Sept. 2019, resources.infosecinstitute.com/password-security-complexity-vs-length/#gref.

Gibbs, Samuel. “Passwords and Hacking: the Jargon of Hashing, Salting and SHA-2 Explained.” The Guardian, Guardian News and Media, 15 Dec. 2016, http://www.theguardian.com/technology/2016/dec/15/passwords-hacking-hashing-salting-sha-2.

Lord, Nate. “Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic).” Digital Guardian, 14 Dec. 2018, digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic.

Rouse, Margaret, and Matthew Haughn. “What Is Rainbow Table? – Definition from WhatIs.com.” WhatIs.com, Jan. 2015, whatis.techtarget.com/definition/rainbow-table.

“Understanding Password Authentication & Password Cracking.” Wordfence, 25 June 2018, http://www.wordfence.com/learn/how-passwords-work-and-cracking-passwords/.

“Understanding Rainbow Table Attack.” GeeksforGeeks, 10 June 2018, http://www.geeksforgeeks.org/understanding-rainbow-table-attack/.

“What Are Hash Functions.” Learn Cryptography, learncryptography.com/hash-functions/what-are-hash-functions.
