<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=158001101211973&amp;ev=PageView&amp;noscript=1">

I Hate Passwords Too: A Quick Guide to Secure Passwords

Sep 22, 2016 9:00:00 AM

I Hate Passwords Too: A Quick Guide to Secure Passwords

I’m not sure anyone likes passwords.  They’re clumsy, hard to remember and increasingly easy to crack. There are a few things you can do, however, to make your passwords easier to remember and more secure.

How Passwords Work

A well-written program (which is most today) will not directly store passwords in its database. Direct storage makes it so that anyone with read access to the database (like the system administrator) can easily see the password and steal it. This is dangerous for everyone. 

Instead, a good programmer stores the password hash in the database. This is a long string of numbers and letters that are generated by a hash algorithm. This is a one-way mathematical function that always generates the same result from the same input, but can’t be worked backward to determine what that input was. MD5 is a common hash function today, if you’re the sort of person who loves mathematical details. So, for example, whenever someone enters “password123” as a password, the system instead stores “482c811da5d5b4bc6d497ffa98491e38”. As computers are growing more complex, though, databases of hashes are popping up, enabling an attacker who steals the hash to look up the plaintext password.

A really good programmer adds a salt to their hash, a secret number that provides a truly unique piece of data that gets stored in the database. Even if the salted password gets stolen, the chances of an attacker restoring the plaintext is very, very small and not worth the time to compute. 

How People Attack Passwords

There are a few strategies for attacking a password. The first is a nontechnical attack. Either the attacker has gained access to a previously used password and checks to see if you’ve reused your password on other sites (statistics say yes …) or the attacker has done enough homework to be able to guess at things you might use as a password. In either case, using things like names, dates of birth, phone number, or previously reused passwords between sites make it far easier for the attacker. The attacker might even read the Post-it notes around your computer. Please don’t write your passwords on Post-its …

The second is a dictionary attack, where the attacker provides a program with a list of common words and the program tests each one as quickly as possible to see if the victim has used any common words as a password. This succeeds more often than you’d think, based on the most commonly used passwords.  (Be aware that there are obscene passwords on that list! Seriously, who wants to type that every day?) So, common words are out too.

The final (and unavoidable) attack is a brute-force attack. This starts one character at a time and tries a followed by b followed by c, and so on until z, when it starts over with aa, ab, ac and so on to zz. This will eventually turn up the password, but it takes time and a LOT of login attempts. You know how your phone or computer locks you out for a while after five or six failed attempts of entering your password? This is why. We can’t stop brute-force attacks, but we can make them a lot harder.

Length vs. Keyspace

There are two ways to make a password harder to access by brute force: Make it longer or increase the keyspace. 

Making it longer is a pretty obvious solution. It takes longer to type a longer password, but each additional character multiplies the number of possibilities by a factor of 26:

Number of Characters (assuming az keyspace)

Possible Combinations

1

26

2

676

3

17,576

4

456,976

5

11,881,376

6

308,915,776

7

8,031,810,176

8

208,827,064,576

9

5,429,503,678,976

10

141,167,095,653,376

Increasing the keyspace is another strategy, where added to the az letters are capital letters (another 26 possibilities), numbers (another 10), and symbols (another 30 or so). This means that even our single-character password now has 92 possibilities to attack, a huge improvement over 26 in the az option.

Combining these efforts makes for a very secure picture:

Number of Characters (full keyspace)

Possible Combinations

1

96

2

9,216

3

884,736

4

84,934,656

5

8,153,726,976

6

782,757,789,696

7

75,144,747,810,816

8

7,213,895,789,838,336

9

6.925339958244803e+17

10

6.64832635991501e+19

If my math is right, that means that if a 10-character password using the full keyspace is attacked by someone who can try 1,000 passwords every second, then it could take up to 2.1 billion years to crack, by which time we’ll probably all be with Jesus anyway, enjoying the complete absence of passwords. (In practice, it might be far faster, of course, and is likely to be because even brute-force attacks have gotten more strategic.)

Making Complexity Memorable

Okay, so no names or anything else important to you, no common words, use at least one capital letter and at least one number and at least one symbol, make it at least 8–10 characters long, and use a different password for every system.  No problem, right?

Right?

It’s impossible. Humans aren’t actually wired to remember completely abstract information like that, much less so much of it for so many sites. So what are our options?

Use a password manager like LastPass or others to generate and store unique passwords behind a single long keyphrase. This means you only have to remember one piece of abstract data (we’ll talk about that in a moment) rather than one piece per site. These are relatively easy to use, and they offer business plans that can make it affordable for even smaller ministries to ensure their data is safe.

But how do we remember the key phrase (or any other password)? We generate something that is secure, but memorable. Start with picking two to three random words (more for a keyphrase). Consider using a random word generator to make it truly random. For example, I just pulled the words drone, fighting, happy, noise, guild, and debug. From these words, I make a sensible sentence that uses many of them: “The drone fighting guild made happy noise!” Once I’ve got that stuck in my head, I make a password out of it: dronefightingguildhappynoise. To increase my keyspace and make it more memorable, I’m going to add capitals (DroneFightingGuildHappyNoise), a number (Dr0neFightingGuildHappyNoise), and a symbol (Dr0neFightingGuildHappyNoise!). I’ve now got a fairly secure password that I've already memorized and I can never use because you all know it already. 

There are other options (biometrics, etc), but we’ll save those for another day. 

General Principles

  1. Do NOT store passwords in your browser. Many people store them in plaintext, meaning that someone who gains access to your computer can acquire your passwords.

  2. Complex is good, but longer is always better. If you have to choose, pick a long password that you can easily remember. 

  3. Two-factor authentication is your friend. This is where a service requires a code number (delivered by text or a keychain) in addition to the password to log in. Even if an attackers gain your password, they can’t access your accounts.

  4. Don’t reuse passwords. Seriously, just don’t. Break-ins are too common to make it easy on attackers.

  5. Get rid of your Post-its!


For more information on how to protect your church from cyber-criminals, check out our ebook titled "Protecting Your Church against Ransomware."

Download the Ebook

Rev. Bill Johnson

Written by Rev. Bill Johnson

Rev. Bill Johnson serves as the Director of Educational Technology at Concordia Theological Seminary, Fort Wayne. He’s passionate about finding effective ways to share the Gospel with emerging generations and new ways to use technology to form the next generation of servants for the Church. He lives in Fort Wayne, Indiana, with his wife and three teenage daughters. Please pray for him.

Lists by Topic

see all