Passwords have been used to identify ourselves to others for thousands of years and more recently to computers.
It’s a simple concept – shared information kept secret between individuals and used to “prove” identity.
Passwords in an IT context emerged in the 1960s with mainframe computers – large, centrally operated computers with remote “terminals” for user access. They are now used for everything from the PIN we enter at an ATM to logging into our computers and various websites.
But why do we have to “prove”
What makes a good password?
Until relatively recently, a good password might have been a word or phrase of only six to eight characters. But guidelines now specify minimum lengths, and the reason is a concept called “entropy”.
In the context of passwords, entropy is a measure of how unpredictable a password is. The math behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”.
If a single-character password may contain only one lowercase letter, there are only 26 possible passwords (“a” through “z”). By adding capital letters, we increase the password space to 52 possible passwords.
The password space continues to grow as the length increases and other types of characters are added.
If you look at the images above, it’s easy to see why we are encouraged to use long passwords with uppercase and lowercase letters, numbers, and symbols. The more complex the password, the more tries it will take to guess it.
The problem with relying on password complexity, however, is that computers can repeat tasks – including guessing passwords – very efficiently.
Last year, a record was set for a computer attempting every possible password: it reached a rate of more than 100,000,000,000 guesses per second.
By harnessing this computing power, cyber criminals can break into systems by bombarding them with as many password combinations as possible. This is known as a brute force attack.
And with cloud-based technology, guessing an eight-character password can be accomplished in just 12 minutes and costs only $34 ($25).
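The password-space argument above, worked through in code as an added example (not part of the original article): the character classes and the 100,000,000,000 guesses-per-second rate come from the text; the chosen lengths and the table layout are mine.

```python
import math
import string

# Character classes discussed in the article; the set sizes are len() of each.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                      # 26
    "lower+upper": string.ascii_letters,                      # 52
    "letters+digits": string.ascii_letters + string.digits,   # 62
    "letters+digits+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}

# Record guessing rate quoted in the article.
GUESSES_PER_SECOND = 100_000_000_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at `rate` guesses per second."""
    return password_space(alphabet_size, length) / rate


def table(lengths=(6, 8, 12)):
    """Rows of (charset, length, space, bits, seconds) for the chosen lengths (my choice)."""
    rows = []
    for name, chars in CHARSETS.items():
        size = len(chars)
        for n in lengths:
            rows.append((name, n, password_space(size, n),
                         round(entropy_bits(size, n), 1),
                         seconds_to_exhaust(size, n)))
    return rows


if __name__ == "__main__":
    for name, n, space, bits, secs in table():
        print(f"{name:24s} len={n:2d} space={space:.3e} bits={bits:5.1f} exhaust={secs:.3g} s")
```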
Since passwords are almost always used to gain access to sensitive data or critical systems, cyber criminals are motivated to actively seek them out. This also powers a lucrative online market that sells passwords, some of which come bundled with email addresses and/or usernames.
How are passwords stored on websites?
Website passwords are usually stored securely using a mathematical process called hashing. A hashed password is not recognizable and cannot be converted back into the original password (the process is irreversible).
When you log in, the password you enter is hashed and compared to the version stored on the site. This process is repeated every time you log in.
For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm.
When faced with a file full of hashed passwords, a brute force attack can be used, in which each character combination is hashed and tried for a range of password lengths. This has become so common that there are websites listing common passwords alongside their (precomputed) hash values. You can simply search for the hash to reveal the corresponding password.
The theft and sale of password lists has become so widespread that a dedicated website – haveibeenpwned.com – lets users check whether their account details are “in the wild”. It now holds more than 10 billion account records.
If your email address is listed on this site, be sure to change the password for the affected account, and change it on any other site where you use the same credentials.
Is more complexity the solution?
You would think that with so many password breaches occurring every day, we would have improved our password selection practices. Unfortunately, SplashData’s annual password survey has shown little change over the past five years.
As computing power increases, the obvious solution seems to be ever more complexity. But as humans we are not able (or motivated) to memorize highly complex passwords.
We have also passed the point where we only have two or three systems that require a password. It is common today to access numerous websites, each of which requires a password (often of varying lengths and complexity). According to a recent survey, there are an average of 70 to 80 passwords per person.
The good news is that there are tools out there that can be used to fix these issues. Most computers now support password storage either in the operating system or in the web browser, usually with the option to share saved information across devices.
Examples of this include Apple’s iCloud Keychain and the ability to store passwords in Internet Explorer, Chrome, and Firefox (though less reliable).
Password managers like KeePassXC can help users generate long, complex passwords and store them securely for when they are needed.
While this location still needs to be protected (usually with a long “master password”), a password manager can provide you with a unique, complex password for every website you visit.
This does not prevent a password from being stolen from a vulnerable website. However, if it gets stolen, you no longer have to worry about changing the same password on all other websites.