Passwords 101

Everything you should know about passwords

Ansh Verma
7 min read · Feb 27, 2022

This blog post will cover absolutely everything important to know about passwords and is organized to introduce passwords at a basic level and slowly transition to more advanced topics.

Photo by Desola Lanre-Ologun on Unsplash

What Are Passwords

A password is a string of characters that you use to verify your identity or authenticate access to a digital system. They are most commonly used to log in to online accounts in combination with a username or email, but they can also be implemented for other applications such as Wi-Fi, encryption, and device logins.

We all know that keeping your accounts secure is important. In the event of one of your accounts becoming compromised, you could be the victim of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.

Password Strength

Most websites force you to meet certain minimum requirements such as having a minimum length of 8 characters, an uppercase letter, a lowercase letter, a number, and a special character.

Source: Randall Munroe https://xkcd.com/936/

When picking a password to use that matches these requirements, it is important to use a password that is difficult for someone to guess, but easy for you to remember.

A common technique used by hackers to guess your password is to brute force it; that is, trying every combination of characters until the correct one is found. Computers have become incredibly powerful and can go through each of these combinations with little difficulty. However, having a complex password can increase the required computation time from just a couple of seconds to billions of years.

If you would like to test how much time it would take for someone to brute force your password, check out this website to locally check your password strength: https://howsecureismypassword.net/
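To make the "seconds to billions of years" range concrete, here is an added example (not part of the original post) that estimates how large a brute-force search space is, for both character-class passwords and xkcd-936-style word passphrases; the guess rate is an assumption, not a measurement:

```python
import string

# Character classes a typical complexity rule checks for.
CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation,         # 32
}

def keyspace(password: str) -> int:
    """Search space a naive brute-forcer must cover: (alphabet size) ** length.
    The alphabet is the union of the character classes actually present."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)

def passphrase_keyspace(word_count: int, dictionary_size: int) -> int:
    """Search space for a passphrase of random dictionary words (what an attacker
    who knows the word list has to cover; the xkcd 936 approach)."""
    return dictionary_size ** word_count

def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the space at a given guess rate."""
    return space / guesses_per_second

def human_time(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    RATE = 1e10  # assumption: 10 billion guesses/s against an offline fast hash
    for pw in ["password", "Tr0ub4d&3"]:
        print(f"{pw!r} by brute force: {human_time(seconds_to_crack(keyspace(pw), RATE))}")
    words = passphrase_keyspace(4, 7776)  # 4 words from a 7776-word (diceware) list
    print(f"4 random words by dictionary attack: {human_time(seconds_to_crack(words, RATE))}")
```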

Secure Password Storage

If you are interested in learning about how passwords are securely stored in a database, I encourage you to read my blog post on Hashing which goes into great detail on this topic.

Password Managers

Not only is it important to be using difficult-to-guess passwords, but you should also not be reusing the same password across multiple accounts for the sake of “rememberability.” Having to remember potentially hundreds of strong, unique passwords for all your accounts and services is simply not practical without the use of external aid. While that could include jotting all your login details on a Post-It or saving them to your favorite “note taking” app, these are both insecure and inconvenient.

The best option is to use a password manager. A password manager can help to take your mind off remembering a long list of passwords or eliminate the hassle of trying to find your password in OneNote.

Depending on which one you choose, you can get many bells and whistles to help you, but the most basic requirements should be that it has:
1. Password generator
2. Password autofill
3. Ability to sync passwords to all devices (optional based on your viewpoint on cloud storage privacy)

There are many options when it comes to choosing a password manager and going through the pros and cons of each of them could be its own article. However, here are a few popular options that are worth considering:
1. Bitwarden
2. Dashlane
3. KeePass (More Advanced)
4. LastPass
5. Your device/browser’s built-in password manager (iCloud Keychain, Edge passwords, Google password)

Password Alternatives

Multifactor Authentication (MFA)

Multifactor Authentication is a system through which you are given access to a system only after having presented all the required pieces of authentication. Many services, from banking to social media apps, offer MFA as an option to provide extra protection for your accounts beyond a strong password.

There are four main means of authentication (factors) that a system can utilize:

  • Something you know (Password or PIN code)
  • Something you have (Security Key or Authentication App)
  • Something you are (Thumbprint or Retinal scan)
  • Somewhere you are (GPS or IP Location)

Generally, MFA systems utilize at least two of the aforementioned factors, commonly known as Two Factor Authentication (2FA), but you may have also come across high-security systems which require three or even all four factors before successfully authenticating.

Using an MFA system can be useful if you want to ensure that, even if one of the given factors is compromised, an attacker will be unable to access any of the secured data. Though MFA does not guarantee that only the authorized user is indeed accessing the service, it does help slow down or reduce the likelihood of an outside attack. This is also the reason that many services will require you to set up at least 2FA on your accounts.

However, Multifactor Authentication should not be confused with passwordless authentication; while your device might have a biometric scanner such as a fingerprint reader or Face-ID, unless you configure it to authenticate with two or more factors you are still only providing just a single factor for authentication.

One Time Passwords (OTP)

A One Time Password is a randomly generated password that is sent to a previously authenticated device. This password will only be valid for one use and will often expire after a couple of minutes.
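The single-use and expiry properties described above are enforced on the server side. As an added example (not code from the original post), here is a minimal server-side OTP store that issues a random code, keeps only a hash of it, and accepts it once within its lifetime; the 120-second TTL and five-attempt budget are assumptions:

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumption: codes expire after two minutes
MAX_ATTEMPTS = 5        # assumption: guess budget for a 6-digit code

class OtpStore:
    """Server-side record of issued codes, keyed by user; stores only a hash."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}   # user -> (code_hash, expires_at, attempts_left)

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        # Bind the hash to the user so a code from one record cannot be replayed on another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str) -> str:
        """Generate a fresh random code for delivery to the user's verified device."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._issued[user] = (self._digest(user, code),
                              self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code   # handed to the sender (SMS/email/push), never logged

    def verify(self, user: str, submitted: str) -> bool:
        """Accept once, within TTL and attempt budget; the record is consumed
        on success, on expiry, or when the budget runs out."""
        record = self._issued.get(user)
        if record is None:
            return False
        code_hash, expires_at, attempts_left = record
        if self._clock() > expires_at:
            self._issued.pop(user, None)
            return False
        ok = hmac.compare_digest(code_hash, self._digest(user, submitted))
        if ok or attempts_left <= 1:
            self._issued.pop(user, None)    # single use / budget exhausted
        else:
            self._issued[user] = (code_hash, expires_at, attempts_left - 1)
        return ok
```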

Single Sign-On (SSO)

Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. With SSO, users can conveniently access applications without being required to authenticate using a new set of credentials. This is also commonly used with businesses to simplify access to various software products.

OAuth

OAuth is an authentication standard that provides limited and secure access for an application to access resources or take action on the user’s behalf, without requiring users to share sign-in information. While this might sound a little confusing, it is just the process through which a third-party app can use an access token to retrieve limited information from an account based on the authorization provided by the user. For more information you can read more about the standard set by the OAuth organization.

Password Shortcomings

Phishing

Phishing is a tactic that preys on unsuspecting users to trick them into typing their sensitive information on an illegitimate website disguised to look legitimate. Phishing messages are often sent through carefully crafted emails, and increasingly target businesses to gain access to corporate infrastructure.

As such, spreading awareness of these attacks is important to make people think twice before clicking on a link (even if it appears to be from a legitimate site) as any information you enter will go directly to the attacker. If you have any doubts, access the website manually by typing what you know to be the site’s URL into your web browser.

Phishing Awareness Poster by Infosec

Keyloggers

A keylogger is a malicious program that is designed to monitor and record any keystrokes made by a user. It can be used by attackers to spy on the user and gain access to all kinds of sensitive information including social security numbers, passwords, or even credit card numbers. You can kind of think of it like someone looking over your shoulder as you use your computer with a full view of everything you are doing. These types of programs can be hard to identify if you are not looking for them, but most up-to-date anti-malware software should be able to detect them.

Social Engineering

Social engineering is a technique used to manipulate someone into sharing confidential information without actually breaking in or hacking a system. Similar to phishing, it preys on human nature and trust to get access to whatever information the attacker is targeting.

You might remember the prominent Twitter hack, where a small group of teenagers successfully tricked employees to provide access to Twitter’s user management tools. By using social engineering, they were able to “mislead certain employees and exploit human vulnerabilities to gain access to [Twitter’s] internal systems.”

Password Stuffing and Leaked Passwords

A leaked password is simply a password that fell into the hands of a bad actor and now exists out on the internet on large lists of username and password combinations. Hundreds of millions of usernames and passwords are leaked every year when websites or apps become the target of data leaks. Leaked usernames and passwords often end up for sale on online forums or black markets.

Attackers can then use a technique called password stuffing or credential stuffing to determine if any of the leaked credentials are valid. Using an automated script to send hundreds of requests per second, they test for valid logins in hopes that someone reused a leaked password across multiple websites. Such an attack can be mitigated through the use of MFA (as described above).

In late 2019, within days of the launch of Disney+, the popular streaming service, customers began complaining that they were being locked out of their accounts or other such disruptions. It was soon revealed that, while Disney themselves had not sustained a data breach of any kind, thousands of accounts had been compromised through a password stuffing attack. This shows just how important it is to avoid reusing the same password across multiple logins.

Unfortunately, in the end, the human is the weakest link, and nothing is secure against the XKCD approach to password cracking:

Source: Randall Munroe https://xkcd.com/538/

Thanks for reading, I hope you learned something new about passwords! If you think I missed an important aspect of passwords or have any other thoughts, please share in the comments. Regardless, make sure you check out some of the other posts on my Medium profile.

Ansh Verma

Computer Science Student at the University of Illinois Urbana Champaign. Sharing opinions and understanding of current topics and developments in technology