Move over Drake, this October we’re celebrating Cybersecurity. In the spirit of cybersecurity awareness month, let’s get real nerdy about how passwords are protected, what happens in a data breach involving passwords, what companies are doing to protect your passwords, and what you need to do in order to protect yourself.
When the digital age was still in its infancy, programmers and engineers were focused on discovering what this new computing power could do and on developing use cases for it. Early databases, applications, TCP/IP and WiFi were all proofs of concept, and the effort went into the capability and viability of the tools; security was an afterthought. Passwords were stored in plaintext, authentication methods were weak, and in some instances you only needed a username to log in. Over time, as criminals began leveraging the new technology to wreak havoc, the industry pivoted and more weight was given to securing the platforms it had built. Authentication methods became more secure and passwords were protected; security was becoming a forethought.
Plaintext password storage should by now have been sunsetted, with the industry having moved to hashing passwords before storing them. However, plaintext password breaches still occur. In January 2021, a breach of Daily Quiz was identified in which 8.3 million plaintext passwords were exposed and sold. And it is not just obscure one-off companies that fall into this poor practice: Robinhood, Google and Instagram all admitted to having stored plaintext passwords as late as 2019.
There are multiple issues with storing plaintext passwords, the biggest of which is that 65% of people reuse their passwords across sites. That makes them vulnerable to a password reuse (credential stuffing) attack: a criminal buys your username and password for about $20 and tries the same pair on other websites, including your email, to lock you out of the account that receives your password resets. You can check whether your credentials have appeared in a breach via sites like Have I Been Pwned or Mozilla's Firefox Monitor. If you find that a password was breached and you have reused it elsewhere, change it everywhere as soon as possible.
Hashing a password should be the bare minimum for modern password storage. When you create an account on a new site, you enter your password and hit create; the site runs the password through a one-way hash function and stores the output in the database. What is stored is no longer the password itself, so anyone who obtains the database sees only the hash output, never your password. When you log back in and enter your password, the site runs the same hash function over what you typed and checks whether the output matches the hash stored for your account.
That was the industry standard for a decade or so, but criminals caught up and began building rainbow tables, some of which are publicly available. These tables are precomputed lookup structures mapping hashes back to every candidate password of roughly 1-10 characters (or potentially more), computed once and reused against any leaked database. After criminals obtain a database of unsalted hashed passwords, they can, in essence, perform large-scale vlookups to recover each person's password, because the same password always produces the same hash.
With the rise of rainbow tables, the cybersecurity industry again pivoted and introduced salt. Similar to the nonce we learned about in class for blockchain, a salt is a set of random characters combined with the password before it is hashed. The salt is stored in the same database, next to the username and the hashed password; it is not a secret. When a user creates an account, the system generates a unique random salt for that account (14 or more characters, say), appends it to the password the user chose and runs the combination through the hashing algorithm. The output of password + salt is stored in the database, along with the salt itself. The next time the user logs in, the system takes the entered password, appends the stored salt, hashes it and compares the result to the stored hash; if it matches, the user is allowed in. This negates the feasibility of rainbow tables: because every account has a different salt, a precomputed table would have to be built per salt value, which removes the one-time precomputation the table relied on. What salt does not do is slow down guessing against a single account, so the hash itself should be a deliberately slow function such as bcrypt, scrypt or Argon2 rather than a single fast SHA-256.
Finally, as an extra step on top of salting, current best practice can add pepper to that hash. Pepper is similar to salt in that it is extra material mixed into the password before it is hashed. It differs from salt in that it is the same for all accounts and is stored outside the user database (in application configuration, a secrets manager or an HSM), so it is meant to be safeguarded and never exposed in a breach of the password table. Without the pepper, an attacker who steals the table cannot even check candidate passwords offline, let alone use a rainbow table. Pepper is defence in depth, not a substitute for the basics: the hash itself should be a deliberately slow, memory-hard password hashing function such as bcrypt, scrypt or Argon2, so that each guess costs the attacker real time even when the salt and pepper are known.
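The progression above (unsalted hash, rainbow-table lookup, per-account salt, pepper plus a slow hash) as one runnable walk-through. This is an added example, not code from the original article or from any company it mentions; the wordlist and the pepper value are constructed for the demonstration, the `PEPPER` constant stands in for a secret that a real deployment would keep outside the database, and scrypt is used as the slow hash (bcrypt or Argon2 would serve the same purpose).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data for this demonstration: a tiny wordlist standing in for
# the 1-10 character keyspace that a real rainbow table would cover.
WORDLIST = ["password", "123456", "qwerty", "B0$t0n617", "letmein"]

# Hypothetical pepper: in a real deployment this lives outside the user database
# (application config, a secrets manager or an HSM), never in the same table.
PEPPER = b"hypothetical-pepper-kept-out-of-the-database"


def unsalted_hash(password: str) -> str:
    """Bare SHA-256 of the password: 'hashing' with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once and reuse it against any leaked database.
    A real rainbow table compresses this with hash chains, but the effect on
    unsalted hashes is the same: one lookup per stolen hash."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """The 'vlookup' step: recover a password from an unsalted hash, if the table has it."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. The salt is random per account and stored
    beside the hash in the clear; it is not a secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted_by_guessing(stored_hash: str, salt: bytes, words) -> Optional[str]:
    """Salt defeats precomputation, not guessing: the attacker simply re-hashes every
    candidate with this one user's salt. A fast hash like SHA-256 runs at billions of
    guesses per second on a GPU, which is why the stored hash should come from a
    deliberately slow function instead (see make_record)."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


def make_record(password: str, pepper: bytes = PEPPER,
                salt: Optional[bytes] = None, n: int = 2 ** 14) -> Dict[str, str]:
    """A hardened user record: random 16-byte salt stored in the row, a secret
    pepper applied via HMAC before hashing, and scrypt (memory-hard, tunable cost)
    instead of a single fast hash. The salt parameter exists only for testing."""
    salt = os.urandom(16) if salt is None else salt
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.scrypt(peppered, salt=salt, n=n, r=8, p=1, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex(), "n": str(n)}


def verify(password: str, record: Dict[str, str], pepper: bytes = PEPPER) -> bool:
    """Login check: recompute with the stored salt and the server-side pepper and
    compare in constant time so response timing leaks nothing about the hash."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.scrypt(peppered, salt=salt, n=int(record["n"]), r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = unsalted_hash("B0$t0n617")
    print("unsalted, via lookup table :", crack_with_table(leaked, table))
    salt = os.urandom(16)
    leaked_salted = salted_hash("B0$t0n617", salt)
    print("salted, via lookup table   :", crack_with_table(leaked_salted, table))
    print("salted, via guessing       :", crack_salted_by_guessing(leaked_salted, salt, WORDLIST))
    rec = make_record("B0$t0n617")
    print("peppered scrypt, right pw  :", verify("B0$t0n617", rec))
    print("peppered scrypt, no pepper :", verify("B0$t0n617", rec, pepper=b"attacker-guess"))
```

The middle step is the one worth internalising: the salted hash cannot be looked up in the precomputed table, yet a short password still falls to `crack_salted_by_guessing` in microseconds, because salt only removes the attacker's precomputation. The scrypt record is what changes the economics, since each guess now costs a tunable amount of CPU and memory, and the pepper means an attacker holding only the database table cannot even start guessing.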
Now that I’ve properly confused you on all things password related, let’s try to decipher the takeaways; I apologize if they appear trite, but I think they are still valid and important. First and foremost, the easiest way to protect yourself from a breach of a hashed password database is to make sure your password is at least 14 characters long. This negates the use of most rainbow tables, which have only been generated for 1-10 characters, and it also protects you against criminals holding larger, publicly unknown tables, since every added character multiplies the search space.
Secondly, do your best not to reuse passwords. As we learned, your username/email and password combination can be sold for around $20, and from there criminals attempt to reuse those same credentials on other sites. This is easier said than done, but at a minimum, prioritize a unique password for your email address. Your primary email is your lifeline to the rest of your digital profile: a one-stop shop for password resets and the ability to reclaim any other account.
Third, enable multi-factor authentication on any website that allows it. If a criminal obtains your password and attempts to log in, they would not get far, as they would also need access to your phone, your cell phone number or your email address (which you have hopefully protected with a unique password).
Fourth, instead of using one of the top 200 passwords, a family member’s name, your pet’s name, or your street or city, use a longer passphrase that is easy to remember. As we learned from point one, the longer a password, the harder it is for a criminal to crack via rainbow tables or to guess by brute force, because each extra character multiplies the number of guesses required. As a result, ‘Ilovereadinginthepark’ is a better password than ‘B0$t0n617’ because of its length; you can test it yourself here. One caveat: crackers also try combinations of dictionary words, so a passphrase built from several unrelated words holds up better than a single common sentence.
Finally, for the tip that is making its way around everywhere, use a password manager; my personal favorite is Bitwarden. It sits in your desktop browser and on your phone, syncs across all devices, generates unique passwords and tracks them across all sites, so in the case of a breach you only need to change that one password, with no fear of a password reuse attack. I understand the fear of placing all your passwords in one database: ‘wouldn’t that just make the password manager a target for all criminals?’ It would, but the cryptography around the password management process is among the most robust in the industry. Your master password is salted and key-stretched through 100,001 hash iterations locally, on your own device. That outgoing hash is sent to Bitwarden for authentication, where it is salted again and hashed another 100,000 times before the comparison is made; the key that actually decrypts your vault never leaves your device. The security behind the platform is so over-the-top that an attacker’s only realistic option is to guess your master password outright, since rainbow tables are rendered useless. You just need to set a secure master password (16-20 characters or more); something as simple as ‘noonewilleverguessthispassword’ is easy to type and remember and infeasible to brute-force (by one estimate it would take 2 septillion years to crack).
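A simplified model of the two-stage scheme described above, showing both sides of the exchange: the client stretches the master password locally and sends only a derived authentication hash; the server stretches that hash again with its own salt before storing or comparing it. This is an added example written for this article, not Bitwarden's code; the iteration counts follow the text, while the choice of PBKDF2-SHA256, the use of the lowercased email as the client-side salt and the `AuthServer` / `demo_exchange` names are modelling assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Iteration counts as described in the text (the client does 100,000 + 1).
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_derive(email: str, master_password: str) -> Tuple[bytes, bytes]:
    """Runs on the user's device. Returns (master_key, auth_hash).

    master_key : PBKDF2-SHA256(master password, salt = lowercased email, 100,000 rounds).
                 This is the secret that protects the vault; it never leaves the device.
    auth_hash  : one more PBKDF2 round over the master key, salted with the password.
                 This is the only value sent to the server. Using the email as the
                 client-side salt is a modelling assumption of this example.
    """
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                     email.strip().lower().encode("utf-8"),
                                     CLIENT_ITERATIONS, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key,
                                    master_password.encode("utf-8"), 1, dklen=32)
    return master_key, auth_hash


class AuthServer:
    """The service side (hypothetical). It stores only a re-stretched version of the
    client's auth hash under its own random per-account salt, so a dump of this
    table yields neither the master password nor the vault key."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _stretch(auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, self._stretch(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        if email not in self._users:
            # Stretch anyway so an unknown account costs the same time as a wrong password.
            self._stretch(auth_hash, b"\x00" * 16)
            return False
        salt, stored = self._users[email]
        return hmac.compare_digest(stored, self._stretch(auth_hash, salt))

    def stored_material(self, email: str) -> Tuple[bytes, bytes]:
        """What an attacker would obtain from a server-side breach: (salt, stretched hash)."""
        return self._users[email]


def demo_exchange(email: str, master_password: str, attempt: str) -> Dict[str, bool]:
    """Full round trip: register, then log in with the real password and with `attempt`,
    and check what the server's stored material does and does not contain."""
    server = AuthServer()
    master_key, auth_hash = client_derive(email, master_password)
    server.register(email, auth_hash)
    _, attempt_hash = client_derive(email, attempt)
    salt, stored = server.stored_material(email)
    return {
        "genuine_login_ok": server.login(email, auth_hash),
        "attempt_login_ok": server.login(email, attempt_hash),
        "server_holds_master_key": master_key in (salt, stored),
        "server_holds_auth_hash": auth_hash in (salt, stored),
    }


if __name__ == "__main__":
    print(demo_exchange("alice@example.com", "noonewilleverguessthispassword",
                        "noonewilleverguessthispassw0rd"))
```

Two properties carry the argument in the paragraph: the vault key and the authentication hash are different values derived from the same master password, and the server sees only the second, already stretched, so a breach of the server table gives an attacker a doubly stretched hash to guess against rather than anything it can look up.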
Password management is a big problem for companies too: 81% of hacking-related breaches involve compromised passwords, and 73% of people reuse their personal passwords at work. To reduce the number of passwords, companies leverage Lightweight Directory Access Protocol (LDAP) directories and Single Sign-On (SSO) to relieve employees of the burden of remembering multiple passwords. Instead, employees authenticate once with a single password (ideally together with MFA) and are seamlessly signed in to the other applications they use daily.
It’s no secret that passwords aren’t exciting; the sad reality is that the most cumbersome IT hygiene activities are also the most important (backing up your systems and data, maintaining good password practices, applying the latest security patches, and so on). We’ll never be perfect in our pursuit of security, but with a small amount of effort we can make leaps and bounds of progress.