Is my password safe?
The title highlights a question that we have all asked ourselves at one point in time. It is a relatively old but still relevant question, especially after recent scandals like that of Ashley Madison. Questions like “Is my password long enough?” and “Isn’t my password too easy to guess?” and remarks like “Damn, I forgot my password again” probably also sound familiar. Lengthy passwords often seem like a safe option, as shown by Intel in the attached .gif.
Intel, however, only accounts for a brute-force attack on your password. A brute-force attack involves computers trying every possible combination of letters and symbols until they get your password right. In their infographic, Intel doesn’t account for the fact that passwords are rarely cracked by brute force. According to Dr. Angela Sasse, UCL’s head of information security research, passwords are usually obtained by phishing and malware, which renders both the length and the complexity of your password irrelevant.
There is, however, more to password security than just the user side; oftentimes the server side is forgotten. Say a user manages to create an “uncrackable” password that includes a combination of capital letters, lowercase letters, numbers and special characters. This password is then stored on the servers of the website or service involved. There are to this day websites that store your password in plain text. If the servers of the above-mentioned website or service were to be hacked, your password could be exposed to the internet and thus essentially the entire literate part of the world. No need to panic yet: your password is usually encrypted before it is stored in a database. Problem solved, right? Not exactly. In the recent Ashley Madison hack, gigabytes of data, including passwords, were stolen. The passwords were well encrypted and it was estimated that decrypting them would take approximately 11 years (BBC.com, 2015). Nevertheless, earlier this month an amateur password cracking group called Cynosure Prime found a flaw in the way that Ashley Madison encrypted the passwords before storing them. This enabled Cynosure Prime to crack roughly 11.2 million of the 15 million susceptible passwords in just 11 days.
By now you might be wondering “Well, so how DO I keep my password safe?”. One way to go is password managing software that stores all of your passwords in a safe place. Again, there is one drawback to this service: your password vault is itself usually password protected. There are some innovative password managers (like passwordchef) on the rise, but currently they are not your best bet. A better alternative is to use biometrics for login. Thanks to Apple, millions of people are already familiar with the convenience of fingerprint login. However, biometrics have a rather significant drawback, namely that you cannot change them. Since you cannot swap your fingerprint if someone manages to get hold of it, this method of logging in should at least be complemented by a password, which in turn diminishes the convenience. A more secure alternative is so-called two-factor authentication. This involves entering both a user-chosen password and a code, usually received by SMS, that is usable only once and for a limited amount of time.
As for the server side of the story, websites can improve the security of your password as follows: they should prefer HTTPS over HTTP, they should ensure that passwords are encrypted and, more importantly, they should ensure that the encryption method used is secure as well.
All things considered, the fact remains that the safety of your password is only partly in your own hands. You can, however, take measures to make sure that your side is as safe as possible: never write your password down, never tell your password to anyone, etcetera. For more (obvious) information on passwords I suggest you read this report.
Knowing a bit more about the client and server side now, what useful experiences can you share with the rest of the world?
Sources & useful links: