Is my password safe?


The title highlights a question that we have all asked ourselves at one point in time. It is a relatively old but still relevant question, especially after recent scandals like that of Ashley Madison. Questions like “Is my password long enough?” and “Isn’t my password too easy to guess?”, and remarks like “Damn, I forgot my password again”, probably also sound familiar. Lengthy passwords often seem like a safe option, as Intel shows in the attached .gif on password strength.

Intel, however, assumes a brute force attack on your password. In a brute force attack a computer tries every possible combination of letters and symbols until it hits your password. What Intel’s infographic doesn’t account for is that passwords are rarely cracked by brute force. According to Dr. Angela Sasse, UCL’s head of information security research, passwords are usually obtained by phishing and malware, which makes both the length and the complexity of your password irrelevant.

There is, however, more to password security than the user side; the server side is often forgotten. Say a user manages to create an “uncrackable” password with a combination of capital letters, lowercase letters, numbers and special characters. This password is then stored on the servers of the website or service involved. To this day there are websites that store your password in plain text. If the servers of such a website or service were hacked, your password could be exposed to the internet, and thus essentially to the entire literate part of the world. No need for fear yet: your password is usually not stored as-is but as a hash, a one-way transformation of the password (often loosely called encryption), and it is that hash that ends up in the database. Problem solved, right? Not exactly. In the recent Ashley Madison hack, gigabytes of data, including passwords, were stolen. The passwords were well protected and it was estimated that cracking them would take approximately 11 years (BBC.com, 2015). Nevertheless, earlier this month an amateur password cracking group called Cynosure Prime found a flaw in the way Ashley Madison hashed the passwords before storing them. This enabled Cynosure Prime to crack roughly 11.2 of the 15 million susceptible passwords in just 11 days.
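To make the server-side point concrete, here is an added example (not code from the original post or from any of the services mentioned) contrasting a legacy fast, unsalted hash with a slow, salted key derivation; the iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Legacy-style storage: one fast, unsalted hash of the password.
# Two users with the same password get the same stored value, so a single
# precomputed table of common passwords matches all of them at once.
def store_unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Recommended storage: slow key derivation (PBKDF2-HMAC-SHA256) with a
# random per-user salt. The iteration count is an assumption for this example.
ITERATIONS = 200_000

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Record algorithm and parameters so they can be upgraded later without a reset.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_same_record(store: Callable[[str], str], password: str) -> bool:
    """True if two accounts using an identical password get identical stored records."""
    return store(password) == store(password)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted md5 repeats across users:", same_password_same_record(store_unsalted_md5, pw))
    print("salted pbkdf2 repeats across users:", same_password_same_record(store_pbkdf2, pw))
    record = store_pbkdf2(pw)
    print("correct password verifies:", verify_pbkdf2(pw, record))
    print("wrong password verifies:", verify_pbkdf2("wrong", record))
```

The unsalted scheme yields identical records for identical passwords, which is exactly what lets one leaked table expose many accounts; the salted, iterated scheme does not, and each guess costs the full PBKDF2 work.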

By now you might be wondering: “Well, so how DO I keep my password safe?” One way to go is password management software that stores all of your passwords in one safe place. Again there is a drawback to this service: the password vault itself is usually protected by yet another password. There are some innovative password managers (like passwordchef) on the rise, but currently this is not your best bet. A better alternative is to use biometrics for login. Thanks to Apple, millions of people are already familiar with the convenience of fingerprint login. However, biometrics have a rather significant drawback: you cannot change them. Since you cannot swap your fingerprint if someone manages to get hold of it, this method of logging in should at least be complemented by a password, which in turn diminishes the convenience. A more secure alternative is so-called two-factor authentication. This involves entering a user-chosen password as well as a code, usually received by SMS, that is usable only once and for a limited amount of time.

As for the server side of the story, websites can improve the security of your password as follows: they should prefer HTTPS over HTTP so that your password is not sent in the clear, they should ensure that stored passwords are hashed rather than kept in plain text, and, more importantly, they should ensure that the hashing method used is secure as well.

All things considered, the fact remains that the safety of your password is only partly in your own hands. You can, however, take measures to make sure that your side is as safe as possible: never write your password down, never tell your password to anyone, etcetera. For more (obvious) information on passwords I suggest you read this report.

Knowing a bit more about the client and server side now, what useful experiences can you share with the rest of the world?

Sources & useful links:


4 responses to “Is my password safe?”

  1. svensabel says :

    The safety of passwords is certainly a very interesting topic that I believe will stay relevant for many years. What I find most interesting is the increasing use of smartphones, but the lack of password protection on these devices.

    Most smartphones are only protected by simple 4-digit codes. After cracking this code, intruders have access to very personal information through apps, like your e-mail, pictures and contacts. A video on YouTube* shows cracking a 4-digit iPhone code with the use of brute-forcing software in only 6 seconds to 17 hours! (Intego, 2015)

    Like you mentioned, a good alternative nowadays is the use of fingerprint (which also has the huge drawback of being unable to change). Anyways, most smartphones will not even have this option in the near future.

    The funny thing is that in 2014, 34% of the Americans didn’t even set a screen lock password and another 36% used a 4-digit code. This resulted in many hacked accounts when smartphones got stolen. (CNBC, 2014)

    The best solution for protecting a smartphone device nowadays is definitely not the 4-digit code. Different screen lock methods like patterns or passwords are probably among the best ways to work with at the moment. (Android Central, 2014)

    *https://www.youtube.com/watch?v=meEyYFlSahk

    http://www.intego.com/mac-security-blog/iphone-pin-pass-code/
    http://www.cnbc.com/2014/04/26/most-americans-dont-secure-their-smartphones.html
    http://www.androidcentral.com/10-best-ways-secure-your-smartphone

  2. 375587af says :

    I believe that this discussion goes much further than just personal passwords. Security measures are becoming increasingly important for all companies now, especially since hacking is on the rise.

    As stated above, just having a long and complex password is not really protecting you from the worst, since it is very rare that a hacker will target you specifically and attempt to brute force your password. Most of the time crucial information is stolen when servers are hacked. The recent Ashley Madison scandal is the perfect example of this (along with other recent ones such as the Sony Pictures Entertainment hack of 2014). In addition, with quantum computers peeking over the horizon, even brute forcing passwords might become incredibly easy in the future.

    Security should focus a lot more on the server side. Some methods to protect a server are:

    – SSH authentication, which stores a public key on the server but allows access only if the user has the private key that links to the public one
    – Firewalls which block connections that want access to any private ports (such as ports that connect to the internal database)
    – Isolated execution environments. This means that companies will store information on separate servers depending on how sensitive the information is. This allows the company to easily zero in on any security issues that might arise.

    Security analyst and chief information security officer at Bit4Id Pierluigi Paganini predicts that cyber attacks against companies are likely to increase in 2015. In addition, one of his predictions is that products taking advantage of the Internet of Things are increasingly likely to get hacked as they often contain private information (for example, many such items have Facebook login capabilities). This is extremely important to companies as a serious hack leads to a decrease in trust, which leads to stock value falling (as can be seen in the Sony hack of 2014, when their stock dipped 10%).

  4. gabriellapimpao says :

    Although two-level authentication is (one of) the safest ways to authenticate users, when creating an application or any kind of platform there is also another part to keep in mind from the developer’s perspective, and this is user friendliness. By this I by no means want to say that user friendliness should come before security, not at all, but if a platform that I just want to check out makes me go through the hassle of two-level authentication or demands that I create a hyper-complicated password (and then asks me to change it every 30 days on top of all that), there is a good chance that I won’t sign up and the platform’s conversion rate will be quite bad.
    So apart from users creating better passwords (the most used passwords apparently are still: 12345, password and qwerty), I agree that companies should also take security more seriously.
    In a recent post TechCrunch calls for the “killing” of the password because as they write it is outdated: “We are no longer signing onto a single mainframe. We have multiple applications in use across various platforms. That means we are forced to remember far too many passwords. This causes people to use silly ones like 1234 or the same password across multiple sites, not even attempting to be secure.” The article argues that this burden should be taken off the user.
    If you are interested in the topic read the rest of the article here: http://techcrunch.com/2015/09/07/kill-the-password/
