Password security through obscurity
Lot of buzz has been around computer security lately. Steam just announced that their forums had been hacked and now in Finland, AnonFinland has released snippets of email addresses, social security numbers and passwords they claim to be legit. The story might go on if they happen to release combination of these lists. I just happened myself to start a better password policy couple of months ago, so I decided to write little about how different services store passwords and how you can get little more security by using simple and free tools. Skip the technical part, if it is not your thing.
About passwords and encryption (technical part)
Traditional way of storing password was plain-text, so anybody who got unauthorized access to the database had all the passwords in their plain sight. Basically it would need zero effort for the attacker to utilize the passwords. This is considered a very bad practise now days as all systems should store all sensitive information in encrypted form.
The next best thing are hashed or one-way-encrypted passwords. Hash is a string of characters, that is formed from your original password through an encryption algorithm. Only this hashed string is used, so the original clear text password is never saved to the database. After you input the password, hash is calculated on the fly and a match is made to the database. If the hashes match, you are granted access. This encryption works in a way that the encrypted password cannot be reversed back to the original password. For example, the MD5 hash of the password “password123” is “482c811da5d5b4bc6d497ffa98491e38”. MD5 is name of one encryption method, SHA being one another.
This method is not secure because now days we have a lot of computational power in our reach. WIth a typical home PC, one can try millions of different passwords per second. So let’s assume you got the database though a security hole, you could try all different passwords, calculate a hash and check them against the database until you find a match. This is called brute-forcing, since it is not a very advanced method. To make brute-forcing even easier, people have created ready-made list of hashes for a large set of different passwords. These are called the “rainbow tables“.
Also the encryption methods themselves have flaws in them. For example MD5 has been proved to have a flaw called “hash collision“, where two different strings would produce an identical hash. This means, if the users password was a certain string, you could as well use the one that creates an identical hash.
One method to get around these flaws is for services to add extra string to your password, one that only the authenticator knows. This is called a “salt”. For example you might add a salt “z9G=p/\jum_Z;mg-y9cPqhfN-” to the user input. So the hash would be created then from the string “password+salt”. If this salt is kept secret and secure, it nullifies most of the brute-force and rainbow table methods mentioned before.
- Use different password in different services
- Choose a complex password (long password with special characters or password phrases that are easy to memorize)
- Use two-factor authentication when possible
- Change your passwords periodically
I cannot emphasize the first point enough. My Steam account might now have been compromised and they have my credit card information. But because I use different password in different services, at least the crackers cannot get access to any other services with the same password. So my damages are limited.
I can hear a lot people saying that it is just not possible to remember complex password. That is the main reason to reuse the same passwords over different services. One option would be to create easy to remember pass phrases instead of short passwords, which are more secure just with their length. I preferred to store all my passwords in a centralized password management software. It stores all my passwords in an encrypted form and it is unlocked by one “master password”. This master password has to be really secure, so I use a password phrase with combination of special characters. Please note that of course if someone cracked the master password, it would mean access to all the login information I have stored there. You can add two-factor authentication also here, meaning that you could create a separate key file stored only in your memory stick. It would mean that the cracker would need physical access to this file with your username and password. I use KeepassX, but there are lot of different options.
Services that are potential targets for people after personal information, like Facebook and Google (Gmail) offer two-tier authentication. It means that addition to the username and password there is an additional method to prove your identity. This is usually a one time or generated password list (Google) or a text-message authentication (Facebook). This means that if somebody had my Facebook password, they would still need to get access to my mobile phone somehow. Makes the difficulty factor to get access to my account exponentially. I really suggest you to enable the two-factor authentication in Google and Facebook, because it is really is not a nuisance. In both services, you only have to do it when they detect that you are logging in from a new or otherwise unknown computer. You can find the instructions from the Related articles below.
These steps will not make you 100% safe, but I am pretty sure you at least made somebody’s cracking attempts a ten fold harder.
- What is Login Approvals? (facebook.com)
- Getting started with 2-step verification (google.com)
- How to create and remember strong passwords (f-secure.com)