Password protected

An average internet user has 25 accounts online, but uses less than 7 passwords to protect them, according to Microsoft research(pdf).

And at least one of those accounts has probably suffered a security breach at some point. According to Matt Weir, whose PhD involved researching the availability of stolen login details:

You can look online and you can generally find passwords for just about everyone at some point. I’ve found my own username and passwords on several different sites. If you think every single website you have an account on is secure and has never been hacked, you’re a much more optimistic person than I am.

Sites generally don’t store your password itself, but its hash. A hash is the output after a [known] procedure has been performed on your password. If your password is 4, and the procedure is ‘add 2’, then the hash stored with your login name is 6. When you login what is being compared is not whether your password is 4, but whether the thing you typed in the password field, with 2 added, is 6.

So if a site is hacked then normally it is the 6 that has been discovered. It might seem trivial to deduce the password (simply subtract 2) but in practice the procedure performed involves many steps and is actually very difficult to do backwards (e.g., ‘subtract as many 3s as possible and use the remainder in the next step. Putting a 7 in would give 1 out – but so would 4, 10, 13, 83467, etc… If you’re doing the steps in reverse and have a 1, where do you go next?).

Hackers therefore don’t work backwards (through the e.g., 80 steps of SHA-1), but instead try running lots of potential passwords through the procedure and seeing if what comes out is the hash. And they can do this quickly. LinkedIn.com had 6.5m password hashes stolen and posted online earlier this year:

It took independent security researcher Jeremi Gosney 6 days to convert 90% of the hashes exposed in the LinkedIn breach. He cracked a fifth of the 6.5m passwords in the first 30 seconds.

You need to avoid using anyone else’s password that’s ever been hacked – the remaining 10% of difficult hashes would be ones that have not been used before, and which are too long and unusual to mount dictionary or brute force attacks against. Dictionary attacks (where the hacker tries every word in the dictionary to see if one produces the same hash as your password) have been greatly aided by the publication of hundreds of millions of stolen and solved passwords from scores of sites over the years.

‘pa55word’ isn’t in the Oxford English dictionary but you can bet it’s in the 500m-word corpus the hacker’s trying at 15.5 billion guesses per second against the 6.5m hashes he just got because someone somewhere has had that password-hash pair stolen in the last 20 years.

Using the same password on more than one site, combined with having e-mail addresses as user names, means that once hackers have stolen login credentials from one company, they often have the means to compromise other accounts – so ideally you need to use a different password for every site.

How do you make yourself unique, difficult passwords to crack?

Memorise a minimum 15-character sequence, either several words joined together or using a mnemonic, which should be particular to you and have a fair chance of never having been used before (don’t do this with popular song titles – people have being doing that and having them compromised for a while). One such sequence might be:

nawtfpTwOtmI:1969

which comes from ‘Neil Armstrong was the first person to walk on the moon in: 1969’ and in which I’ve capitalised the prepositions, and used a symbol and numbers too. What a good boy.

Then insert an extra letter into e.g., the 10th position depending on the website the password is for. So for Facebook you use:

nawtfpTwOFtmI:1969

Whereas for Hotmail it is:

nawtfpTwOHtmI:1969

That said, we already know how/why we should protect ourselves online, we just never get round to it due to hyperbolic discounting; Most people will never be hacked in a damaging way, but there’s a real cost now in setting up stronger passwords which will only pay dividends in some far-off hypothetical future. If you only make one password unique and stronger, make it the one for your email account (like the one for this guy where all his password resets and reminders for all his other accounts got sent to).
XKCD argues for the several words joined together route: