Long live Passwords
Bill Gates predicted the death of passwords in 2004 because they could not meet the challenge of keeping critical information secure. Sixteen years later the opposite has happened: the total number of passwords in use was expected to balloon to 300 billion in 2020. Chances are you are using a few password-based accounts today.
Passwords have been with us since the dawn of computing. They are easy to use, straightforward to deploy, and the most common form of user authentication on the web today.
Passwords are woven into daily life: I enter my Netflix username and password to watch my favourite shows, a 6-digit passcode to unlock my phone, and my card passcode on a restaurant's POS terminal to buy a pizza.
Has your password been compromised?
While passwords are widely used, they are also regularly leaked. In 2019, a total of 7,098 reported breaches exposed 15.1 billion records. My email password was among those breached, and yours probably was too. But don't worry: you can use this website to check whether your password has appeared in a known data breach.
How do passwords work?
Whenever a user, say Sara, opens a new account, her new password is stored in a file or database on the server. The next time Sara logs in with her credentials, the password she types is compared with the stored one. If they match, Sara is let in (e.g. to the Amazon website to buy products); if not, she is denied access.
Options to store your password
There are various ways a website can store your password. The most straightforward and least secure approach is to store it in clear text: on a data breach, every user's password is leaked directly. An alternative is to store encrypted passwords. But encryption is a two-way function, and anyone with the key can decrypt. Since the server must hold the key in order to use it, a breach of the server is likely to expose the key along with the ciphertext, and the attacker can decrypt and steal the user passwords anyway.
So a better option for a website is to store hashed passwords. A cryptographic hash function maps data (such as a passcode) of arbitrary length to a fixed-length output called the hash. It is a one-way function: it is computationally infeasible to recover the password from its hash. The server keeps only the hash and, at login, hashes whatever the user typed and compares the two values.
Still, hashed passwords are prone to breach and theft. Hackers stole the password hashes of ~167 million users in the 2012 LinkedIn breach and were selling them for 5 Bitcoin (~2,000 USD) in 2016. LinkedIn had stored the passwords as unsalted SHA-1 hashes.
The hackers cracked the LinkedIn hashes with a dictionary / rainbow-table attack. Because the same password always produces the same hash, an attacker can run a list of popular passwords through the known hash function once, build a lookup table from hash back to password, and then crack every leaked hash that appears in the table with a single lookup, no matter how many accounts share it.
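The table-building shortcut described above, as an added Python example that is not part of the original post. It stores passwords as unsalted SHA-1 hashes (as the text says LinkedIn did), precomputes a hash-to-password table from a small constructed wordlist, and then cracks a constructed "leaked" dump with one lookup per hash. The wordlist, user names and hashes are all made up here, not taken from any real breach.

```python
import hashlib

# Constructed "popular passwords" list; a real attacker uses millions of entries.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein", "iloveyou", "linkedin"]


def unsalted_sha1(password: str) -> str:
    """How the text says LinkedIn stored passwords in 2012: SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_table(wordlist):
    """Attacker precomputes hash -> password ONCE. With unsalted hashing the table is
    valid for every user of every site that uses the same hash function."""
    return {unsalted_sha1(word): word for word in wordlist}


def crack_dump(dump, wordlist=WORDLIST):
    """Crack a breach dump of {user: hash}. Each hash costs one dictionary lookup;
    nothing is hashed per victim. Returns {user: password or None}."""
    table = build_table(wordlist)
    return {user: table.get(h) for user, h in dump.items()}


# Constructed breach dump (hashes computed right here, not from any real leak).
LEAKED = {
    "sara": unsalted_sha1("sunshine"),
    "bob": unsalted_sha1("123456"),
    "eve": unsalted_sha1("sunshine"),  # same password as sara -> identical hash, cracked for free
    "alice": unsalted_sha1("correct horse battery staple"),  # not in the wordlist -> survives
}

if __name__ == "__main__":
    for user, password in crack_dump(LEAKED).items():
        print(f"{user:6s} {LEAKED[user][:12]}...  -> {password or '(not in wordlist)'}")
```

Note that sara and eve have byte-for-byte identical hashes: that is the leak of information a salt is designed to remove.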
Salting Hash
To reduce the risk of dictionary / rainbow-table attacks, we salt the password. A salt is a fixed-length random value, generated separately for each user, that is combined with the password before hashing and stored alongside the resulting hash (it does not need to be secret). Because every user's salt is different, the same password hashes to different values for different users, and a table precomputed in advance matches none of them.
The decreasing cost of hardware has made cracking feasible even with a salt. But the salt takes away the attacker's shortcuts: there is no precomputed table to reuse and no way to attack many accounts at once, so each hash has to be brute-forced separately, one guess at a time. To make each of those guesses expensive as well, the hash itself should be deliberately slow (a purpose-built password hash such as PBKDF2, bcrypt, scrypt or Argon2 rather than a fast function like SHA-1).
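The salting and verification flow from the two paragraphs above (and the sign-up/login flow from "How do passwords work?"), as an added Python example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 with a per-user random salt rather than plain salted SHA-1 so the slow-hash point is visible too; the record format, the iteration count and the wordlist are assumptions made for this example. The attacker side counts how many hashes it has to compute, so the contrast with a one-time precomputed table is measurable.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist (the "list of popular passwords" from the text).
WORDLIST = ["123456", "password", "sunshine", "qwerty", "letmein"]

# PBKDF2 work factor. Assumed value for this example; production should use a far larger
# count (or bcrypt/scrypt/Argon2) and raise it as hardware gets cheaper.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Sign-up: draw a fresh random salt for this user and store salt + slow salted hash.
    Record format 'pbkdf2_sha256$iterations$salt_hex$hash_hex' is an assumption of this example."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Login: recompute with the STORED salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack_record(record: str, wordlist=WORDLIST):
    """Attacker side. The salt is stored in the clear, so it is known, but it differs for
    every record: no table can be built in advance and cracking one user's hash says
    nothing about the next. Each record costs a full pass over the wordlist at the
    defender's iteration count. Returns (password or None, hashes computed)."""
    _, iterations, salt_hex, hash_hex = record.split("$")
    salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    for guesses, guess in enumerate(wordlist, start=1):
        candidate = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, iterations)
        if hmac.compare_digest(candidate.hex(), hash_hex):
            return guess, guesses
    return None, len(wordlist)


def crack_dump(dump, wordlist=WORDLIST):
    """Crack {user: record}. Total work is the SUM of per-record passes, versus a single
    table build in the unsalted case. Returns ({user: password or None}, total hashes)."""
    cracked, total = {}, 0
    for user, record in dump.items():
        password, work = crack_record(record, wordlist)
        cracked[user] = password
        total += work
    return cracked, total


if __name__ == "__main__":
    # Constructed accounts; sara and eve deliberately share a password.
    users = {"sara": "sunshine", "eve": "sunshine", "alice": "correct horse battery staple"}
    dump = {user: make_record(pw) for user, pw in users.items()}
    print("same password, different records:", dump["sara"] != dump["eve"])
    print("login sara/sunshine:", verify("sunshine", dump["sara"]))
    print("login sara/Sunshine:", verify("Sunshine", dump["sara"]))
    cracked, work = crack_dump(dump)
    print("cracked:", cracked, "| hashes computed:", work)
```

Two things to check in any real implementation of this pattern: the salt must come from the operating system's CSPRNG (os.urandom here), never from a user-derived or reused value, and the comparison at login must be constant-time (hmac.compare_digest) so that a timing difference does not leak how much of the hash matched.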
Is your password strong enough?
If your account was breached, change your password immediately, and make sure the new one is strong. You can take the password strength test here.