[informational] Password Security.

For tech wizards and n00bs alike. Questions, answers, or just general hoo-haa.

RobbieThe1st
Templar GrandMaster
Posts: 706
Joined: Fri Dec 08, 2006 7:06 am
Location: Behind my computer.
Contact:

[informational] Password Security.

#1 Post by RobbieThe1st »

With the recent hacks of Gawker Media and the subsequent release of just about everything, including all usernames, emails and passwords, it has come to light just how -many- users use a poor password.
As shown in the third link, over three thousand users had "123456" as their password!
Theoretically, all these passwords were "encrypted", but a simple password is easy to crack, no matter -what- you do to it.

Now, let me quickly explain how websites store your password.
Most sites, including this one, use a method known as "hashing".
A hashing function is a bit of code that takes a string of characters of -any- length, does some fancy math to it, and puts out a relatively short (in the case of MD5, 32 hexadecimal characters) string. This string is -always- the same length, and the same input will -always- give the same output. Now, the important part of this is that there is -no way- to "reverse" the process and get the original string or password back out.

What this does is give us a way to authenticate someone -without- storing the password.
Let's say your password is "thisismypass". When you register for an account with that password, the hash of that is stored in the site's database (in this case, the md5 hash is "79b202fb0e7236fdc804af5c22c2de59").

When you attempt to login with your password, the site takes that input, uses the same hashing method on it, and then compares the resulting value with what's stored in the database.
Here are a couple of examples:
1. You type "thisisMYpass": The md5 hash of this is "adca84828518cd2ff2a5f58591eb46ff". Is it the same? NO. You've typed a wrong password.
2. You type "thisismypass": The md5 hash is "79b202fb0e7236fdc804af5c22c2de59", which is the same as that above, and you are accepted.


Now, we've shown that we aren't keeping the password in the database. But, anyone with access to the database can get the hashes - I, for example, can get -anyone's- pass hash in a matter of seconds.
But what can I do with that hash?
If it's simple enough, I can simply run it through a cracking tool which simply -brute-forces- the password - it just generates sequential password after password, feeds it into the chosen hash function, and compares the result to the password hash we've gotten from the database.
The problem is a matter of scale: Let's say I have a 5-character numeric password. That's a maximum possible 10^5, or 100,000 combinations. My current dual-core 2.6GHz Athlon backup PC can test 5,546,000 keys per second. That password wouldn't even last one second!
Let's say we've got a 5-letter password with uppercase, lowercase -and- numbers. That means we have 62 possible values per character (26 for each of upper and lower, 10 for numbers), so the password could be 62^5 possible combinations. That's 916,132,832 combinations, or 165 seconds (<3 minutes) to crack (maximum).

Now, let's talk about a strong password. Let's say we have something that's ten characters long, and we've got Upper, Lower, Numbers, and symbols (!@#$%^&*(),.:;'"-_[]{}+=). That's 86^10, or 22,130,157,888,803,070,000 combinations. It could take 3,990,291,721,746 seconds to crack, or 126.5 thousand years!
As you can see, the difference between a weak password and a strong password is -significant-; while a weak one could easily take less than a day, a strong one would take too long to worry about.


That's the theory, at least. In practice, it may take less time, and also if there are -problems- with the hash (like md5 has), it can take a significantly shorter time, even for a long password.

The best thing to do is to:
1. Use a unique password for each site.
You may want to keep some of the less important sites in your browser's password cache for ease of use, but remember that that isn't all that secure.
2. Use a password-management application. I recommend KeePassX, as it's available for all systems - including the N900. You will need a -very- secure password for that, and that is what you need to memorize.
3. Keep your computer secure; all the precautions in the world won't matter if your password can be read as you type it.
If you don't have a bunch of security software already (or are running Linux), I'm not sure I can help you.


Comments, CC guys? Anything else I should add?
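The hash-and-compare login flow and the keyspace arithmetic from the post above, as an added example (not code from the original post). It uses MD5 only because that is the hash the post discusses; the password, the usernames and the 5,546,000 hashes/second rate are taken from or constructed to match the post, and `worst_case_years` assumes a 365-day year.

```python
import hashlib
import hmac

# Rate the post quotes for its dual-core Athlon backup PC (hashes per second).
POST_RATE_PER_SECOND = 5_546_000


def md5_hex(password: str) -> str:
    """Hash a password the way the post describes: any-length input,
    always a 32-hex-character digest, same input -> same output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Store only the hash of the password, never the password itself."""
    db[username] = md5_hex(password)


def login(db: dict, username: str, attempt: str) -> bool:
    """Recompute the hash of the typed password and compare it with the
    stored one. compare_digest avoids leaking where the strings differ
    through timing; it is the only change from the post's description."""
    stored = db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(attempt))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords a brute-force search must cover."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = POST_RATE_PER_SECOND) -> float:
    """Time to try every candidate at the given rate (the post's 'maximum')."""
    return keyspace(alphabet_size, length) / rate


def worst_case_years(alphabet_size: int, length: int,
                     rate: int = POST_RATE_PER_SECOND) -> float:
    # Assumption: 365-day years, which reproduces the post's "126.5 thousand years".
    return worst_case_seconds(alphabet_size, length, rate) / (365 * 24 * 3600)


if __name__ == "__main__":
    db = {}
    register(db, "robbie", "thisismypass")          # password from the post
    print("stored hash:", db["robbie"])
    print("thisisMYpass accepted?", login(db, "robbie", "thisisMYpass"))
    print("thisismypass accepted?", login(db, "robbie", "thisismypass"))
    for name, alpha, length in [("5 digits", 10, 5),
                                ("5 alphanumerics", 62, 5),
                                ("10 chars incl. symbols", 86, 10)]:
        print(f"{name}: {keyspace(alpha, length):,} combinations, "
              f"{worst_case_seconds(alpha, length):,.1f} s, "
              f"{worst_case_years(alpha, length):,.1f} years")
```

The three rows printed at the end are the post's three scenarios; the numbers come out as stated there because the rate is the same constant.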

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: [informational] Password Security.

#2 Post by aj »

Only thing I can think of is, as far as possible, use a unique email address when registering on sites.

That way automated cracking probably won't work on your email account (unless the attacker processes the list, though bonus points if you have your own domain) - Logging into gmail with username+twokinds will throw an error no matter what password you use, from what I understand.

And as a bonus, if you use Gmail and set up filters just right, you can see who's spamming you and who isn't.
===
I like the concept of password management applications, but I'm afraid of it crashing and taking everything with it. Unfounded, since I back up and haven't had a data-loss crash in over 5 years (touch wood), but it's something I don't really like. Especially if I'm often using other PCs, I don't want to sit down and have to download stuff to get started. Convenience over security, but for low value stuff I don't mind. High value stuff like banking I use unique passwords for because a) there's not that many to remember, and b) Hello? *Money*? Particularly, *my* money.
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟

NightSky
New Citizen
Posts: 32
Joined: Sat Dec 18, 2010 4:56 pm
Location: Netherlands, Europe

Re: [informational] Password Security.

#3 Post by NightSky »

Thanks for the good advice, because I know how to crack those codes, and I know how to defend myself against it: a large pass with 10+ numbers/lower\upper letters/symbols/alt-gr symbols is almost impossible to crack. Hopefully some of those poor passwords disappear, and fewer hackers will want to waste time doing it.
A computer does what you ask, not what you think you ask.
If anything can go wrong, it will.
The Grim Reader
Templar GrandMaster
Posts: 907
Joined: Tue Sep 28, 2010 1:19 am
Location: The Dark Unknown

Re: [informational] Password Security.

#4 Post by The Grim Reader »

Well great, now I am going to have to change my password to just about everything, since I use the same one for just about everything. It's not like I have anything important in there at all, mind you. Just now I don't feel safe anymore. Great. Thanks for the tips though.
Wynni wrote:Instead of using the internet to play a villain, I prefer to play a heroine ;)
"If life gives you lemons, throw the lemons back at life and tell life limes are better."

tyber13
Templar Master
Posts: 457
Joined: Sat Dec 18, 2010 4:06 am
Location: somewhere in your ceiling...

Re: [informational] Password Security.

#5 Post by tyber13 »

I'm not surprised at all >_>

I've stolen accounts from people without knowledge of hacking. I just have to guess the most common passwords.

"12345" Wrong password
"password" logging in...
Hi.

The Grim Reader
Templar GrandMaster
Posts: 907
Joined: Tue Sep 28, 2010 1:19 am
Location: The Dark Unknown

Re: [informational] Password Security.

#6 Post by The Grim Reader »

At least now I know I am set for here. Oh, and my password isn't that easy lol. So don't try anything.
Wynni wrote:Instead of using the internet to play a villain, I prefer to play a heroine ;)
"If life gives you lemons, throw the lemons back at life and tell life limes are better."

Kindamoody
Master
Posts: 206
Joined: Sat May 29, 2010 10:00 pm
Location: Lost, again.
Contact:

Re: [informational] Password Security.

#7 Post by Kindamoody »

RobbieThe1st, are you saying that only the password itself is fed to the hash function? I thought it was common practice to add some more data to the string before encrypting, e.g. some site-specific string, or the user name?
Sorry about my animated avatar, I couldn't resist.
An eye for an eye only ends up making the whole world blind. -Mahatma Gandhi
Twokinds Swedish translation: http://twokinds.se
Twokinds text erased pages: http://kindamoody.com/versions/

aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: [informational] Password Security.

#8 Post by aj »

Kindamoody wrote:RobbieThe1st, are you saying that only the password itself is fed to the hash function? I thought it was common practice to add some more data to the string before encrypting, e.g. some site-specific string, or the user name?
Mmm. This is known as salting, and effective in defeating rainbow table attacks, where hashes are pre-computed.

Unfortunately, salting isn't as common as you might think.
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟
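Salting as Kindamoody and aj describe it, as an added example that is not part of either post: the same password stored unsalted for two users yields identical hashes, so a single precomputed table entry matches both, while a per-user random salt prepended before hashing makes the two stored values differ and leaves a precomputed table with nothing to match. The usernames, the three-entry table and the use of SHA-256 for the salted form are constructed for the example; `verify_salted` is a hypothetical helper, not a real library API.

```python
import hashlib
import hmac
import secrets

# --- unsalted, as the first post describes it --------------------------------
def hash_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# --- salted: random per-user data is added to the string before hashing ------
def new_salt() -> bytes:
    # 16 random bytes from the OS CSPRNG; stored beside the hash, not secret.
    return secrets.token_bytes(16)

def hash_salted(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def register_salted(db: dict, username: str, password: str) -> None:
    salt = new_salt()
    db[username] = (salt.hex(), hash_salted(password, salt))

def verify_salted(db: dict, username: str, attempt: str) -> bool:
    """Hypothetical helper: re-derive the hash with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        return False
    salt_hex, stored = record
    return hmac.compare_digest(stored, hash_salted(attempt, bytes.fromhex(salt_hex)))

# --- a constructed precomputed table of the thread's example weak passwords --
COMMON_PASSWORDS = ["123456", "12345", "password"]
PRECOMPUTED = {hash_unsalted(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hash: str):
    """Return the password if the stored hash is in the precomputed table, else None."""
    return PRECOMPUTED.get(stored_hash)

def demo() -> dict:
    """Store '123456' for two constructed users both ways and report the outcome."""
    unsalted = {"alice": hash_unsalted("123456"), "bob": hash_unsalted("123456")}
    salted = {}
    register_salted(salted, "alice", "123456")
    register_salted(salted, "bob", "123456")
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_lookup": [table_lookup(h) for h in unsalted.values()],
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_lookup": [table_lookup(h) for _, h in salted.values()],
        "salted_login_ok": verify_salted(salted, "alice", "123456"),
        "salted_wrong_pw": verify_salted(salted, "alice", "12345"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the salt only defeats the precomputed (rainbow) table; a weak password like "123456" is still guessed almost instantly by a brute force that includes the salt per user, which is why the first post's advice about strong, unique passwords still applies and why current practice additionally uses a deliberately slow function such as PBKDF2 or bcrypt rather than a single SHA-256.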
