Passwords for the Average Jo(e)

Normally this image would be a dark, hooded figure with a stream of letters and numbers rising above their head. Hackers don’t look like that, nor work that way.

TL;DR — this is a quick read for people who aren’t technical with computers, to understand some basics about that login screen, how to identify some sites that don’t protect your password adequately, and *why* you need to do a few of the things to protect yourself that programmers are always telling you. If you *are* technical, please pass this along.

Here’s everything you need to know about encryption (for passwords, the particular kind used is called hashing, which is why the stored result is called a “hash” below):

  • Don’t ever make your own.
  • Properly hashed passwords are extremely difficult to “decrypt” (return to a normal string of letters) by an outside source.
  • Hashing takes whatever word or group of characters you give it and turns it into a weird set of characters of a consistent length. Say it again: “Of a consistent length”.

This means if my password is “cat” or my password is “supercalifragilisticexpialidocious”, they will both end up looking something like (but different for each of those words):


Why do I care?

You don’t — unless you get a signup message saying your password of choice “exceeds the maximum of 45 characters” or whatever number.

All passwords — regardless of length — are converted to a hash of a consistent length to be stored in the database. Therefore, the maximum length of your password is not relevant — unless they are not hashing your password at all. This is called “storing in plain text” — i.e., they can look in the database and actually read your password normally — and is usually found in the same sentence as “data breach”. Once someone breaks into the database, they have everyone’s emails and passwords.

Don’t confuse this with minimum required length. This is *good* and helps make sure you use a “strong password”, which we’ll explain next.

Rules & Feedback — the Good, the Bad and Downright $%&# Wrong

Feedback is the message you get when you type the wrong password.

There’s not a lot to say about the feedback except for one very common mistake — they should tell you that “either your email OR password is wrong”, regardless of which one has the problem.

The reason is very simple — if they tell you which one has the problem, it tells the crackers whether or not your email actually exists on this server. Once they know it does, they can focus on their other tools and techniques for breaking your password.

Your email is *everywhere*. Crackers don’t even need to do anything sneaky — legitimate corporations sell your email to anyone who wants to buy it. Most people have all the standard social media accounts, even if they don’t use them. Even if they think they’ve been deleted.
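As an added example (not code from the original post), here is how a site’s login code can do both things just described: keep only a fixed-length hash of each password, and give the same “email or password” answer whether the email is unknown or the password is wrong. The user table, email address and messages are constructed for illustration; the hashing uses PBKDF2 from Python’s standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster
SALT_LEN, DIGEST_LEN = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt + PBKDF2-HMAC-SHA256(password). The result is always
    SALT_LEN + DIGEST_LEN = 48 bytes, whether the password is "cat" or
    "supercalifragilisticexpialidocious"; the original cannot be recovered from it."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_LEN)
    return hmac.compare_digest(attempt, digest)


# Constructed user table: only the hash is kept, never the password itself.
USERS = {"jo@example.com": hash_password("supercalifragilisticexpialidocious")}
# Hash of a throwaway value, checked when the email is unknown so that a
# missing account takes the same time to reject as a wrong password.
_DUMMY = hash_password("throwaway-value-never-accepted")

GENERIC_ERROR = "Either your email or password is wrong."


def login(email: str, password: str) -> str:
    """Return the message shown on the login screen. Unknown email and wrong
    password produce the same text, so the response reveals nothing about
    which email addresses have accounts."""
    stored = USERS.get(email, _DUMMY)
    matched = verify_password(password, stored)  # always runs, known email or not
    return "Welcome back!" if matched and email in USERS else GENERIC_ERROR
```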

Rules are what they sound like — it must be at least 8 characters long, it must have a number in it, etc.

Good rules are ones that force you to make your password longer and more random. This helps defend you in a few ways:

  • Social engineering attacks. This is what most people tend to think of when they hear “password cracking” — one guy sitting there typing in different values until he gets a hit. This is one reason to keep all your profiles as private as possible. “Oh, look — his children are ‘Shawna’ and ‘Chad’. Let’s just…yep, and we’re in!” Don’t make it so easy.
  • Brute force dictionary attacks: The cracker runs a script that tries the top 10,000 words from the “dictionary”. This isn’t just Webster’s — it will include things like “p@55w0rd”. That will nail most of you. Fortunately, system administrators can defend against these pretty easily.
  • Brute force attacks: Similar to the dictionary attacks mentioned above, except now they have to try every different random combination. If the possibilities include capitals, numbers, #$%&, etc., the combinations are exponentially larger, so brute force attacks become rather difficult to pull off before they are detected and shut down by the site administrator.
    This is also important for a technical reason that goes a little beyond this article, but in simple terms: if the cracker does manage to get your hashed password from a data breach and the site allows a full set of characters to be used, it should be even more difficult (than it already is) to reverse engineer the hash and learn what your password is.
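An added example (not from the original post) of the signup-side checks that enforce the good rules above: a short constructed blocklist standing in for the cracker’s “dictionary”, undoing “p@55w0rd”-style substitutions before checking against it, and a rough estimate of how much the brute-force search space grows with length and extra kinds of characters. The word list and substitution table are constructed for illustration; a real site would use a large list of breached passwords.

```python
import math
import string
from typing import List

# Constructed stand-in for the "top 10,000 words" a dictionary attack tries first.
COMMON_WORDS = {"password", "letmein", "qwerty", "monkey", "shawnachad"}

# Substitutions the crackers' wordlists already contain, so they are undone
# before checking: "p@55w0rd" is treated as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet-speak
    ("Password1!" -> "password")."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation) or lowered
    return core.translate(LEET)


def keyspace_bits(password: str) -> float:
    """Rough size of the space a brute-force attack must search, in bits:
    log2(alphabet ** length). More kinds of characters widen the alphabet;
    more length raises the exponent, which is why length matters most."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(chars) for chars in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, min_length: int = 8, min_bits: float = 50.0) -> List[str]:
    """Return the rule violations for a proposed password; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"must be at least {min_length} characters")
    if normalize(password) in COMMON_WORDS:
        problems.append("is a common word, even with @/5/0-style substitutions")
    if keyspace_bits(password) < min_bits:
        problems.append("is too predictable; add length or more kinds of characters")
    return problems
```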

What can you do about it?

There’s a lot of advice given to “ordinary people” about what they should do personally to stay safer, but little is said about identifying *websites* that don’t follow safe procedures, and what to do when you find one. It is important to “out” these sites in some manner — contact them directly, point them out to more technical friends (who will usually not be as gentle with them), and generally try to get them to change. Keep your eyes open for (and be careful about using) sites that:

  • restrict the length or type of characters you can use in a password
  • give feedback as to what mistake you made when entering data
  • send you a password in plain text via email — they should always send you to a password reset page
  • read aloud over the phone or give any indication they can see your actual password

For yourself, there are a ton of great articles to help you stay more secure, so read and remember some basics. Download 1Password or Password Safe.

And stop using “shawnachad”.

Hope that helped!