Passwords have been around for a very long time and have served most of us well, but the environment has recently changed. It's time to reflect on where they stand and investigate what the future holds.
Almost every aspect of your life (personal as well as professional) now leaves a strong digital footprint, and many times we volunteer an abundance of information about ourselves. Add a lost password to the mix and our entire life could easily be hijacked. Sounds scary? It is not far-fetched if we are not careful about how we manage our online accounts.
Do you have too many social media accounts, bank logins, utility payments and e-commerce websites where you registered but cannot keep track of your passwords? Do you reuse passwords across multiple websites? I can assure you that you are not alone! But you do not have to endure this stress: read ahead, follow a few simple steps, and you should be fine.
Although several blogs and articles have already been written on this subject by cyber-security experts, including Krebs, this is a humble attempt to present the information to non-techies in a simplified fashion.
Before we jump into specific solutions, let us look at the problem itself to appreciate its complexity:
Many websites still save passwords
Are you wondering why that is a surprise? Saved passwords are dangerous both for us and for the company or organisation saving them. It is dangerous for the company because it can be sued for a breach of confidential data, and for us because we are exposed on the wild, wild web, and almost all of us reuse passwords on at least a few websites, if not all of them.
Passwords should NEVER EVER be saved by websites in any format (including encrypted)! But how would you know whether a particular website stores your password? Some clues offer insight. Look for the “Forgot password?” link: clicking it should only let you reset the password, never recover it. If so, it is highly likely that they do not save it. The only way to “recover” access should be by setting a new password; you should never be able to retrieve the old one.
“Garbled and irreversible”
What happens behind the scenes (on websites that care about your privacy) is that passwords are first converted into a unique garbled value by a cryptographic algorithm called ‘hashing’. You can create the hash of a given password, but you cannot recover the password from a given hash.
A simple and very common password like ‘123456’ would be converted to something like the text/value below once a good garbling algorithm is applied.
From the value above, the meaning of ‘garbled’ is fairly evident, but if you are wondering why it is ‘irreversible’: these algorithms work only one way. Entering a password produces the mangled text, but it is very, very difficult to recover or guess the password from that text alone; hence irreversible.
Now, there’s a catch. If I knew the algorithm a particular website uses and had the garbled text of a particular user’s password (obtained from another hacked or compromised website), I could in principle keep guessing passwords until my garbled values match, assuming the user has reused the password.
Complex is good!
So, to make things a bit more complex, websites usually add one more unique value, called a salt, to every user’s password before sending it to the garbling algorithm. Taking the example of ‘123456’, a unique value such as ‘salt4user1’ (specific to one particular user) is added, and the new garbled text becomes something like:
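To make the hashing and salting above concrete, here is an added example (not code from the original post). The password ‘123456’ and the salt ‘salt4user1’ are the article’s; the second user’s salt, the second “site”, the function names and the PBKDF2 iteration count are my own assumptions. It shows that two sites storing the plain hash of a reused password end up with identical digests, that per-user salts break that match, and how a site checks a login without ever keeping the password.

```python
"""Hashing and salting as the article describes it: added example, not code from the
original post. '123456' and 'salt4user1' are the article's; the second salt, the second
site, the function names and the PBKDF2 settings are assumptions made here."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune so a login takes ~0.3 s


def plain_hash(password: str) -> str:
    """One-way 'garbling' with SHA-256. The same password always gives the same
    64-character digest, and nothing in the digest lets you walk back to the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The article's 'Complex is good!' step: a value unique to the user is mixed in
    before hashing, so a reused password no longer produces a reusable digest."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_password(password: str) -> tuple:
    """What a careful site keeps instead of the password: a random per-user salt and a
    deliberately slow hash. Slowness makes each of an attacker's guesses cost as much as
    a real login, which plain SHA-256 does not."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    """Two sites, one reused password. Without salt the stored digests are identical, so
    a digest leaked from site A also identifies the user at site B; with per-user salts
    they differ, and the site never needs the password itself to check a login."""
    password = "123456"                                # the article's example password
    site_a_digest = plain_hash(password)
    site_b_digest = plain_hash(password)
    salted_a = salted_hash(password, "salt4user1")     # the article's salt
    salted_b = salted_hash(password, "salt4user2")     # constructed salt for a second user
    salt, stored = store_password(password)
    return {
        "unsalted_digests_match": site_a_digest == site_b_digest,
        "salted_digests_match": salted_a == salted_b,
        "login_with_right_password": verify_password(password, salt, stored),
        "login_with_wrong_password": verify_password("123457", salt, stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Plain SHA-256 is used only to mirror the article’s illustration; the `store_password` / `verify_password` pair shows what a site should actually do, which is a random salt plus a slow, purpose-built password hash.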
If you are thinking that most of the above has made you more nervous because you understood little of it, do not worry! All you need to remember about passwords is:
- they should not be reused, as far as possible; there is immense and inherent danger in it!
- make them non-trivial and lengthy. They should not be only words (from the English dictionary), names or basic combinations like abc123.
- don’t use websites that allow retrieval of passwords; they should only allow you to reset them.
You may now be wondering whether passwords really help if they need to be non-trivial and must NOT be repeated. Are they a panacea or too much of a headache? The next part of the article is the most important in terms of the steps you need to take to secure your online identities and accounts:
1. Practice the minimum safety measures
- Always ensure you are on a secure (https) website.
- Also add an extension/add-on like “HTTPS Everywhere” to your browser, which ensures that web traffic from your browser is encrypted, and so unreadable to intruders, wherever the website supports https.
Nothing is perfect when it comes to online security
- When you are on a bank or other financial website, or a government website that deals with confidential data, always ensure that the website offers a virtual keyboard like the one shown below.
2. A truly customer-centric website will offer more than one form of authentication, such as a TOTP (time-based one-time password). Use ones that have at least two; the more the merrier. This is called multi-factor authentication (MFA).
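The TOTP mentioned above is a published standard (RFC 6238), and seeing how a code is produced explains why it is a genuine second factor. The following is an added example, not code from the original post or any authenticator app. The shared secret is the RFC’s own test seed, not a real account’s; the 30-second step, six digits and one-step verification window are the common defaults and are assumptions here.

```python
"""Time-based one-time passwords (TOTP, RFC 6238): added example, not code from the
original post. The secret below is the RFC's test seed, not a real account's; step
size, digit count and verification window are the usual defaults (assumed)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6

# RFC 6238 test seed: the ASCII bytes of "12345678901234567890". An authenticator app
# receives the same secret as a Base32 string inside the website's QR code.
TEST_SEED = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the Base32 secret an authenticator app stores (spaces and case tolerated)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)     # restore padding that apps often drop
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 counter-based code: HMAC-SHA1 over the 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """The code an app shows right now: HOTP with counter = Unix time // 30."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either side to
    absorb clock drift, comparing in constant time. A code from outside that window,
    or derived from a different secret, is rejected: a leaked password alone is not
    enough to log in, which is the whole point of the second factor."""
    now = time.time() if at_time is None else at_time
    counter = int(now) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SEED, 59))                   # RFC 6238 vector: 287082
    print("same code 20 s later:", verify_totp(TEST_SEED, "287082", 79))
    print("same code 5 min later:", verify_totp(TEST_SEED, "287082", 59 + 300))
```

The secret never travels over the network after enrolment; only the six-digit code does, and it is useless within a minute. Sites that offer TOTP usually accept the code one step either side of the current time, as `verify_totp` does, because phone clocks drift.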
3. Password managers
We already discussed that creating complex passwords AND remembering them is quite a challenge! Addressing this specific issue, software known as “password managers” is available to tabulate, manage and remember all our passwords in one place.
They “auto-generate” as many highly complex passwords as you need, with the necessary mix of letters, numbers and special characters, and at the length you desire. The passwords are also saved automatically, so that you can simply fill them in (copy and paste) on each website rather than having to remember them.
Are you wondering whether that sounds too dangerous? You do expose yourself if you visit the manager’s website and store all your passwords there. Instead, experts highly recommend using just an extension that sits in the browser, so that all passwords stay local to your machine.
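What “auto-generate” amounts to is drawing characters from the operating system’s secure random source and making sure every required character class appears. The following is an added example, not code from the original post or from any password manager. The character classes, default length and the small list of common passwords are constructed for illustration; the `is_trivial` check also encodes the article’s earlier rule that a password should not be a bare word, name or simple combination like abc123.

```python
"""What a password manager's 'auto-generate' does: added example, not the original
post's code or any manager's. Classes, default length and the common-password list
are constructed for illustration."""
import math
import secrets
import string

# The classes the article mentions: letters (upper and lower), numbers, special characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")

# Constructed sample of passwords that appear in every leaked-password list.
COMMON_PASSWORDS = {"123456", "password", "abc123", "qwerty", "111111"}


def generate_password(length: int = 20, classes: tuple = CLASSES) -> str:
    """Random password of `length` characters drawn from the OS CSPRNG (`secrets`),
    with at least one character from every class so it passes typical site rules.
    The class-guaranteed characters are shuffled in so their positions are not fixed."""
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)} to cover every class")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_classes(password: str, classes: tuple = CLASSES) -> bool:
    """True when the password contains at least one character from each class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing effort for a uniformly random password: length * log2(alphabet size).
    Twenty characters from the 76-symbol alphabet above give about 125 bits; a
    dictionary word or 'abc123' is a handful of bits by comparison, which is why the
    article asks for non-trivial, lengthy passwords."""
    return length * math.log2(alphabet_size)


def is_trivial(password: str) -> bool:
    """The article's 'non-trivial' rule as a check: too short, missing a class,
    or on the common-password list."""
    return (
        len(password) < 12
        or not covers_all_classes(password)
        or password.lower() in COMMON_PASSWORDS
    )


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "trivial:", is_trivial(pw))
    print("entropy of a 20-char password here:", round(entropy_bits(20, sum(map(len, CLASSES)))), "bits")
    print("'abc123' trivial:", is_trivial("abc123"))
```

Some websites forbid particular special characters; passing a narrower `classes` tuple is how a manager adapts the generator to a site’s rules, and the entropy figure shows how little that costs when the length is kept up.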
- Browser extensions (e.g. LastPass)
- Personal diary
Yes! You read that right. The most traditional method, often perceived as archaic, is one of the recommended ways of keeping track of passwords, even among the most experienced cybersecurity experts. However, one tip from my end: do not write down the password itself explicitly; mask it with some meta-tag or code. For example, if your password consists of your daughter’s DOB, your pet’s name and a special character like $ that you usually use, write down just the clues, not the password itself, and ONLY IF you are absolutely sure that you can recreate the combination in the exact same order.
SUMMARY: Passwords are not going away very soon, but they are likely to be strengthened by combining multiple authentication mechanisms, and you need one or more of the above methods to protect yourself.
Disclaimer: The above content is entirely original, although assimilated from various sources over a period of time.
The author is the founder & chief consultant of CyberSafeHaven Consulting.