Creating secure and strong passwords is crucial in today’s digital age. It takes less than a second for an average computer to crack any password that is a typical word in a dictionary of any language, up to eight characters long. Despite this, many people still use weak passwords, which can put their finances, privacy, and personal information at risk. This includes credit card details, private photos and videos, social media accounts, and even company documents. If your accounts get compromised, the consequences could be severe and far-reaching.
Imagine that you live in an apartment in a guarded housing development, which is monitored by a number of cameras, and security is designed to let in only those with an access card. Each of these elements is supposed to increase your security, so does this mean that you can give away your access card to your apartment without any worries or simply not lock it? It’s hard to imagine such a situation, isn’t it? So why do so many of us replicate such behaviour in our approach to password management?
Passwords play a crucial role in cybersecurity, serving as the first defence line for individual users and large corporate networks. Despite this, we often underestimate their importance, shifting responsibility for our security to high-level encryption methods such as SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), advanced firewalls, and antivirus software that can eliminate complex malware and Trojan-like scams. However, history has repeatedly shown that without the initial barrier provided by passwords, malicious users with enough determination and sufficient experience in coding and creating exploits can find their way into most network infrastructures.
Have you ever felt frustrated while creating a new account when your preferred password doesn’t meet the security standards of the service, and you have to add special or numeric characters? Password policies have become a norm for corporations or services that store confidential information and for any service that stores user credentials. Unfortunately, service providers are not obligated to require users to create strong passwords. However, having a strong password is more crucial than ever.
Read the first in this series of texts: Authorization by Facebook, Google, Github.
In today’s world, most of us have shifted a significant part of our daily lives to the Internet. This includes remote work, electronic transactions, social media, and more. Consequently, it is vital to consider how much sensitive information we store on our devices. With advanced hardware and computing capabilities, hackers can easily crack weak passwords within moments. If the same password is used across multiple accounts, the attacker can gain access to a wealth of personal information, including banking data, social media accounts, and other critical systems. This can lead to identity theft, financial loss, and other forms of fraud.
Using the same password for multiple accounts is a real convenience for the user, but it carries a lot of risk to our data. Hijacking one account can lead to losing access to all the profiles you have created. If you want to learn more about mitigating the risk associated with using a single password for multiple systems, we invite you to read our previous article “OAuth – authorization by Google, Facebook”.
Ways to encrypt passwords
It’s essential to understand how our passwords, which we create during registration, are stored. Before we dive into the rules for creating passwords, let’s discuss the storage of passwords. In a previous article, we discussed the importance of trusting the service we give our data. No service should store passwords in an unencrypted form. Unfortunately, there have been cases where passwords were not properly secured, leading to data leakage.
Authentication is the process of verifying the identity of a user by providing them with a set of credentials such as a username and password. To ensure that the credentials provided each time a user wants to access the application are correct, we need to store this information in our database for future comparisons. However, storing passwords can be challenging and requires following specific rules, guidelines, and best practices. In the rest of this article, we’ll explore the mechanisms that make storing passwords safe and more manageable.
The black box – the login mechanism
Storing passwords securely is crucial for any application that requires user authentication. One way to do it is by creating a table in the database that maps each username to its corresponding password. When a user attempts to log in, the server receives an authentication request that includes the username and password. The system then searches the table for the username and compares the given password with the stored password. If the credentials match, the user is granted access to the application.
The security strength and resilience of this model depends on how the password is stored. The most primitive, and therefore least secure, format for storing passwords is plain text (the term refers to readable data transmitted or stored in “plaintext” form).
Storing passwords as plain text can pose a severe security risk. If an attacker manages to gain access to the database and steal the password table, they could potentially have access to all user accounts. This problem becomes even more significant when users reuse the same passwords or variations of them for multiple accounts, as it can allow an attacker to gain access to other services beyond the compromised one. Clearly, this situation presents a significant security concern and should be avoided.
It’s important to remember that not all attacks come from external sources. Sometimes, the threat can come from within an organisation. For instance, a fraudulent software engineer who has access to the company’s database could potentially misuse their authority by retrieving passwords in plain text and gaining unauthorised access to any account in the system.
A more secure way to store a password is by first converting it into a data that cannot be reversed to the original password using a cryptographic hash function. This technique is called hashing.
Hashing
In the field of cryptography, a hash function refers to a mathematical algorithm that converts any given data into a fixed-size string of bits. The original data is referred to as the input, while the output of the algorithm is a string of characters of a fixed size, commonly known as a hash.
A secure cryptographic hash function should be:
- Deterministic
The same input will always generate the same hash. - One-way
Obtaining the original message from knowing its hash is a computationally difficult task. - Collision resistant
Finding any two messages that have the same hash is a computationally difficult task. - Highly randomised
A small change in the input should lead to a significant and uncorrelated change in the output. Without this property, the use of cryptanalysis methods will allow you to predict inputs based on the output.
Hash functions are widely used in various applications. However, their assumptions are typically unchangeable – the hash calculation should be easy and practical, but it should be difficult or impossible to generate the original input data only from the hash value. Unlike encryption, hashing is a one-way mechanism. Therefore, before storing a user’s password in the application database, a cryptographic hash function must be applied to it, and the resulting hash will be stored in the database. One challenge that arises at this point is deciding which hash function to use.
Commonly used hashing algorithms include Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1, and SHA-2 (which includes the widely used SHA-256 algorithm). Later in the article, we will learn about the strength of these algorithms and how some of them have become obsolete due to rapid computational advances or have stopped being used due to security vulnerabilities.
Using cryptographic encryption to store passwords more securely
When we talk about a deterministic function, we mean a function that will always produce the same output for a given input. This is extremely important when it comes to authentication because we need to be certain that a particular password will always yield the same hash. Without this guarantee, it would be impossible to accurately verify user credentials using this particular technique.
To integrate hashing into the password storage workflow, when a user is created, instead of storing the password in plain text, we mix the password and store the username and a hash pair in a database table. When a user logs in, we hash the sent password and compare it with the hash associated with the given username. If the hashed password and the stored hash match, we have a valid login.
Collision attacks destroy hash functions
Since hash functions can take input data of any size, but produce hashes that are fixed-size strings, the set of all possible inputs is infinite, while the set of all possible outputs is finite. This makes it possible to map multiple inputs to the same hash. Therefore, even if we could reverse the hash, we would not know for sure that the result is the selected input. This is called collision and is not the desired effect.
Cryptographic collision happens when two different inputs produce identical hash values. Thus, a collision attack is an attempt to find two inputs that result in the same hash value. Attackers can exploit such collisions to deceive systems that rely on hash values by using invalid or malicious data to fake a valid hash. Therefore, cryptographic hash functions must be designed to resist collision attacks and make it extremely challenging for attackers to find these identical values.
Types of cryptographic hashes
The most popular cryptographic hashes are implemented based on two types of algorithms: MDx and SHA. Due to the fact that it is quite easy to find collisions, representatives of the first group (MD4, MD5) are now rarely recommended. It is recommended to use algorithms of the second group, at least in the form of 256-bit function value.
MD4
Starting from the early 1990s, MD4 hash function has been the basis for the development of many other hash functions like MD/SHA. However, in 1992, its validity was questioned when the last two rounds of the algorithm were successfully attacked. Subsequently, the first two rounds were also proven unidirectional, and a collision-finding algorithm was published. Finally, in 2004, MD4 came to an end when a team of Chinese researchers led by Professor Wang found and published a formula for collision generation.
MD5
In 1991, the MD5 function was introduced as a successor to MD4. However, just two years later, researchers found pseudo-collisions. In 1995, collisions for its compressing function were demonstrated. Further weaknesses in the algorithm were discovered in 2004 (the method of obtaining collisions for two-block messages) and 2006 (an algorithm specifying collisions using the so-called tunnelling was published; in this case, only a minute was enough to find a collision).
SHA 0/ SHA 1/ SHA 2
The SHA-0 algorithm was developed in 1993. Since then, the detection of collisions of increasing complexity has led to the creation of newer generations of this function.
SHA 1 replaced SHA 0, but it also had vulnerabilities, leading to improvements in the SHA algorithm.
In 2001, SHA 2 was introduced with three versions generating hashes of 256, 384, and 512 bits. It has become the recommended standard (FIPS PUB 180-2) since no successful attempts have been made to break the function as of 2002. However, given that a collision may be discovered soon, NIST initiated a competition in 2007 to create a new hash function, which is currently known as SHA 3.
The MD and SHA families, while widely used, have a design flaw. They are designed to be computationally fast, which has a direct impact on password security. The faster the function computes a hash, the more vulnerable it is to brute-force attacks.
Modern computer processors and GPUs are capable of computing millions, or even billions, of SHA-256 hashes per second. This is why a cryptographic hash function designed for password hashing needs to operate slowly in order to deter attackers. Additionally, this feature should be adaptive so that it can adjust to future advancements in hardware performance by slowing down the hashing process.
Technology is evolving at a rapid pace, providing significant benefits to both software engineers and attackers. However, some cryptographic programs are not designed to keep up with the increasing computing power. As previously explained, the strength of a password’s security depends on how quickly the cryptographic hash function can compute the hash of the password. A faster hash function will run more efficiently on powerful hardware.
Do you want to implement a scure web application?
Are you looking for a contractor who puts code quality first?
We invite you to a free consultation – we will talk and see if we can help.
Bcrypt
The Bcrypt function is an adaptive hashing function based on the symmetric block cypher Blowfish. It introduces a work factor, also known as a safety factor, to provide additional security.
The work factor value determines how slow the hash function will be, meaning that different work factors will generate different hash values at different times, making it highly resistant to brute-force attacks. Given further advances in technology, we assume that computers will become more powerful every year, but we will be able to increase the work factor to offset this, i.e. slow down the attack.
What does a weak and strong password mean?
We often hear about the importance of creating a strong password and the risks of using a weak one. However, do we truly understand what makes a password strong or weak? In this article, we will explore the terminology associated with password strength and provide some insights on how to distinguish between a strong and weak password.
Weak password
Weak passwords often play a significant role in system breaches, making it crucial to understand what constitutes a weak password. Some systems do not require users to create complex and secure passwords, leading to the use of simple strings of characters like “password,” “password123,” “Password@123,” “12345,” or “QWERTY,” which are extremely easy for hackers to crack.
Creating a strong password requires more than just length and character complexity. It also involves avoiding guessability. For instance, “Joe@1992” may seem complex but it can still be guessed. Therefore, it’s best to avoid using a password that can be related to a name, place, or mobile number.
When creating a password, it’s important to avoid using personal information such as your name, family members’ names, significant dates like anniversaries and birthdays, or the name of special places. Also, avoid using common words like “password,” and sequential lists of numbers or letters. Using such information makes it easier for others to access your account, so it’s best to stay away from them.
It’s essential to avoid using words from the dictionary in your password. Hackers often use dictionary attacks to crack passwords.
Hackers can easily detect commonly used substitutions, such as replacing “a” with “@” or “l” with “!”. This means that such substitutions do not offer effective protection. In fact, with a brute force attack, hackers can crack a password consisting of a random word with common substitutions and numbers or symbols added at the end in as little as 3 days.
Features of a weak password
- The password contains less than eight characters.
- The password is or contains a dictionary word.
- Patterns of words or numbers, such as aaabbb, qwerty, zyxwvuts, 123321, etc.
- It contains date of birth or other personal information, such as addresses and phone numbers.
- Includes names of family, pets, friends, co-workers, fantasy characters, etc.
- Each of the above written backwards.
- Each of the above preceded or ended with a digit (e.g., password1, 1password).
Strong password
Creating a strong password involves several key elements, with length and variety being the most basic. A longer password is more secure because it contains more characters, resulting in an increased number of possible combinations. A password comprising of upper and lowercase letters, numbers and special symbols also improves password security. Following these rules can make it much more difficult for someone to crack your password. This approach can significantly prolong the time it would take to guess your password from a few days to over a hundred years.
Let’s notice how we have increased our password security at a low cost by mixing lowercase and uppercase letters, numbers and special characters. It’s worth mentioning that an “uncrackable” password usually means the time it takes to crack it is unprofitable for the hacker. It all depends on the structure and length of the password, the type of cryptographic hash, and the hacker’s hardware. All of this affects the complexity of the password and the computing power of the hardware, which boils down to the number of possible combinations of characters from which a password can be created and the time in which all combinations can be checked. More on this later in the article.
Consider the number of possible combinations with a 6-character password, using different types of characters:
- Digits only (0-9)
________ | ________ | ________ | ________ | ________ | ________ | |
number of possible bets | 10 | 10 | 10 | 10 | 10 | 10 |
possible passwords to create
- Lowercase only
________ | ________ | ________ | ________ | ________ | ________ | |
number of possible bets | 26 | 26 | 26 | 26 | 26 | 26 |
possible passwords to create
- Lowercase and uppercase letters
________ | ________ | ________ | ________ | ________ | ________ | ||
number of possible bets | 52 | 52 | 52 | 52 | 52 | 52 |
possible passwords to create
- Lowercase and uppercase letters and digits
________ | ________ | ________ | ________ | ________ | ________ | ||
number of possible bets | 62 | 62 | 62 | 62 | 62 | 62 |
possible passwords to create
- Lowercase and uppercase letters, digits and special characters
________ | ________ | ________ | ________ | ________ | ________ | |
number of possible bets | 95 | 95 | 95 | 95 | 95 | 95 |
possible passwords to create
The perfect password is one that is easy to remember but “impossible” to crack. While finding the perfect password is difficult to achieve, there are a few rules you can use to get as close to it as possible.
It’s crucial to have different passwords for each of your online accounts. Using the same password for multiple accounts can be risky because if one of your accounts is breached, it can give hackers access to your other accounts. To ensure maximum security, it’s always recommended to set a unique and secure password for each account.
Features of a strong password
- It has at least 8 characters;
- Includes both uppercase and lowercase letters (np. a–z, A–Z), digits, special characters (eg. 0-9!@#$%^&*()_+|∼−=\′{}[]:“;'<>?/).
- It contains no words available in any language, slang, dialect, etc.
- It is not based on personal information, family names, etc.
Summary
In today’s world, having strong and unique passwords is crucial to safeguarding your online accounts and personal information. Although the internet may seem safe, it is more like the Wild West, with many looking to steal your identity and money. One of the best ways to protect yourself is to have a complex and lengthy password. Such passwords make it incredibly challenging for hackers to crack your accounts, regardless of the type of attack. As a general rule, the more complex your password, the higher the level of security it provides for your online accounts and devices, ensuring maximum protection against unauthorised access.
Passwords in combination with user account names, act as the primary keys to access network resources and data. Therefore, every system must have an efficient password policy, which is a crucial element of security. However, implementing such a policy is more challenging than it may appear. Even though users follow adequate password length and complexity, they should also refrain from selecting commonly-used passwords, short alphanumeric strings, or single-letter characters. Additionally, writing down passwords or sending them over the network in plain text should be avoided.
It’s not enough to rely solely on expensive, sophisticated firewalls or other high-security measures to protect against intruders. Therefore, it’s crucial to use strong passwords not only for regular accounts but especially for administrative and service accounts.
Your password is the only thing that stands between your personal information, identity, and money from being accessed by cybercriminals. While reading this article, if you realised that any of your login credentials are not strong enough, we recommend changing it to a password that meets our guidelines. Ensuring your password is strong and secure is essential to keeping yourself safe from online threats.
If you want to enhance your online security, then you can stay updated with our blog. We will soon be publishing more parts of our online security series. In the upcoming posts, we will discuss password-cracking techniques and analyse the time it takes to crack the most common shortcuts. This will give us a deeper understanding of what makes a password more secure.
Are you going to develop a web application or are you in the middle of such a project, and code quality and security are very important to you? We would like to invite you to a free consultation. Let us explore together if we can offer any assistance to you.
Are you going to develop a web application or are you in the middle of such a project, and code quality and security are very important to you?
We would like to invite you to a free consultation. Let us explore together if we can offer any assistance to you.