Passwords are everywhere. From the four-six digit passcode to get you into your iPhone, the (hopefully) complex login details you use to access your online banking to the secret word that allows your Grandparents to pick up your children from school. A password secures and provides access to the most precious things we own and hold close. But have you ever wondered how secure your passwords really are? How easily can someone guess your favourite dog’s birthday or the destination of your honeymoon, your first born’s birthday?
Online security is one of the many facets of life that we take for granted these days and we (hopefully correctly) assume that the gatekeepers to our personal data (the banks, the building societies, the supermarkets) are doing their utmost to ensure that any access to our information is secured and protected. Any website that requires you to log in using a username and password MUST be storing your passwords in an encrypted form. If they are not… well, they should be.
Protecting The Password
Most modern systems store your password not as they appear in plain text, but as a set of other characters calculated to represent the password in a process called hashing. When your password is hashed, it is turned into say a 32 digit number, and this number is stored against your account in the database. In the event of a hacker gaining access to the passwords they will only have the hashed representations. They would have to reverse engineer these hashes to turn them back into the actual password and gain access.
There are a number of ways that a hashed password can be turned back into the actual, plain text version and these are what most hackers will employ to gain access to other people’s accounts and data. The ease at which they can do this successfully is partly down to the particular type of hashing employed by the system and also by the password itself and how complex it is in the first place. The more complicated the password, the more variations and so the harder it is to work out.
So, Let’s See How That Works
Consider your password as being a very simple set of 4 characters that can either be a 1 or a 0, e.g. 1111, 1110, 1100 and so on. It should be clear that there are only a certain number of variations of these 1s or 0s that can be made and so guessed by the hacker.
The exact number of variations is calculated as 2 to the power of 4. As there are two possible characters that can exist in each position and 4 positions. 2 to the power 4 gives us 16 possible passwords. Guessing these 16 possibles could be done by hand pretty quickly and almost instantly by a computer.
If we increase the complexity of the password to say using any number between 0 and 9 (10 possible characters) in each of the 4 positions, the number of variations is now: 10 to the power of 4 = 10,000 possibles.
And In The Real World
To bring us into a real world scenario let’s allow the use of any alphabetic character (a to z), upper or lower case and numbers (0 to 9) in each of the 4 positions. The number of possible characters in each position is now: 26 + 26 + 10 + 10 = 72. So, the number of possible passwords becomes 72 to the power of 4 = 26,873,856.
The relative increase in the number of possible passwords increases at a huge rate with just a small variation in either the number of characters to choose from or the size of the password itself.
A password of only 4 characters whilst allowing for over 26 million variations in our last example is still very insecure; with today’s computing powers guessing those 26 million or so would not take huge amounts of time.
If we require our password to be 12 characters long and made up of alphabetic upper case, lower case and numbers the new variation count would be 72 to the power of 12 = 19,408,409,961,765,342,806,016.
Guessing all of these would take an extraordinary number of years, running into the thousands.
It is always important to create your passwords with a minimum of 12 characters made up of the alphanumeric and where possible special characters (e.g. £#@\ etc) to further boost the variation count and increase the relative security. Best practice also suggests that a password should be random in nature and not adhere to a pattern that includes normal, dictionary words. One hacking approach makes use of hashing dictionary words in advance and using these to compare to stolen hashed password data. It doesn’t take too much effort to create a table of hashed dictionary words and then storing that for later use against stolen account data. These types of tables are known as Rainbow Tables.
So in conclusion, always make your passwords long, random and use all character types where possible.