BY RAY DANIEL
It’s time to speak the ugly truth: The notion of a password (a string of letters memorizable by a human) is dead, best relegated to job of keeping people off of your 1987 IBM-PC.
Last month, eBay announced that hackers had stolen its database of user passwords, followed by a similar announcement from Bit.ly the week after. However, eBay and Bit.ly weren’t the only ones to find out the system wasn’t as secure as they thought: Adobe and Linkedin have both found their passwords prey to Internet hackers in the past few years.
Based on this evidence, you’d be justified in saying “What, again?” or—more likely—“So what?” They’re both good questions, ones best answered by looking at what hackers do once they steal your encrypted password.
The good news is that hackers can’t decrypt your password because modern cryptography cannot be decrypted with current computers. (This is true even though hackers on TV can decrypt anything if simply motivated by the taunt, “I thought you were good.”) If your password is stored properly, no one can decrypt it including the website using it.
Instead of decrypting passwords, smart websites store only the encrypted string. This means that when you type a (terrible) password like “mypassword,” they encrypt it and store “91dfd9ddb4198affc5c194cd8ce6d338fde470e2” instead. When you log in with mypassword, the website encrypts the password and compares it to the encrypted string in the database.
While the good news is that hackers cannot decrypt your password, the bad news is that they don’t have to; they just have to guess it. Given a newly stolen user database, they run password cracking software such as John the Ripper, which looks at each encrypted password in the database and starts guessing. They guess hard and they guess fast.
A hacker’s password cracking setup not only includes customized password guessing software and enormous databases of previous passwords (such as mypassword), it also includes modified graphics cards that allow them to crack tens of thousands of passwords in an hour. This includes secure looking password such as “Coneyisland9/” and “momof3g8kids.”
Notice what hackers do not do. They don’t try to learn your kids’ names, which would be creepy even for them). They don’t know your dog’s name or your school or the make and model of your car. They don’t sneak into your house and read the password off the Post-it note on your computer. All they do is guess up to 8 billion times a second and see if they can find a match.
If your eBay (or Bit.ly, Adobe, or Linkedin) password consisted of any recognizable words, it’s a good bet that it’s been cracked.
And what do the hackers do with these passwords? In the case of LinkedIn, they posted them online for anyone else to use. That’s right, your LinkedIn email/password combination may will be online. (You can check here at LastPass.com.)
Again you may ask “So what? A hacker has my password to LinkedIn. What’s he going to do, recommend me to death?” You’d be right, as long as the email password combination you used for LinkedIn was only used on LinkedIn. But, that’s probably not the case, is it?
Truth be told, most of us have a series of characters that we call “my password” and we use that password all over the place. Once hackers have that password from one site, they can use it on others. What are the odds of that? Just ask the victims of Oleg Pliss.
Apple iOS users in Australia (and now the U.K. and U.S.) have been waking up to find their iOS devices locked by someone claiming to be named Oleg Pliss. Good old Oleg has locked the phone using the person’s iCloud account and now demands $50 “For unlock.”
How did “Oleg” get into the iCloud account? At this point in the investigation most signs point to username/password combinations that had been stolen from other sites and were now being used on iCloud. Apparently, Oleg Pliss’s victims had reused their passwords.
Long story short, reused passwords are bad news.
Given that password databases are probably going to keep getting stolen for the foreseeable future, how do we keep from getting Oleg Plissed? There are three easy steps:
Use Two-factor Authentication
Two-factor authentication requires that someone have both your password and your cell phone in order to log into a website. When you have two factor authentication in place, the hacker can have your password but still not be able to get into your account.
Google, Facebook, Twitter, Apple, and a growing number of websites allow users to choose two-factor authentication. Choose it whenever you can. Every person suffering from the Oleg Pliss attack would have been safe had they turned on this feature.
Use a Password Manager
Passwords have always suffered from a fatal flaw: people have to remember them. This keeps humans from creating truly random passwords such as jL+$9u;V82ihuUJsZKCq, instead replacing them with memorable but guessable passwords such as MyD0gFr3d. Having to remember passwords also keeps us from having a different password for every website.
Password managers get rid of this problem by removing memory from the equation. The human remembers the one password used in the password manager (and for the love of God no where else) and then the password manager remembers the rest.
Password managers allow true machine-to-machine passwords. The password manager generates an unguessable string of gibberish such as gPT$J8WPp#9JBrNY7a}g and remembers it for you. You are no longer the weak link.
Create Wordless Passwords
If you don’t want to use a password manager but would rather memorize “your password” then at least make the password unguessable by using phrases to generate passwords instead of words.
For example, take the first line of a favorite book “In a hole in the ground there lived a hobbit” and turn it into a password using the first character of each word, perhaps replacing the “I”s with “1”s and including the period: 1ah1tgtlah.. It’s unlikely that this password will exist in any hacker’s password dictionary.
It’s not clear how the password, a string of characters memorizable by a human, became the central computer security mechanism of the 21st century, but it is clear that the human-memorized password is obsolete.
We need to move on to the next stage in security where unique random passwords managed by password managers and two-factor authentication keep our data safe even after a password database is stolen.
Oleg Pliss will not be happy to see the password era end, but the rest of us will never look back.