Over the past few months I have read a few articles about password security. This seems to have become a popular topic among many in the programming community. The problem is that most of these articles were written for programmers who already understand what a hash and a salt are (no, I am not talking about putting salt on your hash browns). I'm going to attempt to make this a bit easier for everyday users to understand.
First, the security of your password is only as good as the security of the website that is storing it. If the website stores your password as "plain text", meaning "kitty12" is stored as "kitty12", then your password is NOT secure. You might ask, "How else are they supposed to store it?" The answer is that it should be secured using a hash and salt. Salt is some other text (ideally a combination of letters, numbers, and symbols) that is added to your password (it can be added to the beginning or end). The salt is kept hidden so that it exists only in the website's code. With the salt, your "kitty12" becomes "kitty12nZ$39!k9". This extra text makes it harder for a hacker to figure out what your actual password is.
Next comes the hash. A hash is kind of like a fingerprint: like a fingerprint, a hash is unique. There are a variety of methods to generate a hash, some more secure than others. After applying the hash to "kitty12nZ$39!k9" it becomes "e6dbe0e25854ea0829f8f736fa9952ff". The hashed text is what should be stored by the website. Why does it matter how my password is stored? If a hacker gets hold of a database and your password is stored as "kitty12", they now have the same password you probably used on a dozen other websites. If your password is stored as "e6dbe0e25854ea0829f8f736fa9952ff", it becomes extremely difficult for a hacker to undo the hash and figure out your actual password.
Many websites will require you to have a minimum password length or to use letters, numbers, and symbols. A 6-character password with only letters and numbers can be hacked in about 3 seconds; if you jump up to 8 characters it would take about 4 hours. Once you add symbols, your 8-character password could withstand a hacker for about 465 days. My point is that a longer password with a wider variety of character types will be more secure.
Your password should be a minimum of 12 characters and should include lower case, upper case, numbers, and symbols. But that becomes very hard to remember! The best way to have a secure password and be able to remember it is to stop using passWORDs and begin using passPHRASEs. Instead of "kitty12" use a short sentence or phrase such as "I have 12 kitties!" This is now an 18 character password (spaces count as a character), has upper and lower case letters, numbers, symbols, and is easy to remember!
Now that you know how to create a secure password, it is time to make sure the websites you use are storing it properly. It would be difficult to figure out whether they are doing it properly, so we will just check to make sure that they are not doing it wrong. Remember what I said about it not being safe to store passwords as "plain text"? The easiest way to find out if a website is storing your password as plain text is to click on the "I forgot my password" link. Usually they will ask you some pointless personal trivia questions and then send you an email. If the email has a link for you to create a new password, then the website might be storing your password properly. If the email gives you your password, then they are doing it wrong! If a website can send you your password, send them a nasty email and tell them they are jeopardizing your password security and they need to fix it!
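To make the salt-and-hash idea and the "forgot my password" test concrete, here is an added example (not code from the original post). It goes a little beyond the article: instead of one hidden salt for the whole site it uses a random salt per user, and instead of a fast hash it uses PBKDF2, a deliberately slow one. The "kitty12" password and the "database rows" are constructed for the example.

```python
import hashlib
import hmac
import os


def store_plaintext(password: str) -> dict:
    """The wrong way: the site keeps the password itself."""
    return {"password": password}


def store_salted_hash(password: str, iterations: int = 200_000, salt: bytes = None) -> dict:
    """The better way: a random salt per user, a slow hash (PBKDF2-HMAC-SHA256),
    and only the salt, the work factor and the hash are kept.
    The password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes, different for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check: hash the attempt with the stored salt and compare.
    compare_digest avoids leaking information through timing differences."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def can_email_password_back(record: dict) -> bool:
    """The article's test: a site can only mail you your password
    if it kept the password itself."""
    return "password" in record


if __name__ == "__main__":
    bad = store_plaintext("kitty12")          # constructed sample password
    good = store_salted_hash("kitty12")
    twin = store_salted_hash("kitty12")       # a second user with the same password
    print("plain text row:", bad)
    print("salted hash row:", good)
    # Different salts give different hashes, so a stolen table does not
    # reveal that two users share a password.
    print("same hash for same password?", good["hash"] == twin["hash"])
    print("correct password accepted?", verify(good, "kitty12"))
    print("wrong password rejected?", not verify(good, "kitty13"))
    print("site could mail the password back?", can_email_password_back(good))
```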
If you want to learn more about password security and hashes I would recommend checking out Jeff Atwood's blog Coding Horror. Specifically these articles: You're Probably Storing Passwords Incorrectly and Speed Hashing.
Friday, April 6, 2012