Passwords and Hashing
Enter a password with at least 8 characters, a digit, and an uppercase letter.
We've all seen something like that before. After all, the average person uses over 100 passwords to access accounts and websites. In this chapter, we'll look at how secure passwords really are - how they're created, stored, and hacked.
Passwords: the pretty and the ugly
Even before computers were around, a password meant a secret word that gave you access to something special. With the dawn of the World Wide Web in the early 2000s, we now usually refer to passwords as that phrase or jumble of characters we enter whenever we want to log into our email or bank account.
Which of the following could be a password?
Any sequence of characters can be considered a password! However, as you can see from the example above, some passwords are more secure than others. Let's see another example: which password do you think is more "secure"?
Even though the word "alligator" contains more characters than "bc911810", we most likely think of "alligator" as being less secure because it is a dictionary word rather than random data.
Just for fun, let's try some more examples. Select the more secure password:
A common mistake that people make is using special dates as passwords or PINs. The reason is that attackers can easily retrieve this information from the internet: if you've posted a photo of yourself on your birthday, anyone could deduce the exact date and year you were born. On the other hand, there are a large number of words in the English language - chaining 4 of them together drastically increases security.
Choosing a password
Now that you've seen a few examples, let's come up with criteria for a "strong" password.
First, the password should be randomly generated. This doesn't mean that the password has to be gibberish - you can also randomly choose a word from the English language, for example.
Most importantly, the password should be hard to brute-force. This technique involves trying all password combinations until you reach the right one.
For example, even though there are many, many words in the English language, even a normal laptop can churn through all of them in mere seconds. If an attacker had access to a more powerful machine, they could easily try all possibilities for your password.
Now, how strong is "strong"?
You can roughly estimate that computers will brute force 1 million items in a second.
How many words are in the English language?
So, many of the passwords we use in our daily lives are surprisingly weak! Even if you chose a random word from the entire English language to be your password, an attacker could easily try all possibilities.
Now, how many possible 2-word English passwords are there?
Since the two English words are selected randomly, there are 200,000 possibilities for the first word and 200,000 for the second word. In total, this arrives at 200,000 * 200,000 = 40 billion!
As you can see, adding another random word drastically increases the password strength.
Summary
In summary, passwords can easily be brute-forced and cracked in mere seconds.
In addition, most applications will hash the passwords they store - that is, they will apply an irreversible function to the password so that an attacker cannot recover the original password even if they retrieve the entire password database.
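The two ideas of this chapter, the size of a password's search space and storing only a one-way hash, worked through in Python. This is an added example, not part of the chapter; it uses the chapter's figures (about 200,000 English words, roughly 1,000,000 guesses per second) and PBKDF2-HMAC-SHA256 from the standard library as the hash.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Figures taken from the chapter: ~200,000 English words and a
# rough brute-force rate of 1,000,000 guesses per second.
DICTIONARY_SIZE = 200_000
GUESSES_PER_SECOND = 1_000_000
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def search_space(word_count: int, dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Number of passwords made of word_count words chosen at random (with replacement)."""
    return dictionary_size ** word_count


def seconds_to_brute_force(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a random salt plus a slow, salted hash instead of the password itself.

    The salt means two users with the same password get different hashes, and
    the iteration count makes each brute-force guess far more expensive than a
    plain SHA-256.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    for words in (1, 2, 4):
        n = search_space(words)
        print(f"{words} word(s): {n:,} candidates, "
              f"{seconds_to_brute_force(n):,.1f} s to try them all")
    salt, stored = hash_password("alligator")  # constructed sample password
    print("stored hash:", stored.hex())
    print("correct password verifies:", verify_password("alligator", salt, stored))
    print("wrong password verifies:", verify_password("bc911810", salt, stored))
```

One random word falls in 0.2 seconds at this rate, two words take 40,000 seconds (about 11 hours), and the database holds only salt and digest, never the password.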