Passwords – love them or hate them, they’re now a part of everyday life. The first computer password was introduced in 1961 at the Massachusetts Institute of Technology (MIT) so that multiple people could share one computer’s resources. In 1962, Allan Scherr, then a Ph.D. student, found a way to print out the (supposedly secure) password file, in what became the first of many password hacks. Using the list of passwords he could log in under other people’s accounts and so use the computer for more than the four hours a week he had been allocated!

Today, passwords are used to grant you access to everything from email to online bank accounts.   Without passwords we’d have no access to a vast array of online services that we all take for granted every day.

It’s because of our reliance on such services that you must keep your password secure, but what does this actually mean? You must have come across situations where you have to create a new password and there are several requirements, such as upper case, lower case, minimum length and so on. But why do companies enforce this?

Let’s first take a step back and look at the history of passwords, long before they were used with computers.

The ancient Greeks were among the earliest known users of codes and ciphers to protect secrets. During World War II, cipher machines such as the German Enigma were in routine use to encrypt important messages so that the enemy could not learn about troop movements and strategies. When the Allies eventually broke the German ciphers, it has been estimated that this shortened the war by around two years!

Encryption is a way of encoding information such that, without the decryption “key”, you’re unable to read the message.

Passwords themselves are protected today not with encryption but with a close relative called hashing. A hash function turns the password into a fixed-length “fingerprint”, and unlike encryption there is no key that turns the fingerprint back into the password. This article uses an algorithm called “MD5” as the worked example, because for years many websites stored passwords that way and stolen password lists from real breaches are often full of MD5 hashes. Bear in mind that MD5 is far too fast to be a good choice today; a well-run site now uses a deliberately slow, “salted” hash such as bcrypt, scrypt or Argon2 (more on why below). Now, you don’t need to know the mathematics behind how this works, but understanding how the process works will help explain why strong passwords are important.

Say you sign up for a new email service and you’re asked to choose a new password. When you enter the password, the website runs it through MD5 and converts it into something that looks like garbage (the “hash”). Take the following example:

Password : “password”

MD5 Hash : 5f4dcc3b5aa765d61d8327deb882cf99

So when the email service stores your password, it’s actually storing the MD5 hash, not the password itself. With me so far?
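To make the storage step concrete, here is a small Python example added for this article (it is not code from the original post or from any real email service). It shows the bare MD5 scheme described above beside the way a modern site does it: a random per-user “salt” plus a deliberately slow key-derivation function, with the comparison done in constant time. The usernames, passwords and round count are illustrative choices.

```python
import hashlib
import hmac
import os

# Example code added for this article (it is not from the original post).
# Usernames, passwords and the round count below are illustrative choices.


def md5_hex(password: str) -> str:
    """The scheme described above: a bare, unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# The stronger alternative used by modern sites: a random per-user "salt" plus
# a deliberately slow key-derivation function. PBKDF2-HMAC-SHA256 is built
# into Python's standard library; bcrypt, scrypt and Argon2 are other common
# choices. The round count is an assumed setting: pick it so that one check
# takes a noticeable fraction of a second on your server.
PBKDF2_ROUNDS = 600_000


def make_record(password: str) -> dict:
    """What the site stores instead of the password: salt, rounds, derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "key": key.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the key from the login attempt using the stored salt and
    round count, and compare in constant time so timing leaks nothing."""
    key = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(key.hex(), record["key"])


if __name__ == "__main__":
    # Unsalted MD5: the same password always gives the same hash, for everyone.
    print("alice:", md5_hex("password"))
    print("bob:  ", md5_hex("password"))

    # Salted, slow hash: the same password gives two unrelated records, and a
    # thief cannot tell from the stolen list that alice and bob share one.
    alice = make_record("password")
    bob = make_record("password")
    print("alice:", alice)
    print("bob:  ", bob)
    print(verify(alice, "password"), verify(alice, "Password"))
```

Two things to notice when you run it: with plain MD5, everyone who picked “password” ends up with the identical hash 5f4dcc3b5aa765d61d8327deb882cf99, whereas the salted records for alice and bob look nothing alike even though the password is the same; and each salted check takes a visible fraction of a second, which is the whole point, since the thief has to pay that cost for every single guess.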

Now if the email service is hacked and someone steals the password list, all they’ll have is a bunch of gibberish – or so it seems.

This is where the strength of the password becomes important. There’s no way for the thief to run MD5 backwards and turn the hash into the password. What they can do is “guess” what the password is. Let’s say they guess that you’re using the word “password”. They run the same algorithm on their guess, get 5f4dcc3b5aa765d61d8327deb882cf99, and compare it with the hash they’ve stolen. If it matches, they know they’re right and they have your password! Worse, because plain MD5 adds no per-user “salt”, every user who chose “password” has exactly the same hash, so one guess checks the whole stolen list at once.

But it must take them a lot of guesses to get the correct password, right? Well yes, but a computer does the guessing. A single modern graphics card can compute billions of MD5 hashes per second, so trying every word in a dictionary takes well under a second. Working through a list of common words and previously leaked passwords is called a “dictionary attack”; trying every possible combination of characters is a “brute force attack”. Either way they start with the most likely candidates first (hint: the word “password” is at the top of every list!!).

So what can you do to make your password secure? Well for a start – don’t use a word which is in a dictionary, as that’ll be guessed in a fraction of a second! Here are some tips:

  • Make a password more secure by using a phrase of several words, rather than a single word – length is what makes guessing expensive.
  • Use upper case and lower case.
  • Use numbers and symbols – but don’t rely on swapping letters for lookalikes (4 for a, 0 for o), because the cracking tools try exactly those substitutions on every dictionary word.

As an example, instead of using the word “password”, something like “MyP4ssw0rd!” is harder to guess than the bare word, but not by as much as it looks: the combination of a capital, a couple of substitutions and a symbol on the end is precisely the set of variations crackers apply to every word in their list. A phrase of four or five unrelated words (a made-up example: “tractor whistle orange cloud” – don’t use that one now it’s in print) is both easier to remember and vastly harder to guess.
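Here is what the guessing described above looks like in practice, as a Python example added for this article (it is not the author’s code and not any real cracking tool): a dictionary attack with a few simple “mangling” rules, run against a constructed list of unsalted MD5 hashes of the kind a thief would steal from the email service. Every username, password and wordlist entry is made up for the demonstration; the rules are deliberately minimal compared with real tools, which apply thousands of them.

```python
import hashlib
import time

# Example code added for this article (not the author's own): a dictionary
# attack with simple "mangling" rules, run against a constructed list of
# unsalted MD5 hashes like the one a thief would steal from the email
# service described above. Every name, password and wordlist entry is
# made up for the demonstration.


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# The "stolen" list: username -> unsalted MD5 hash. The plaintexts appear
# only to build the sample; the thief sees just the hashes.
STOLEN = {
    "alice": md5_hex("password"),
    "bob": md5_hex("Password1"),
    "carol": md5_hex("P4ssw0rd!"),
    "dave": md5_hex("password"),  # same choice as alice, therefore same hash
    "erin": md5_hex("tractor whistle orange cloud"),  # a four-word passphrase
}

# A tiny stand-in for a real wordlist (leaked-password lists run to millions).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

# Letter-for-lookalike swaps that every cracking tool tries as a matter of course.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def candidates(word: str):
    """Yield the word plus the variations crackers try first: a capital
    letter, 'leet' substitutions, and a common digit or symbol on the end."""
    bases = [word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        if base in seen:
            continue
        seen.add(base)
        yield base
        for suffix in ("1", "!", "123", "1!"):
            yield base + suffix


def crack(stolen: dict, wordlist) -> tuple[dict, int]:
    """Return ({username: recovered password}, number of guesses hashed).
    Because the hashes are unsalted, each guess is hashed once and looked up
    against every user at the same time."""
    users_by_hash: dict[str, list[str]] = {}
    for user, digest in stolen.items():
        users_by_hash.setdefault(digest, []).append(user)

    found = {}
    guesses = 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            for user in users_by_hash.get(md5_hex(guess), []):
                found[user] = guess
    return found, guesses


def md5_rate(seconds: float = 0.5) -> int:
    """Rough MD5 guesses per second in plain Python (a GPU does billions)."""
    n, stop = 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        md5_hex("guess%d" % n)
        n += 1
    return int(n / seconds)


if __name__ == "__main__":
    found, guesses = crack(STOLEN, WORDLIST)
    for user in STOLEN:
        print(f"{user:6s} {found.get(user, '<not cracked with this wordlist>')}")
    print(f"{guesses} guesses; roughly {md5_rate():,} MD5/s in pure Python")
```

Run it and alice, dave, bob and carol all fall to a six-word list in a few dozen guesses: “Password1” and “P4ssw0rd!” are just “password” with the standard rules applied, and alice and dave are recovered by the same single guess because their unsalted hashes are identical. Only erin’s four-word phrase survives, and not because the words are exotic but because the phrase as a whole is not something a rule set derives from one dictionary entry. The rate printed at the end is plain Python on one core; dedicated tools on a graphics card are several orders of magnitude faster.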

It’s also a good idea to use a different password for every site. That way, if one site gets hacked and your password is guessed, it can’t then be used to gain access to your other accounts (trying leaked passwords against other sites is the first thing attackers do). There are tools out there that help store and manage your passwords. I use 1Password (www.1password.com) which I find is a great tool. I just need to remember one password and it handles the rest for me (and believe me – I have a lot of passwords!!).

There’s also a website you can use to find out whether any of the sites that stored your password have been hacked:

https://haveibeenpwned.com

Enter your email address (or username) and it will list the known breaches that included your account. If the site was storing your password as plain text (not hashed) then you should change it immediately. Even if it was hashed, change it anyway, and change it on any other site where you reused it: as you’ve seen above, a stolen hash is only as safe as the password behind it.

Some sites now ask for a second proof of identity on top of the password – a technique known as “Two-Factor Authentication” (2FA). This means that as well as something you know (the password), you must present something you have. For example, if you have a cell phone, they’ll send a code to it, or an authenticator app on the phone generates one, and you enter that code alongside your password. That way a thief would have to steal both your password and your phone to get access to your account. (A code sent by text message is much better than nothing, but an authenticator app or a hardware security key is stronger still, because text messages can be intercepted or redirected to a phone the attacker controls.) This is becoming more commonplace and now you’ll understand why!

Until next time – stay safe and check your passwords!