Between LinkedIn, Zappos, Dreamhost, and other prominent sites recently hacked, you’ve likely been thinking about your online security lately. But what does it actually mean when one of these sites gets hacked, and how can you protect yourself? Here’s how your passwords are stored on the internet, and what it means for you when a web site you use is breached.
There are a number of ways a site can store your password, and some are considerably more secure than others. Here’s a quick rundown of the most popular methods, and what they mean for the security of your data.
Method One: Plain Text Passwords
How It Works: The simplest way a site can store your password is in plain text. That means somewhere on their server, there exists a database with your username and password in it in a human-readable form (that is, if your password is testing123, it is stored in the database as testing123). When you enter your credentials on the site, it checks them against the database to see if they match. This is the worst possible method, in security terms, and most reputable web sites do not store passwords in plain text. If someone hacks this database, everyone’s password is immediately compromised.
Does My Strong Password Matter? No way. No matter how long or strong your password may be, if it’s stored in plain text and the site gets hacked, your password is easily accessible to anyone, no work required. It still matters in terms of hiding your passwords from, say, your friends, or others that could easily guess it, but it won’t make any difference if the site gets hacked.
Method Two: Basic Password Encryption
How It Works: To add more protection to your password than plain text provides, most sites encrypt your password before they store it on their servers. Encryption, for those of you that don’t know, uses a special key to turn your password into a random string of text. If a hacker were to get hold of this random string of text, they wouldn’t be able to log into your account unless they also had the key, which they could then use to decrypt it.
The problem is, the key is often stored on the very same server that the passwords are, so if the servers get hacked, a hacker doesn’t have to do much work to decrypt all the passwords, which means this method is still wildly insecure.
Does My Strong Password Matter? No. Since it’s easy to decrypt the password database with a key, your strong password won’t make a difference here either. Again: this is in terms of the site getting hacked; if you have a nosy friend or family member rooting through your stuff, a strong password can help keep them from guessing it.
Method Three: Hashed Passwords
How It Works: Hashing is similar to encryption in the sense that it turns your password into a long string of letters and numbers to keep it hidden. However, unlike encryption, hashing is a one-way street: if you have the hash, you can’t run the algorithm backwards to get the original password. This means a hacker would have to obtain the hashes and then try a number of different password combinations to see which ones worked.
However, there is a downside to this method. While a hacker can’t decode a hash back to the original password, they can try many different passwords until one matches the hash they have. Computers can do this very fast, and with the help of something called rainbow tables—which is essentially a list of trillions of different hashes and their matching passwords—they can just look up the hash to see if it’s already been discovered. Try typing e38ad214943daad1d64c102faec29de4afe9da3d into Google. You’ll quickly find that it’s the SHA-1 hash for “password1”. For more information on how rainbow tables work, check out this article by coding guru Jeff Atwood on the subject.
Does My Strong Password Matter? In this case, yes. Rainbow tables are made up of passwords that have already been tested against hashes, which means the really weak ones will be cracked very quickly. What leaves a password most exposed here, however, isn’t a lack of complexity but a lack of length. You’re better off using a very long password (like XKCD’s famous “correct horse battery staple”) rather than a short, complex one (like kj$fsDl#).
Method Four: Hashed Passwords with a Dash of Salt
How It Works: Salting a hash means adding a random string of characters—called a “salt”—to the beginning or end of your password before hashing it. A different salt is used for each password, and even if the salts are stored on the same servers, it will make it very hard to find those salted hashes in the rainbow tables, since each one is long, complex, and unique. LinkedIn is famous for not using salted hashes, which brought them under a lot of scrutiny after their recent hack—had they used salts, their users would have been safer.
Does My Strong Password Matter? Certainly! Unfortunately, however, we’ve reached a point where computers are so fast that many are able to brute force even salted hashes. It can take a very long time—certainly longer than using rainbow tables—but it’s still doable. This means the strength of your password still matters, since the longer and more complex it is, the longer it will take to crack in a brute force attack.
Method Five: Slow Hashes
How It Works: Right now, most security experts are pointing to slower hashes as the best option for storing passwords. Hash functions like MD5, SHA-1, and SHA-256 are relatively fast: if you type in a password, it will return the results fairly quickly. In a brute force attack, time is the most important factor. By using a slower hash—like the bcrypt algorithm—brute force attacks take much, much longer, since each password takes more time to compute.
Does My Strong Password Matter? Again, since strong passwords are harder to brute force, a strong password can definitely help you out here. If your password is strong, it could take a very, very long time to discover with a slow hash.
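The following Python script is an added illustration of Methods Three through Five, not code from the original article: it stores one sample password as an unsalted SHA-1 hash, a salted hash, and a slow hash, then tries a tiny precomputed lookup table (a stand-in for a rainbow table) against each. PBKDF2 from the standard library is used in place of bcrypt, and the guess list and password are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: the weak password the article looks up, plus a few
# common guesses standing in for a rainbow table's word list.
COMMON_GUESSES = ["123456", "password", "password1", "qwerty"]
SLOW_ITERATIONS = 100_000  # work factor; bcrypt's cost parameter plays the same role


def fast_hash(password: str) -> str:
    """Method Three: unsalted SHA-1. Same password -> same hash, so a
    precomputed table can look it up directly."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Method Four: per-user random salt prepended before hashing, so the
    same password hashes differently for every user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> str:
    """Method Five: PBKDF2 (stdlib) stands in for bcrypt; each guess now
    costs 'iterations' hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(guesses) -> dict:
    """Tiny stand-in for a rainbow table: precomputed hash -> password."""
    return {fast_hash(p): p for p in guesses}


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check for Method Five: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def compare_methods(password: str = "password1") -> dict:
    """Store one password three ways and try the lookup table against each."""
    table = build_lookup_table(COMMON_GUESSES)
    salt = os.urandom(16)  # random per user, stored beside the hash
    stored_slow = slow_hash(password, salt)
    return {
        "unsalted_lookup": table.get(fast_hash(password)),        # recovered instantly
        "salted_lookup": table.get(salted_hash(password, salt)),  # None: not in the table
        "slow_lookup": table.get(stored_slow),                    # None, and each guess is slow
        "login_ok": verify(password, salt, stored_slow),
        "wrong_password_ok": verify("password2", salt, stored_slow),
    }
```

Running `compare_methods()` shows the unsalted hash being recovered from the table while the salted and slow variants are not, and `verify` still accepts the correct password because the salt is stored alongside the hash.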
How Can You Avoid Having Your Password Leaked?
So what does all this mean for you? Here is what you should take away from this information:
- Don’t use services with bad security: While you can’t control how a company stores your password, you can control what services you sign up for. You should never sign up for a service that uses plain text or encryption to store your passwords, because they’re much more vulnerable to being compromised. A good way to find out what they use, according to web service CloudFlare, is to click the “lost password” link. If it sends you your password in an email, that means they can access the password itself and it isn’t hashed—and it’s likely stored using one of the less secure methods. Of course, you can always email them and ask, or check their FAQ to see if they’ve volunteered that information.
- Use a strong password: As we’ve shown you above, the stronger your password is, the less likely it is that someone will be able to crack it and use it quickly. Length is more important than complexity. Remember: any password is crackable, you just want it to take as long as possible. Which brings me to our next point:
- Always change your password after a breach: Even if your password is strong, that doesn’t mean it’s invulnerable to cracking—it just means that it’s likely to take very, very long. Those with weak passwords may have already had their account compromised by the time they realize the leak has happened, but if your password takes days to crack, you have time to change it and make your old password useless by the time they figure it out.
- Use a different password for every site: If you use a different password for every account you have, then those accounts will stay safe even if one of your online accounts gets compromised. If you were to use the same password for every site, one site’s breach can mean a whole world of trouble for you.
- Use OAuth if you’re unsure about a site’s security: We’ve talked about OAuth before, the protocol that lets you log in using your Google, Facebook, or Twitter account. If you don’t know how secure a site is, and it offers you the option of using OAuth, go for it—Google, Facebook, and Twitter are likely to have better security, and if the site is breached, you can just revoke its access to your Google, Facebook or Twitter account.