Beginner's guide to password security

in #security · 7 years ago (edited)

Hey guys,

I assume you are using a "strong" password to secure your crypto wallets and Steemit account. But what does "strong" actually mean?

Let me give you some details on that topic, but keep in mind that the following explanations are kept very simple and are not 100% accurate; the general principles should still be understandable by beginners. If some security experts feel that this is all bullshit, feel free to leave a comment.

The security of a good encryption scheme should depend only on the password, not on keeping the underlying algorithm secret. When we talk about the security of encryption, we usually mean the time it would take to break that encryption without knowing the password.

So let's assume for now that an attacker would need to try all possible passwords to finally find the correct one. How long would that take?

In order to answer that question, we need to understand how many passwords are actually possible. That of course depends on the maximum length of a password, and that length depends on the encryption algorithm being used.

Passwords are usually made of characters which you can type on your keyboard. Advanced users might store passwords on a USB stick, and those passwords might even contain characters which you usually don't find on your keyboard. But let's still assume that most of you use passwords made of letters, numbers and maybe some special characters like "!, %, $" etc.

An attacker doesn't know your password, but he knows that a lot of users are lazy and use passwords which only contain letters. So he will first try all possible passwords that are made only of letters.

The attacker also knows the encryption algorithm being used and thus knows the maximum password length. Let's assume it's 16. But he will most likely assume that you are not using such a long password, but maybe a maximum of 10 letters.

So he will try "a", "aa", "aaa" ... "aaaaaaaaaa" and then continue with "ab", "abb" ... "abbbbbbbbb".

And he will continue like that through all lowercase letters from a to z.

That sounds like a long task, but a computer can actually do it really fast.

Let's assume your password is "zzzzzzzzzz", so it's the last password the attacker will try. How many different passwords did he try?

It's around 140737488355328 passwords (that is 2^47). That sounds like a lot, but today's computers are very fast, and breaking the above password should not take more than 1 hour. And keep in mind that this is the worst-case scenario, where the attacker needs to test ALL possible combinations; on average he only needs to try half of them.

Actually, your password can be encoded using only 47 bits. If you read about an encryption algorithm which supports 128-bit encryption, you are actually only using 47 of those bits with the above password!

By adding uppercase letters, numbers and some special characters, you greatly increase the number of possible combinations, and that dramatically increases the time needed to try all of them.

But we are not yet ready for a strong password. Attackers will actually not try all possible passwords like in the above example. They know that a lot of people use meaningful passwords, and if they know where you live, they can limit the candidate passwords to words of your language. That's called a dictionary attack.

The number of meaningful words with a maximum length of 10 characters in your language is MUCH smaller than 140737488355328, and an attacker will be able to break such a password in a fraction of 1 hour.

That's why you should:

  • Use a password with a minimum length of 12 characters
  • Use uppercase letters, lowercase letters, numbers and special characters
  • Use a random, non-meaningful password; a good example would be "jU3yQp!amVc%"
  • Don't use the same password for multiple different logins. If one website gets hacked, then, depending on how they store the passwords, an attacker might be able to extract your password and will try to log in with it on other websites.
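The search-space arithmetic above, as an added example (not code from the original post): it computes the bits an attacker has to search from the length and character classes of a password, estimates worst-case and average cracking time at an assumed guess rate, and applies the three rules to the post's sample passwords, including the substituted word "bl0ckcha!n" the post uses further down. The special-character set, the 4e10 guesses/s rate and the tiny wordlist are my assumptions.

```python
import math
import string

# Character classes from the post. The exact special-character set is an
# assumption (printable ASCII punctuation); the post only lists "!, %, $" etc.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed toy wordlist and the letter-substitution rule the post suggests
# ("blockchain" -> "bl0ckcha!n"); a real attacker would use a far larger list.
TOY_WORDLIST = {"blockchain", "password", "steemit", "bitcoin", "wallet"}
SUBSTITUTIONS = {"o": "0", "i": "!", "a": "4", "e": "3", "s": "$"}


def classes_used(pw):
    """Names of the character classes that appear in pw, in CLASSES order."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def keyspace_bits(pw):
    """Bits to search when only length and classes are known: 10 * log2(26) for "zzzzzzzzzz"."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def crack_hours(bits, guesses_per_second):
    """Worst-case and average hours to exhaust 2**bits guesses at an assumed rate."""
    worst = 2 ** bits / guesses_per_second / 3600
    return worst, worst / 2


def looks_like_dictionary_word(pw):
    """Undo the substitution rule so a mangled word like "bl0ckcha!n" is still caught."""
    reverse = {v: k for k, v in SUBSTITUTIONS.items()}
    plain = "".join(reverse.get(c, c) for c in pw.lower())
    return any(word in plain for word in TOY_WORDLIST)


def meets_rules(pw):
    """The post's three rules: length >= 12, all four classes, not meaningful."""
    return (len(pw) >= 12 and len(classes_used(pw)) == 4
            and not looks_like_dictionary_word(pw))


if __name__ == "__main__":
    for pw in ("zzzzzzzzzz", "bl0ckcha!n", "jU3yQp!amVc%"):
        bits = keyspace_bits(pw)
        worst, avg = crack_hours(bits, 4e10)  # 4e10 guesses/s is an assumption
        print(f"{pw:14} {bits:5.1f} bits  worst {worst:12.2f} h  avg {avg:12.2f} h"
              f"  rules ok: {meets_rules(pw)}")
```

Note that "bl0ckcha!n" scores about 61 bits by the class-based estimate yet is rejected, because an attacker who applies the same substitution rule to a wordlist finds it far faster than that number suggests.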

You might now say: how am I supposed to remember such a password, especially if I should create such a random password for every single website I have a login for?

Now there is a lot of discussion about password managers. They make life much easier, but they also have the disadvantage that if somebody hacks your computer or you get infected with a virus or Trojan horse, the hacker will have access to all your passwords.

Some people recommend another approach:

You categorise the services you use into 3 categories, depending on the impact it would have on you if they got hacked:

Level 1: Websites and services which are not that important for your security, where you don't have sensitive or private data stored and where the impact of a hack would be low.

Level 2: Websites and services which are medium sensitive, where you have some private information stored.

Level 3: Websites and services which are highly sensitive, like banking, crypto wallets etc.

Now you generate 3 different random passwords, one for each level, and you need to remember those passwords. If that is too hard for you, you might take a meaningful password and replace some letters in a way you can remember; "blockchain" would become "bl0ckcha!n", for example. (This is just an example; you should of course use a word which is not that easy to guess.)

The next step is to modify these passwords for every website you use, so that you really end up with a unique password which you can still remember.

Let's say you use the above sample password "bl0ckcha!n" as a Level 3 base password and you want to use it to secure your Steemit account. You could now add a prefix or suffix to that password, like "st33m!tbl0ckcha!n" (steemitblockchain). The prefix or suffix can be the name of the website or service you use.

For Amazon, which you also consider Level 3, you would end up with "4m4z0nbl0ckcha!n" (amazonblockchain).

With that rule, it should be possible for you to generate unique and secure passwords which you can still remember and don't need to store in a password manager.

You can make up your own "rules": you could split the website name into a prefix and a suffix, like "amablockchainzon" => "4m4bl0ckcha!nz0n", or you can have a rule where you always replace a specific letter with something else, a with @, d with $ etc.

In the beginning I would recommend using a password manager until you have got used to your rules and feel that you don't need the password manager anymore.

Stay safe, stay private, stay secure!

And don't use the same password everywhere! :)

Passwort123!
