
Protecting online accounts starts with passwords

9/17/14

In light of a recent announcement by Hold Security, people are taking another look at their personal accounts. The Milwaukee security firm uncovered a Russian crime ring that was amassing internet credentials for more than 500 million email addresses — 1.2 billion username and password combinations.

How do hackers get a hold of passwords in the first place?

Hacking 101

Believe it or not, there aren’t that many ways to steal a password. You can…

  • Watch someone type in their password.
  • Interrogate them. (This includes looking at the Post-it under their keyboard.)
  • “Brute force” it, which entails trying a bunch of options and hoping one works — for instance, starting with the names of their kids or pets and then adding the number 1 after them.
  • “Sniff” packets as they fly by on the network.
  • Find a security flaw and gain access to the user database.

Obviously, nobody is going to gain access to 1.2 billion usernames and passwords by watching people type in their passwords. (Just imagine the headache that you would have after doing that for eight hours a day!)

With modern-day firewalls protecting our computer systems today, brute forcing your way into systems on a large scale isn’t very likely either. You might get lucky sniffing packets here and there, but switches and routers limit your access to the data.

So how does one get access to 1.2 billion username and password combinations? By gaining access to the databases that contain large numbers of user accounts.

But even when a hacker gets access to the user credentials (usernames and passwords), he has at least one more obstacle to overcome. The passwords are almost certainly encrypted.

The way encryption typically works is that every time you encrypt the word “Jim,” it comes out the same way. For example: *BE1EB84B7ECB82BB4BF1B8ECFFFF7255341F529D. From the hacker’s point of view, he can build a database of every three-character password and its encrypted form, and then compare the two.

If a human were to do this, it would be difficult yet manageable. Program a computer to do it, and it won’t take more than a second or two, which is why everyone needs to take steps to protect themselves.

Tips for better credential security

  • Do business only with reputable companies and organizations.
  • Don’t use the same credentials on multiple systems.
  • Change credentials regularly — every 30 days preferably.
  • Never reuse passwords.
  • Use more characters in your passwords.

Why bigger is better

Let’s start with the most basic form of a password — or should I say “pass-letter”?

When we start with a single-digit pass-letter, how many variations are there? Maybe you thought 26, one for each letter of the alphabet. Well, if you differentiate between upper- and lowercase, you are up to 52 variations. Add another 20 characters or so for numbers and special characters, and you’re up to 72 options. Someone can guess your pass-letter in less than 73 guesses.

So let’s increase that password to two characters now. How many options are there? Is it 144 (72 * 2)? No, it’s actually 5,476 (72 * 72) options.

If that doesn’t sound right to you, let’s dig a little deeper. There are 72 options that start with “a” (aa, ab, ac …), 72 that start with “b” and so on. By the time you get up to six- to eight-character passwords, you are up to 139,314,069,504 to 722,204,136,308,736 variations. That’s 139.3 billion to 722.2 trillion password variations.

Now by adding just two more characters (10 in total), you’ve increased the password options to 3.7 quintillion (18 digits) variations. Better yet, use 15 characters for 7.2 octillion (28 digits) variations.

Now the hacker’s computer is getting the headache.
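The lookup-table attack described under “Hacking 101” and the keyspace arithmetic in this section, worked through as an added example (not the post’s own code): a constructed 72-character set, the deterministic hash that makes a precomputed table possible, a table covering every password up to three characters recovering “Jim” with a single lookup, and the salted, slow hash a defender stores instead so that no such table works. SHA-1 as the stand-in for the post’s “encryption,” PBKDF2-HMAC-SHA256, the symbol set and the iteration count are assumptions; the hash value quoted on the page is not reproduced.

```python
import hashlib
import os
import string
from itertools import product
from typing import Optional

# Constructed 72-character set matching the post's count: 52 letters, 10 digits, 10 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"

def keyspace(length: int, charset_size: int = len(ALPHABET)) -> int:
    """Distinct passwords of exactly `length` characters: charset_size ** length."""
    return charset_size ** length

def unsalted_hash(password: str) -> str:
    """Deterministic one-way hash (SHA-1 stand-in for the post's 'encryption'):
    the same password always gives the same digest, so a table of digests
    computed once can be reused against every stolen database."""
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup_table(max_len: int) -> dict:
    """Precompute digest -> password for every password of 1..max_len characters.
    Only feasible for tiny lengths: through 3 characters it is 378,504 entries."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in product(ALPHABET, repeat=n):
            pw = "".join(chars)
            table[unsalted_hash(pw)] = pw
    return table

def lookup(table: dict, digest: str) -> Optional[str]:
    """One dictionary probe recovers the password if its length was precomputed."""
    return table.get(digest)

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> tuple:
    """Defender's version: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
    Two users with the same password get different digests, and each guess costs
    `iterations` hash operations, so a precomputed table is useless and brute
    force is slowed by that factor. The iteration count is a constructed choice."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()

if __name__ == "__main__":
    for n in (1, 2, 6, 8, 10, 15):
        print(f"{n:2d} chars: {keyspace(n):,}")
    table = build_lookup_table(3)
    print("Jim recovered as:", lookup(table, unsalted_hash("Jim")))
    salt, digest = salted_hash("Jim")
    print("salted:", salt.hex(), digest[:16] + "...")
```

The two-character count evaluates to 5,184 (72 squared); the six-, eight-, ten- and fifteen-character counts match the figures quoted above.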
