When you enter a gym's locker room, there are hundreds of lockers. Each has its own combination lock. Without giving it too much thought, you open your locker using the combination only you know, which is the same combination you provided when you signed up at the gym.
Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, they identify themselves with their username and prove that identity with the password.
The service checks the password. If it matches, the user is allowed to access the service.
We can think of the service as the locker, the username as the locker's number and the password as the lock's combination.
Problems occur, of course, if someone else has your combination. It could be that you use a very popular combination, or someone saw you using the same combination on your bag.
Alternatively, it could be that someone broke into the gym and saw the list of locks and combinations. Let's take a look at these aspects in the virtual world.
How hackers break your passwords
On the internet, some passwords are more common than others. Hackers use lists of the most common passwords to increase their chance of guessing a user's password quickly. The hacker tools used to guess these passwords are called crackers. Two types of crackers exist - online and offline:
- Online crackers use trial and error to break into a service, testing different passwords until the right one is found. The speed at which they can test passwords is limited by the speed at which the service accepts and handles requests. In many cases, online crackers can only try a few passwords because most services lock accounts after a certain number of incorrect passwords have been entered.
- Offline crackers are used when passwords are stolen from an online service, but are stored in a digested format. This means the service stores a mathematical transformation of the password rather than the password itself – it's an extra security precaution. An offline cracker repeatedly chooses different passwords, transforms them to their digested format and compares them to the list. Offline crackers can run incredibly fast, depending on the power of the computer running the cracker.
To reduce the effectiveness of offline crackers, many services add a step to the process called salting. Using a salt, a different digest is created each time, even if the password is the same. So although salted passwords are not completely hack-proof, they're much harder to guess.
How to secure passwords in your business
So, that's how passwords get cracked. Now, how do you stop that happening to your business?
On an individual level, always use strong passwords – and don't use the same password on different websites. Think about what information the password is protecting. You want a really strong one for your online banking, PayPal and other online services you consider sensitive.
Use a really strong password for your email too, as getting access here can allow a hacker to wreak havoc by resetting your passwords on lots of other sites.
In your business, it's important to realise that you can't trust your users to choose strong passwords themselves. If you give them the choice, they'll simply choose weak passwords. In fact, two years ago a database containing 32 million passwords was leaked to the web. Analysis of these passwords showed that 20% of users chose the same passwords from a pool of 5,000 words.
It's up to you – or your IT administrator - to keep the passwords secure. Here's how
- Enforce strong password policies. Force passwords to have a minimum length, ban common passwords and require a mix of characters (digits, letters, uppercase, lowercase, etc).
- Make sure passwords are not transmitted in the clear. Passwords are vulnerable to interception if they're transmitted across networks or the internet. Always use encryption, or use a technique that ensures the password itself never travels through the network.
- Don't store passwords in plain text. Doing so means that if a hacker breaks into your systems, they can just grab and make off with your passwords. Salt and digest a password before storing to the database.
- Detect and block brute force attacks. Put obstacles in the way to stop online crackers trying lots of different passwords for user accounts. Use CAPTCHAs and restrict the number of times people can retry their passwords.
- Force people to change passwords regularly. Many businesses require users to change passwords every couple of months, or when they suspect an account has been compromised.
- Allow and encourage passphrases instead of passwords. That means using sentences instead of passwords. Although that may be longer, they're easier to remember. And because they're longer, they're more difficult to break.
Implementing many of these precautions will require help from your IT staff or IT supplier. But if you're going to maintain the security of your systems and website, it's vital you think carefully about enforcing a strong password policy.
Noa Bar-Yosef is Senior Security Strategist at Imperva.