We’ve all had good password practices drilled into our heads since we first started using the internet. Most online services today require at least a moderately strong password, one with a mix of upper- and lowercase letters, numbers and symbols. After coming up with a strong password, it is tempting to use that one password everywhere. In doing so, though, you make every account it protects less secure.
Why Should You Never Reuse a Password?
Reusing a password makes every account that you use that password on much less secure. If just one of the services or businesses that is storing your login credentials suffers a data breach, there’s the potential for someone to access all the other accounts that you have registered with that email address and password combination. Now, you might be thinking to yourself, “but how will a criminal know where else I use that password?” This is a good question and an important one.
Put simply, cybercriminals use automation and bots to take compromised login credentials and automatically try them against a large number of prominent services (think Facebook, Instagram, Twitter, major banking websites, PayPal, etc.). This technique is known as credential stuffing: the attacker does not need to know where else you used the password, because the bots try every likely site and simply keep the logins that succeed.
It’s not just data breaches that can compromise your login credentials either, there are a number of techniques that cybercriminals can use in order to crack a password. The good news is that if you are using a secure and unique password, they are very difficult to crack. However, if you don’t use a strong password, an attacker could potentially crack it with ease.
Whereas a data breach should be disclosed to the public as soon as possible, there won’t be any kind of announcement if someone cracks your password. If you find out that a service you use has suffered a breach and potentially exposed your login credentials, you have the chance to change them before they make their way on to the dark web.
The Worst-Case Scenario
What exactly are the potential ramifications of being, as they say in the industry, totally pwned (pronounced poh-nd, rhymes with stoned)? In this context, being pwned means losing complete control of your own accounts/networks. When you or your system is pwned, you are totally at the mercy of whoever has taken control.
If you are reusing the same login credentials across the right set of websites – Amazon, Facebook, and your online banking, for example – a breach of just one of these websites can mean that they are all compromised. Just from looking at that list, you can see the potential devastation that an attacker could cause. With your Amazon account, they can go on a shopping spree at your expense. With your Facebook account, they can steal personal information and send malicious messages to your contacts. And with access to your online bank account, well, you can imagine the potential for serious harm that exists there.
How Are Passwords Cracked?
In most data breaches where login credentials are leaked, the passwords are not stored as plaintext but as hashes. If the passwords have been hashed properly, with a random salt per user and a deliberately slow hashing algorithm, they will be very difficult for a criminal to recover; simply having the password database for a service doesn’t necessarily mean that the criminals can do anything with it.
Unfortunately, lots of websites still aren’t following best practices when it comes to hashing their passwords and ensuring that they can’t be easily read by anyone who gets hold of the database. Believe it or not, we still occasionally see reports of data breaches where all the passwords were stored in plaintext. If the passwords are in plaintext, they can be read by anybody, and no amount of password strength helps. (Encrypting the passwords is not a substitute either: whoever holds the key, or steals it along with the database, can decrypt every one of them.)
When passwords are salted and hashed with a slow algorithm, the attacker cannot read them directly and is reduced to guessing: computing the hash of each candidate password and comparing it with the stolen value. A strong password stored this way takes far more guesses than an attacker can afford. Let’s look at some of the techniques that can be used to guess.
Dictionary Attacks
A dictionary, in this context, is a list of likely passwords. The name comes from the fact that such lists traditionally consisted of dictionary words, often followed by variations and combinations thereof (capitalised, with a year or a couple of digits appended, with letters swapped for similar-looking symbols). A dictionary attack hashes each entry in turn and compares the result with the stolen hash. Attackers may use a custom dictionary if they have an idea of what the password might be.
For example, if the attacker believes that the password is something related to motor racing, they could use a list of words relating to that subject. There are also ready-made lists containing the most commonly used passwords in general, along with every password recovered from previous breaches.
Brute Force Attacks
Imagine you are faced with a padlock that has three number dials on it. Without knowing anything about the correct combination to unlock it, you know that if you start at 000 and then work through 001, 002, 003… all the way up to 999, you will find the right combination. It will take some time, at most 1,000 tries, but you will land on the right combination eventually. This is how a brute force attack works.
With a computer password there are more than three positions, and each position can be any upper- or lowercase letter, a number, or a special character: about 95 possibilities per position on a standard keyboard. Following the same principle and trying every possible combination in sequence, a brute force attack will eventually find the right answer. The catch is the size of the search space: an 8-character password drawn from 95 characters has 95^8, roughly 6.6 quadrillion, possible values, and every additional character multiplies that by 95. Brute force is therefore practical only against short passwords, or against fast unsalted hashes on fast hardware; against a long random password it is hopeless.
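The two guessing strategies described above (a dictionary with simple mangling rules, and an exhaustive brute force over a character set) are shown together in the following Python example. It is an added illustration, not code from the original article. The "leaked" database is constructed for the example: it stores unsalted SHA-256 hashes, as a site that skipped salting might, and the user names, word list and passwords are invented.

```python
import hashlib
import itertools
import string

def sha256_hex(password: str) -> str:
    """Fast, unsalted hash: exactly what a careless site might store."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample dump (hypothetical users and passwords, for the demo only).
LEAKED = {
    "alice": sha256_hex("Ferrari99"),   # a dictionary word plus two digits
    "bob":   sha256_hex("q7!"),         # short and random, but only 3 characters
}

# Constructed topic-specific word list, as an attacker might build for a racing fan.
WORDLIST = ["password", "monza", "ferrari"]

# 94 printable characters excluding space: letters, digits and punctuation.
CHARSET = string.ascii_letters + string.digits + string.punctuation

def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates a brute force must try for every length 1..max_len."""
    return sum(charset_size ** k for k in range(1, max_len + 1))

def dictionary_attack(target_hash: str, wordlist):
    """Try each word as-is, Capitalised and UPPER, with '' or 0..99 appended.
    Returns (plaintext, attempts) or (None, attempts) if the list is exhausted."""
    suffixes = [""] + [str(n) for n in range(100)]
    attempts = 0
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                attempts += 1
                candidate = base + suffix
                if sha256_hex(candidate) == target_hash:
                    return candidate, attempts
    return None, attempts

def brute_force(target_hash: str, charset: str, max_len: int):
    """Enumerate every string of length 1..max_len over charset, in order.
    Returns (plaintext, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts

if __name__ == "__main__":
    pw, n = dictionary_attack(LEAKED["alice"], WORDLIST)
    print(f"alice: {pw!r} after {n} dictionary guesses")
    pw, n = dictionary_attack(LEAKED["bob"], WORDLIST)
    print(f"bob: {pw!r} after {n} dictionary guesses (not in the list)")
    pw, n = brute_force(LEAKED["bob"], CHARSET, max_len=3)
    print(f"bob: {pw!r} after {n} of {keyspace_size(len(CHARSET), 3)} brute-force guesses")
    print(f"keyspace for 12 characters: {keyspace_size(len(CHARSET), 12):.3e}")
```

The dictionary finds alice's password in a few hundred guesses because it follows a human pattern; bob's three random characters survive the dictionary but fall to a brute force of under a million hashes, which takes a second or two in pure Python and far less on a GPU. Raising the length to twelve characters pushes the keyspace past 10^23, which is why length and randomness, not cleverness, are what make a password resistant to guessing.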
Rainbow Tables
A rainbow table attack is a variant of the dictionary attack that uses precomputed hashes. Rainbow tables are huge files (we’re talking gigabytes to terabytes) that store, in a compressed chain form, the hashes of an enormous number of candidate passwords. In a dictionary attack the hash of every candidate has to be computed at attack time; a rainbow table does that work once, in advance, so a stolen hash can be looked up instead of recomputed, and the same table is reused against every hash ever leaked. The drawbacks are their massive size and the serious computing power needed to generate them in the first place. They are defeated by salting the password hash: a random value, generated separately for each user and stored alongside the hash, is combined with the password before the hash is calculated. Two users with the same password then get different hashes, and no table computed in advance can match them. Note that a salt only prevents precomputation; it does not make individual guesses slower, which is why password hashes should also use a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2.
The best way of managing your passwords is with a password manager. A password manager will generate and remember a long, random password for each service, so you can use a different one everywhere without having to memorise any of them; passwords like that are not feasible to guess with any of the techniques above. Avoid the temptation to reuse passwords, because a single breach of one site then exposes every account that shares it.