The computer password has become a ubiquitous feature of modern life, but it may now be time to start evolving our security thinking. There are a host of developments and technological advancements that mean that a string of letters and numbers is not as effective as it once was for keeping us safe.
The first thing to note is the increasing frequency with which some of the most popular websites and largest companies are being hacked and suffering substantial data leaks. Sony and LinkedIn are huge companies that most likely spend a far larger amount of time and money then you on their computer security.
The second major factor is the increasing prevalence of joined up accounts that are linked together by one email account or password. One of my friends was recently complaining to me about how his whole apple account, right from downloading free apps to several different bits of hardware, is connected by one password. From a security point of you that is a dangerously fragile house of cards. The amount of personnel information being stored on cloud computing could also contribute to this in the feature.
This ‘daisy-chaining’ together of the various different strands of your online life means that a hacker is beat one part of this chain and they have potential access to every part of it. That one apple password that links everything together, once cracked, can be used to wipe every one of your Apple devices instantly from anywhere in the world.
So why is this so, and what possible steps can we take?
The different ways in which passwords are stored on the web
While your password strength and length are undoubtedly important factors in the security of your accounts, it is the way your password is stored and what kind of encryption is being used are equally, if not more, important. There are a number of main ways in which this is done, all of which have a bearing in how secure your personal information is.
1.) Plain text – This means that there is no encryption being used here and that your username and password are simply listed as they are on the company server. Unsurprisingly this does not protect you at all if a website is hacked.
2.) Basic encryption – Most websites will perform some sort of encryption process on your password so that it is unusable to anyone unless they also possess the decryption key. However, if the site is hacked and that key is found, your password strength and length again become completely obsolete.
3.) Hashed passwords – Hashing a password means that, like encryption, your password is changed into a long string of letters and numbers. Unlike encryption however, the process of hashing cannot be reversed. This means that a hacker can only obtain the hashes and will still have to try a few different combinations to crack your password. While it is still definitely hackable by someone with talent and time, the length of your password will come into play, with longer definitely equalling better.
4.) Hashing variations – with salt and slowly – There are a few variations of the hashing process which are pointed out as being the best bet against hackers. Hashing with salt means that another random string of characters (the salt) is added to the already hashed password. The speed of modern computing mean that it can still be hacked with time. This is where slow hashing comes in, which acts to dramatically slow down the hashing process, meaning that if your password is strong it will take a very, very long time to get.
Steps you can take to counter password insecurity
There are a number of things that you can do to reduce the chance of getting hacked and to try and counteract the potential hackability of your password.
- Try and clean up your online presence and disconnect as many of your various accounts as possible from each other. Take note of directory sites such as White Pages and contact them about opting out
- Give false and absurd answers to your security questions. An example would be that your mother’s maiden name is ‘pineapple’
- Try and use a strong and different password for each site
- Try and do a little research into the security histories of sites before signing up or log in using OAuth or something similar of possible
- Use a unique email address for nothing but password recoveries
So while passwords are still a valid security tool in many ways, it is important for people to understand that they are beginning to creak and become weaker. You should try and understand your password as one part of a wider security architecture made up of companies, servers, those doing the server hosting, etc, etc, and take as many steps to protect yourself as you can.
Does anyone else have any tips or advice regarding passwords and computer security? Do share with us.
Author Bio:- James Duvalis a freelance IT expert who writes blogs for companies such as ConnetU on subjects related to server hosting, security, and the intersections between the two.