If you haven’t heard, there was yet another data breach that contained the largest – to date – dump of usernames and passwords. This isn’t saying that it’s all-new data, but it’s definitely a LOT of data compiled all together into one big batch. Let’s dig into this further.
What is the deal
When a website stores a username and password, it has a few different ways it can store that information. In order, from worst to best (not all-encompassing):
- Plain Text – it’s the same as what you’re reading now… if you type “password” in, anyone that has access to the database can read it.
- MD5 Hash – this was an early method for storing passwords. Once upon a time, this was the fastest and easiest way to store a “secure” passphrase. In 2005 it was determined to be flawed, but it was too late – many systems used it and many tutorials had been written around it. The same “password” in MD5 is stored as the following: “5f4dcc3b5aa765d61d8327deb882cf99”
- MD5 Hash + Salt – this usually means taking two bits of data (the salt and the password) and storing them together in one string, delimited by some character. It’s harder to crack, but if your salt is exposed then it’s still free rein to get at your password.
- SHA1 – this is the lowest “available” encryption that anyone should still be using (though, as noted, nobody really should) and it’s not for passwords. There have been theoretical vulnerabilities in this algorithm since 2005.
- SHA256 – this used to be the next reliable way of storing passwords (after MD5), however it is no longer considered a “safe” way to store passwords. This is because lookup tables can be generated for it (essentially, at some point someone has already hashed that string).
- bcrypt / platform-specific hash – this is the primary method for storing passwords today. The goal is to make it one-way: there’s no way to convert it back after it’s been encrypted.
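To make the tiers above concrete, here is a small added example (written for this post; it is not code from the original article or from any vendor). It reproduces the MD5 digest quoted above, shows why a per-user salt defeats a precomputed lookup table, and finishes with a slow, salted hash plus a constant-time check. bcrypt is not in Python’s standard library, so scrypt from `hashlib` stands in for the “bcrypt / platform-specific hash” tier; the short wordlist and the `$`-delimited storage format are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the password and the MD5 digest quoted in the post.
EXAMPLE_PASSWORD = "password"
EXAMPLE_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"


def md5_hex(password: str) -> str:
    """Unsalted MD5 ("MD5 Hash" tier): identical input always gives identical output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """"MD5 Hash + Salt" tier: salt and digest stored together, delimited by '$' (constructed format)."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def sha256_hex(password: str) -> str:
    """Unsalted SHA256: still fast and still a lookup-table target."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist, hash_func):
    """Precomputed digest -> word table; this is the weakness of unsalted fast hashes."""
    return {hash_func(word): word for word in wordlist}


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted KDF standing in for bcrypt (assumption: scrypt, not bcrypt itself)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    candidate = scrypt_hash(password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(candidate, stored)


def demo():
    """Walk the tiers: table hit on unsalted MD5, miss on salted MD5, scrypt verify/reject."""
    table = build_lookup_table(["123456", "password", "letmein"], md5_hex)  # constructed wordlist
    recovered = table.get(EXAMPLE_MD5)              # "password": immediate hit
    salted = md5_salted(EXAMPLE_PASSWORD, os.urandom(8))
    missed = table.get(salted.split("$")[1])         # None: table was not built for this salt
    stored = scrypt_hash(EXAMPLE_PASSWORD)
    return recovered, missed, verify_scrypt(EXAMPLE_PASSWORD, stored), verify_scrypt("Password", stored)


if __name__ == "__main__":
    print(demo())
```

The salted MD5 still falls to a fresh brute-force run because MD5 is fast; the scrypt step is what adds the cost per guess, which is the property the “bcrypt / platform-specific hash” tier is really buying.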
Now, if I have your email address and a “bad” encryption such as MD5, all I need to do is look up the MD5 equivalent of that word and suddenly I know your password for that account. Further, I know what site it came from, because that’s posted in the database dump as well. Now I jump to whoever runs your email and see if that password works. If it doesn’t, then it’s time to search for your information among the massive troves of data I already have access to. Find another password, test it, and move on once more. Eventually, I’ll have a bit of a feel for how your passwords are created (unless you take steps from the next section) and can then “guess” what passwords might be options. Ha, I could even program a computer to look for similar words (such tools already exist).
Ok, I’m scared, how do I stay safe?
So there are a few steps you can take to keep safe, depending on how much hassle you want to go through:
- Use a password manager (that is reputable)
- Use a built-in password manager (browser-based: Chrome, Safari, Firefox, Edge)
- Use a variation on the same password based on specific themes (typically this would be a sentence or multiple words put together with spaces and punctuation and numbers)
- Use an address book or day planner to write down all of your passwords (it works!)
If you’re comfortable with technology, password managers are the way to go. I use LastPass and I’ve tried a variety of solutions (even used KeePass for a while). Ultimately, I’ve settled on LastPass because I’m familiar with it, I trust it, and I’ve got it locked down to hell and back. For instance, my password manager will not allow logins from outside of the US. It has a password that is over 30 characters long using simple-to-understand but complex punctuation. It is protected by 2-factor authentication. On top of all of that, I am emailed EVERY time an incorrect password is entered for my master password. It also announces that someone’s been blocked for trying too many incorrect passwords. I can remotely terminate any session from within LastPass and it’s immediately booted and unable to access any resources.
These would be the things to look for in a password manager. I am not currently providing affiliate links, but those are my recommendations.
Finally, I’d like to leave you with one of my favorite password comics:
What are your thoughts?