Whatever the specific reason might be, whenever convenience and security do battle, convenience has a tendency to win. And so most people — even most technically inclined people — have at most a small handful of passwords that they use across different accounts. And so, when huge sites like LinkedIn or Adobe are compromised and hundreds of millions of password hashes get leaked, your accounts on other sites have a pretty good chance of being vulnerable to attack too. This is such an accepted fact that there are entire web sites devoted to telling you whether your username was involved in a data breach, under the tacit (and probably correct) assumption that you're using the same password everywhere.
I'm going to tell you about a technique you can use to make it more difficult for your accounts to get hacked, without having to remember unique usernames or passwords for every site. The only extra thing you have to remember is that you're using this technique. I call it self-salting, for reasons which I'll explain later on, but for now here's how it works:
Step 1: pick a password to use for all your accounts. You probably already did this, hence the problem. Hopefully, you actually have a couple different passwords you use: one for your bank and sensitive financial stuff, one for the Gmail account that you use as the recovery email for everything, and a "general-purpose" one you use for all the random web sites demanding that you sign in. If so, start with that last one.
Step 2: when you create a new account, look at the address bar at the top of your browser window. Take the top-level domain name (usually the part that comes right before the ".com") and append a plus sign and the first three letters of that domain name to your password.
Step 3: every time you log into that account in the future, look at the address bar again and do the same thing to remember what password you used.
So for example, let's say the password I use everywhere is Ilikepie.Mm,pie. (That's actually a pretty decent password, by the way.) I'm creating an account at, oh I don't know, www.pokemon.com. So when I'm asked to enter a password, I type Ilikepie.Mm,pie.+pok. And that's it.
Why this works
On the face of it, this doesn't seem like a big improvement. We only added four characters, and since I just told you how to generate those characters, if a lot of people started doing this then attackers could just start adding those same characters to the password they're trying too. But this actually does help for a very specific reason: most servers aren't actually storing your password directly. Instead, they store what's called a hash of your password, which is a string created by running your password through a mathematical function that is easy to calculate but very hard to reverse. One of the most common hashing algorithms right now is SHA, the Secure Hashing Algorithm. The SHA-256 hash of the password "password" is 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8. (Go ahead and look at the Google search results for that query -- they're interesting.)
When a site is compromised and passwords are stolen, usually all the attacker gets is a list of these hashes. So in theory, it shouldn't be possible for anyone to figure out what your actual password is just from the hash. But here's the trick: if you're using a very common password (like "password"), the attacker can just go run every one of those frequently used passwords through the SHA algorithm and see whether the result matches your hash. And, indeed, this is exactly what they do, which is why using a weak (and therefore common) password is such a terrible idea.
You would think, then, that as long as you're using a relatively unique password (like "Ilikepie.Mm,pie."), you'd be safe from this kind of attack. And that's almost true. The trouble is that the attacker might not actually need to know the original password in order to break into another account. All they need to do is either convince the other site to accept a hash directly instead of a password (which is unfortunately easy in many cases), or find another string that happens to have the same SHA hash (which is difficult, but definitely possible) and use that as the password instead.
In order to fight back against that kind of attack, conscientious software developers use a trick: before they generate a hash for your password, they add some random characters to it. The characters can be the same for everyone's password, and they're not even a secret: they're just unique. So if my password is "Ilikepie.Mm,pie.", the server might generate a hash for "Ilikepie.Mm,pie.f9cskjf3a" instead, and then add "f9cskjf3a" to the end of every password whenever someone logs in before checking it. Because any decent hashing algorithm will thoroughly "stir" all of the original data about the characters throughout the hash string, adding characters to the end will completely change the hash, making it impossible for someone to use it on a different site that appends a different string.
This process is called salting, and you've probably already realized that it's exactly what we're doing with our password up front. That's also why it doesn't matter that we always add the first three letters of the top-level domain: the salt isn't a secret, it just needs to be different for each site to prevent people from using the hash strings elsewhere. If (when) the password hash gets stolen, it is guaranteed to be more or less unique even if the server that got hacked didn't salt the hash themselves (which many don't, sadly).
This technique won't help you as much if your actual password gets stolen, but it's actually of some use even then: if the site is large enough, the attacker probably doesn't have time to go look at each individual password to see if you added stuff onto the end of it. Instead, they're going to write a script that will automatically try every password, verbatim, on some other site and then record which ones worked. So if someone is targeting you personally and gets ahold of your password, you're probably toast. But if you just get caught up in a large privacy breach with a hundred million of your closest friends, the fact that your password on each site is technically unique might still save you.
No comments:
Post a Comment