July 21, 2021

123456, qwerty and other password mysteries

by Karolis Paulauskas

Customer Success Manager

Have you ever had to create a password and thought – why is it so hard and why can’t I just use good old ‘123456’?
No, we’re not doing it just to bother you. Password security policies are based on real vulnerabilities. Let’s check them out!

Firstly, why does it all matter?

Services and websites store passwords in their databases as hashes. A hash function takes any text and converts it into a string of letters and digits that always has the same length. For example, if we take the password ILikeSharks and hash it with a common hashing algorithm, SHA-256, we get bb8928ad07372d57923907b7cc66a52706a51fb54404ca77ac5733b675f5bc6f. If we change just one letter, to ILikeSharkz, the result is completely different: 8c046aceb9abe46a955ebee834e840e985204fbc326e83bccc1049747dce4ee8. If you wanted to, you could feed a whole book through the algorithm and you would again get a string of the same 64-character length. Important to know: hash algorithms are one-way. You can’t easily take the hash string and convert it back to the original text. Also, the same text always produces the same hash string.

What does this mean?

It means that even if a website storing hashed passwords got breached and someone got hold of every user’s password hash, they still wouldn’t immediately know the original passwords. The attacker is left guessing what your password might be, hashing each guess and comparing it with the hash in the database. If they get a match, they know that is the password you used. On a side note, there are exceptions to this. Some businesses don’t follow best practices and use outdated, flawed hashing algorithms, or don’t hash at all and store passwords exactly as you enter them, in plain text. Unfortunately, if that’s the case, you, the client, can’t do much to protect yourself. That’s why we’d recommend choosing carefully which websites you sign up for and never reusing a password: if a reused password falls into the wrong hands, an attacker has easy access to all of your other accounts too.
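The three hash properties above (fixed length, a tiny change in the input scrambles the whole output, no way back except guessing) can be seen directly with Python’s standard library. The following is an added example written for this post, not code from the original; the stored hash and the list of guesses are constructed for the demo and are not from any real user database.

```python
import hashlib
from typing import List, Optional


def sha256_hex(text: str) -> str:
    """Hash text with SHA-256 and return the digest as 64 hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_positions(digest_a: str, digest_b: str) -> int:
    """Count the hex positions at which two digests differ (the 'avalanche' effect)."""
    return sum(1 for a, b in zip(digest_a, digest_b) if a != b)


def matching_guess(target_hash: str, guesses: List[str]) -> Optional[str]:
    """The only way 'back' from a hash: hash each candidate and compare.

    Returns the guess whose hash equals target_hash, or None if no guess matched.
    This is the same comparison a login form performs with the password you
    type, and the same loop someone holding a stolen hash is forced to run.
    """
    for guess in guesses:
        if sha256_hex(guess) == target_hash:
            return guess
    return None


# Constructed demo values; nothing here comes from a real user database.
STORED_HASH = sha256_hex("ILikeSharks")
GUESSES = ["123456", "qwerty", "ILikeSharkz", "ILikeSharks"]


if __name__ == "__main__":
    a, b = sha256_hex("ILikeSharks"), sha256_hex("ILikeSharkz")
    print("ILikeSharks ->", a)
    print("ILikeSharkz ->", b)
    print("hex positions that differ:", differing_positions(a, b), "of", len(a))
    # A 'book' of 600,000 characters still produces a 64-character digest.
    print("whole book still gives", len(sha256_hex("shark " * 100000)), "hex characters")
    print("same text, same hash:", sha256_hex("ILikeSharks") == a)
    print("guess matching the stored hash:", matching_guess(STORED_HASH, GUESSES))
```

Changing one letter typically flips about 60 of the 64 hex characters, which is why the two digests in the post look unrelated even though the inputs differ by a single character.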

Password length

As we’ve just learned, cracking a hashed password means trying possible passwords until you hit the right one, so it makes sense to make your password longer. Passwords nowadays should be at the very least 8 characters long. Why that number? As the number of characters in a password increases, the number of possible passwords grows exponentially. Let’s say you’re signing up to a website where the password can be made up of digits and lowercase English letters: that’s 26 letters and 10 digits, a total of 36 unique symbols. A 6-character password then has 36 to the power of 6 possible combinations, which equals 2,176,782,336. While that might seem like a huge number, modern computers can check billions of hashes per second. Bumping the password length up to 8 raises the total number of possible combinations to 2,821,109,907,456. An increase of just 2 characters gives almost 1300 times more possible passwords!

Using more symbols

Adding more kinds of symbols also increases the number of possible passwords. The same length of 8, but allowing lowercase and uppercase letters, digits and symbols, gives a total of (26+26+10+33)^8 = 6,634,204,312,890,625 different combinations. That is another 2350 times more than the previous example!
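The arithmetic in the two sections above is simple enough to script, and doing so makes the trade-off between length and alphabet size concrete. This is an added example, not part of the original post. It uses the post’s own symbol counts (26 + 26 + 10 + 33); the cracking rate of 10 billion hashes per second is an assumption chosen to match the post’s “billions of hashes per second”, not a measured figure.

```python
import math

# Symbol counts used in the post.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Assumed cracking speed for the illustration (the post says "billions of
# hashes per second"); a round figure, not a measurement.
ASSUMED_HASHES_PER_SECOND = 10_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, hashes_per_second: int = ASSUMED_HASHES_PER_SECOND) -> int:
    """Whole seconds needed to try every password in the space at the given rate."""
    return space // hashes_per_second


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: every extra bit doubles the work of an exhaustive search."""
    return math.log2(space)


def growth_factor(space_after: int, space_before: int) -> int:
    """How many times larger one keyspace is than another (rounded down)."""
    return space_after // space_before


if __name__ == "__main__":
    cases = [
        ("lowercase + digits, 6 chars", LOWER + DIGITS, 6),
        ("lowercase + digits, 8 chars", LOWER + DIGITS, 8),
        ("all printable ASCII, 8 chars", LOWER + UPPER + DIGITS + SYMBOLS, 8),
        ("all printable ASCII, 12 chars", LOWER + UPPER + DIGITS + SYMBOLS, 12),
    ]
    for label, alphabet, length in cases:
        space = keyspace(alphabet, length)
        days = seconds_to_exhaust(space) / 86400
        print(f"{label:32} {space:>30,}  {entropy_bits(space):5.1f} bits  "
              f"{days:,.1f} days to exhaust")
    print("6 -> 8 chars:", growth_factor(keyspace(36, 8), keyspace(36, 6)), "times more")
    print("36 -> 95 symbols:", growth_factor(keyspace(95, 8), keyspace(36, 8)), "times more")
```

The last row goes beyond the post’s examples to show why length matters more than the alphabet: four extra characters from the full set add about 26 bits, while going from 36 to 95 symbols at a fixed length of 8 adds about 11.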

Is it enough?

Using a long password with all the different kinds of symbols might save you from a brute force attack (where all possible combinations are tried until a match is found), but it’s not enough to be secure. An attacker can resort to a dictionary attack. It is based on the simple fact that most people don’t use a random mash of letters and numbers for their passwords but instead build them from specific words, names, dates and so on. A file of words is used to generate candidate passwords from word combinations, with numbers and symbols appended. Password cracking programs even test for common number-for-letter substitutions, such as the letter A replaced with the digit 4. So, for example, P4ssword1! might satisfy the length, letter, number and symbol requirements above, but it would be cracked in just seconds, because it is exactly the kind of thing people come up with.
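A sign-up form can apply the same reasoning in reverse: undo the common substitutions, strip the digits and symbols people bolt onto the ends, and refuse the password if a dictionary word is left over. The checker below is an added example, not the post’s or any product’s code; the word list, the “leaked passwords” set and the substitution table are small constructed samples (real checkers use lists of millions of entries), so passing it is not proof of strength.

```python
import re
from typing import List, Optional

# Constructed sample lists; a real checker uses far larger ones.
COMMON_WORDS = {"password", "welcome", "summer", "sharks", "admin", "letmein"}
LEAKED_PASSWORDS = {"123456", "qwerty", "123456789", "password1", "iloveyou"}

# The number/symbol-for-letter substitutions the post mentions (4 for A, etc.),
# applied in reverse so that 'P4ssword' normalises back to 'password'.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits/symbols at the start or end of the password (e.g. a trailing '1!' or '2021').
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_cores(password: str) -> List[str]:
    """Plausible base words hidden in a password: lowercase it, drop the
    digits/symbols at the edges, undo leet substitutions."""
    lower = password.lower()
    stripped = _EDGE_JUNK.sub("", lower)                    # P4ssword1! -> p4ssword
    cores = [stripped.translate(UNLEET),                     # -> password
             _EDGE_JUNK.sub("", lower.translate(UNLEET))]    # substitutions first, then strip
    return list(dict.fromkeys(cores))                        # dedupe, keep order


def weakness(password: str) -> Optional[str]:
    """Reason the password would fall quickly to the attacks described above,
    or None if none of these checks fires (which is not a proof of strength)."""
    if password.lower() in LEAKED_PASSWORDS:
        return "already appears in a password breach"
    if len(password) < 8:
        return "shorter than 8 characters"
    for core in candidate_cores(password):
        if core in COMMON_WORDS:
            return f"dictionary word '{core}' with substitutions or added digits/symbols"
    return None


if __name__ == "__main__":
    for candidate in ["qwerty", "Password1", "Sh4rk$", "P4ssword1!", "Welc0me!",
                      "Sharks2021", "xK9#pLm2$vQ7"]:
        print(f"{candidate:14} -> {weakness(candidate) or 'no weakness found by these checks'}")
```

P4ssword1! from the post is rejected as the word “password”, and Sharks2021 is rejected as a word plus a date, which is what the dictionary-attack wordlists are built to catch.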

Also, remember the breaches we mentioned? The passwords exposed in those breaches are now easily accessible, and an attacker can simply check whether anyone is using a password that already appeared in a breach. Sometimes those candidate passwords are already hashed, which reduces the work of cracking a password to checking whether its hash is already known; this is a so-called rainbow table attack. Nowadays, businesses limit the usefulness of rainbow table attacks by using salts: a random string of characters appended to your password before it is hashed. Though that is definitely not the case on every website you visit.
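Why a salt defeats a precomputed table is easiest to see side by side: an unsalted hash of “123456” is one lookup away from the password, while the same password stored with a random salt produces a hash the table has never seen, and two users with the same password get two different hashes. The code is an added example, not from the post; the “precomputed table” is a constructed four-entry dictionary standing in for the breach hash lists and rainbow tables the post mentions. It appends the salt with plain SHA-256 to match the post’s description; a production system should use a deliberately slow password hash such as Argon2, bcrypt, scrypt or hashlib.pbkdf2_hmac.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a precomputed table (hash -> password) covering a
# handful of common passwords. Real tables cover billions of candidates.
PRECOMPUTED: Dict[str, str] = {
    sha256_hex(p.encode()): p for p in ["123456", "qwerty", "password", "iloveyou"]
}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Unsalted storage: one dictionary lookup reveals whether the hash is already known."""
    return PRECOMPUTED.get(stored_hash)


def hash_with_salt(password: str, salt: bytes) -> str:
    """Salt appended to the password before hashing, as the post describes.
    Plain SHA-256 is used only to mirror the post; use a slow password hash
    (Argon2, bcrypt, scrypt, hashlib.pbkdf2_hmac) in real systems."""
    return sha256_hex(password.encode() + salt)


def create_record(password: str) -> Tuple[bytes, str]:
    """What the server stores for one user: a fresh random salt and the salted hash."""
    salt = os.urandom(16)
    return salt, hash_with_salt(password, salt)


def verify(record: Tuple[bytes, str], attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt; constant-time compare."""
    salt, stored = record
    return hmac.compare_digest(stored, hash_with_salt(attempt, salt))


def demo(password: str) -> Dict[str, object]:
    """Run the comparison for one password and return the observations."""
    alice, bob = create_record(password), create_record(password)
    return {
        "unsalted_lookup": lookup_unsalted(sha256_hex(password.encode())),
        "salted_lookup": lookup_unsalted(alice[1]),
        "same_password_different_hashes": alice[1] != bob[1],
        "login_ok": verify(alice, password),
        "login_wrong_password": verify(alice, password + "7"),
    }


if __name__ == "__main__":
    for key, value in demo("123456").items():
        print(f"{key:32} {value}")
```

The table still "knows" the weak password; salting only stops the attacker from reusing that knowledge across every site and every user, which is why the post’s other advice about not picking guessable passwords still applies.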

The existence of dictionary and rainbow table attacks means that a password shouldn’t contain commonly used words or dates and should be as close to random as possible. It also should not be something that can already be found in previous password breaches.