How Do Websites Store Passwords Securely?

The good, the bad, and the really bad.

Not all websites protect your password the same way. Some do it well, others badly, and a few dangerously poorly. I’ll walk through the good, the bad, and the ugly of password storage, and share one simple step you can take to keep your accounts safe.
[Image: Password dial set to "password" (adobestock.com)]
Question: After reading your excellent article, “How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?” I still don’t understand. Even if a hacker has stolen the user database of logins and hashes, how can they duplicate the method of hash creation used by any particular website? I would think different websites would use different hash-creation formulas.

You would think. And they should. That’s what makes it so frustrating when these attacks are successful.

The problem is that security is sometimes an afterthought. In fact, it’s often not thought of in any deep sense until after a successful attack.

The good news is that there’s something simple you can do about it.

TL;DR:

Password storage security

Websites can store passwords in good, poor, or horrible ways. The safest use salted hashes, which add secret info before hashing so stolen databases are harder to crack. Sadly, some sites still store passwords in plain text or weak hashes. Protect yourself: always use a unique password for every site.

A horrible approach

I include it for completeness only, but a very, very bad method websites can use to keep track of your password is to store your actual password.

For example, if your password is:

password

then somewhere in the account database, in a password field, is:

password

Anyone who steals that database can just look inside and find your password.

This is extremely poor security. Sadly, it happens occasionally.


A better but still poor approach

Websites should not keep a record of your actual password. Put more bluntly, with the most basic security, the website does not actually know your password.

Instead, when you first set (or change) your password, they “hash” the string of characters you provide as your password and store that hash instead. A hash is a complex, one-way mathematical conversion of the characters you type into a number. Hashing a password generates a number unique to what you typed in. Even if a hacker obtains that number, they cannot figure out what was typed.

When you log in, the system hashes the password you type in and compares it with the hash that was stored when you set your password. If the hashes match, you must have typed in the same password both times, and the system gives you access to your account.

There are several standard hashing functions. For example, if we hash the password:

password

using the “sha256” hash, the result is:

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

And that’s exactly what a “poor” website might do: store nothing more than a standard hash.

The problem is that anyone who hashes “password” using sha256 will get exactly the same result. There are several approaches that allow hackers to discover which hash algorithm was used. While they cannot calculate the password from the hash directly, they can try hashing long lists of common or discovered[1] passwords. If they find a matching hash in a breached database, they then know the password used to create the hash for that account.

Not good.

The “good” approach adds salt

Let’s say you specify a password.

password

When using good security, the website modifies it slightly before hashing it. It changes it in a way unique to the website via a “secret” method. It could be as simple as adding a string to your password.

password-website-added-string

Now when that modified password is hashed using a standard hash algorithm, the result is quite different.

ecd4615720cd24c455cbf627243737c94cd1539f4c8903d664a36ef4992fbce8

Each time you enter your password, the website adds this unique information — called “salt” — to what you entered before it calculates the hash. As long as no one knows the salting string (or, more commonly, the salting algorithm, which is more complex than just adding a simple string), there’s no way to reverse-engineer a stolen database of password hashes.[2]

This is password storage done properly.
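The three storage approaches described above (plain text, bare sha256, salted hash) side by side, as an added Python example that is not from the original article. The per-account random salt and the record format that stores it beside the hash follow footnote 2 rather than the single site-wide string shown above; the account names, passwords and common-password list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for illustration only (not from the article).
SAMPLE_ACCOUNTS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def store_plaintext(password: str) -> str:
    """The 'horrible' approach: the stored field is the password itself."""
    return password

def store_unsalted(password: str) -> str:
    """The 'poor' approach: a bare sha256. Everyone hashing 'password' gets the
    same hex string, so one table of common-password hashes matches every
    account that used one of them."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The 'good' approach as refined by footnote 2: a unique random salt per
    account. The salt is stored next to the hash (it is needed again at login);
    sha256 is kept here so the output stays comparable with the article."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"

def verify_salted(password: str, record: str) -> bool:
    """Login check: re-derive the hash with the stored salt and compare in
    constant time so timing does not leak how many characters matched."""
    salt_hex, expected = record.split("$", 1)
    actual = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)

def precomputed_table_hits(records: dict) -> list:
    """What a stolen table of unsalted hashes gives away: hash each common
    password once, then see which accounts' stored values appear in the table."""
    table = {store_unsalted(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, stored in records.items() if stored in table)

if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("unsalted hits:", precomputed_table_hits(unsalted))  # ['alice', 'bob']
    print("salted hits:", precomputed_table_hits(salted))  # []
    print("alice logs in:", verify_salted("password", salted["alice"]))  # True
```

With bare sha256, alice and bob (same password) store the identical value and both fall to the one precomputed table; with a per-account salt their records differ and the table matches nothing, while login still works because the salt travels with the record.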

When to be concerned

Whenever there’s a report of a user-account database breach, I look for information about what that database contains. I look for one of three phrases.

  • Unencrypted passwords. This is horrible security because it represents no security. Hackers don’t have to work at all; the passwords are theirs for the taking. Change your password immediately.
  • Unsalted password hashes. This is the “poor” scenario above: the website designers made an attempt at security, but a poor one. Passwords are likely to be compromised in short order. Change your password as soon as you can.
  • Salted password hashes. This is the “good” scenario above. When I hear this phrase or its equivalent, I worry much less. I’ll probably change my password, as salting can still be implemented poorly, but I won’t lose sleep if I can’t get to it right away. Hackers aren’t going to get in easily, if at all.

Do this

Here’s the real problem: when it comes to security, there are good websites, bad websites, and horrible websites. You have no way of knowing which is which — at least not until after a compromise. There’s no one to ask.

There’s only one practical approach: assume they’re all horrible. Assume your password may someday be compromised.

That’s simply another reason to adhere to the most basic rule of password security:

Always use a different password on every site.

That way, if one site gets compromised, your other accounts are not at additional risk. In other words, keep doing what I hope you’re already doing.


Footnotes & References

[1]: This is why not reusing passwords is so important.

[2]: This is an oversimplification. A properly secure password storage mechanism would use a different hashing function for a variety of reasons, as well as a unique, random number as a salt. I found a good, more detailed rundown at Salted Password Hashing – Doing it Right.

13 comments on “How Do Websites Store Passwords Securely?”

  1. Leo, how about doing a piece about the security of password managers, both cloud-based and those that reside on your PC?

  2. You use the phrase “reverse engineer” regarding hash codes. That may make people think that the hackers can read the hash code and work their way backwards from it to get the initial password or phrase.
    My understanding is that the hash is a one way process and what they do is create a dictionary of common passwords (and all short ones) that they run through the hash process to see which one gives the matching hash code. With a salted hash, they will not find any matches unless they happen to also match the salt.

    Any site that can tell you what your “forgotten” password is should be avoided. That means that they store the actual password somewhere that can be hacked instead of only saving the hash of your password.

  3. Leo, thanks for all your messages answering the questions of your readers. On today’s subject, I would like to ask about my creating passwords that are really complex. How would I keep up with these new passwords (salted or not)? They would be long and not easy to remember by myself. Where would I keep these long and complicated passwords? Thanks for your comments.

    • Use a password manager such as Keepass or LastPass. The first is a software program that you install on your PC. It stores your passcodes in an encrypted file locked with AES encryption, the gold standard of the industry. The latter is a browser extension that you add to your browser. It stores your passwords safely in the cloud, also encrypted with AES. I use both and find them both easy to use. I have hundreds of usernames and passwords for many different websites, encrypted volumes and so forth. All are very complex passcodes with 20 or more different character combinations. Nothing is truly bulletproof, of course, but I always follow best practices.

    • Not quite sure I understand your question. This whole concept of salting and such happens behind the scenes. You just create long, strong passwords, use different ones everywhere, consider using a password vault like Lastpass, and you’re good.

    • As Leo said, the salting happens behind the scenes, i.e. by the program that encrypts them. To keep your passwords protected by a salted hash, use a password manager, such as LastPass, which uses a salted hash to encrypt your passwords.

  4. Leo: I would assume the best of all practices is to install LastPass and let LastPass generate very strong passwords (20 characters or more) for each and every website that I use. That way even I would not know what the passwords were unless I were to download the CSV file into Excel as a backup. Is it better that I don’t know what the passwords are?

  5. Leo,
    Have you noticed that password managers are not working as well as they used to? What I mean is at some sites they will fill in the info, and at others they don’t. I end up running 2 different PW managers at the same time hoping one will work. I believe this may be caused by web sites not catching up to the new web browsers. Same issue with the browsers. I normally run Firefox, then MS Edge, and one may work correctly. For example, FF opens a page but doesn’t display the words; in MS Edge you click on a link, but nothing happens. Checkout carts are always a crap shoot. So I resort to using IE11. That browser just seems to work.

  6. Leo, you wrote:

       "Unencrypted passwords. This is horrible security because it represents no security. Hackers need do no work; the passwords are theirs for the taking. Change your password immediately."

    I am shocked, astounded, dismayed, and ashamed, Leo, that you would give such idiotic advice!

    Folks, if you find evidence that a site is storing your password (or passphrase) unencrypted, DELETE YOUR ACCOUNT THERE AND DUMP THAT SITE AT ONCE — and DON’T use that same password/phrase anywhere else, EVER!

    But, ABOVE all, do NOT, as Leo here so mindlessly recommends, simply change your passphrase — the “new” one will be every bit as UNencrypted and vulnerable as the old one was!!! Yeesh!!!

    –Glenn P.

    • This is the full text of what Leo said about unencrypted passwords:

      Whenever there’s a report of a user-account database breach, I look for information about exactly what that database contains. I look for one of three phrases:
      Unencrypted passwords. This is horrible security because it represents no security. Hackers need do no work; the passwords are theirs for the taking. Change your password immediately.

      All he’s saying here is that if there has been a breach, the hackers have your password and you should change it.

      Of course, it’s best to switch to a website which uses a salted hash of your password but this isn’t always possible. And for that reason, the worst thing you can do is use the same email address password combination on more than one website.

