We keep hearing the terms strong password vs. weak password. Some websites let you get away with the word “password” as a password, while others want you to include every character combination possible. And could even that still not be enough to secure your password? In this article, we will briefly look at how passwords are stored, what makes a weak vs. a strong password, and how even the strongest password may not be secure.
If you are a visual learner, please check out my video on YouTube where I cover everything in this article and also show how easy it is to crack even seemingly secure passwords.
How are passwords stored?
Before we look at how passwords are stored, we need to briefly understand what “encryption” is. In simple terms, encryption is the process of converting information into code using what is called a “hashing algorithm” to prevent unauthorized access. It can be something as simple as shifting each letter of the text by one position in the alphabet. For example, each letter in the word bird can be shifted by one, turning it into cjse, which is now an encrypted version of the original word. So unless you know what the encryption was (in this case, shifting by one letter), you won’t know what it means. Likewise, if you know what the encryption algorithm was, you can easily figure out what the original word was by simply shifting each letter back by one. This is obviously a very bad example of encryption, used purely for simplification. But there are many different encryption algorithms out there; some are very good, others not so much. As time passes and hardware gets more modern, people figure out easier ways to decrypt things, so to stay secure, websites and apps continually need to update their encryption technologies or they will find themselves in a compromised state. More on this a bit later.
So how are passwords stored, then? At a very basic level, you go to a website or an app and create a new username and password combination. This information is then sent over to the authenticating app or website, which encrypts your password and stores it in its database. Which encryption algorithm they use is not known publicly. So a password that was “not_today” may look like this when it is encrypted and stored: 88689124a389810a9116c5fb7d3bf528. This way, unless you know what encryption algorithm was being used, it would be impossible for you to know what the actual password is.
How do passwords get compromised?
Okay, so you create a very strong password, say something like V@l@rM0r6UL1$, which then gets encrypted to something like 4e88206f2905a4502c5315517a4b89d2, and you should be good, right? Well, not really. Remember I mentioned that there are multiple encryption or “hashing” algorithms? The one I just showed you is called the MD5 hash. It used to be a strong one a long time ago, but in this day and age no one should be using it, because it can be cracked very easily. Sure, places like Amazon or Facebook won’t use something silly like this. But that random car forum you visit, run by a car enthusiast in his basement without any knowledge of security, could be using MD5 hashing. Or worse, storing your passwords in plain text!
I hope you see where I am going. Sure, your password can be the strongest one, but that is just half the battle. The app or website that you are using is equally responsible for keeping things secure. Consider this situation: you create a strong password (the same one we talked about earlier), and you use it on Facebook and Amazon. Those websites, as I mentioned, will use something secure, but you now use the same password on the basement guy’s car forum. That website used a poor encryption algorithm. It gets hacked, and now every username and password combination on that website is leaked. Given how poor the website’s security was, hackers try to decrypt the passwords with known encryption algorithms, and MD5 is the first try. And voilà! Your username and password are now available in plain text. It was a very strong one, but that didn’t really matter, did it? The hacker now tries your credentials on Facebook and Amazon, and in no time your Facebook is hacked and you have a thousand dollars’ worth of stuff bought on your Amazon account and shipped to some random location on the other side of the globe.
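The storage scheme described above and the MD5 weakness discussed in this section, as an added Python example that is not part of the original article: an unsalted MD5 store beside a salted, deliberately slow PBKDF2 store, with the sample password, record format and function names constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password, reusing the article's illustrative value.
PASSWORD = "not_today"


def md5_store(password: str) -> str:
    """The weak scheme the article warns about: one fast, unsalted MD5 digest.
    Every user with the same password gets the same stored value, so a leaked
    table can be matched against precomputed hashes of common passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> str:
    """Stronger scheme: random per-user salt plus a slow key-derivation function
    (PBKDF2-HMAC-SHA256 from the standard library). The record carries its own
    parameters as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (constructed format)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_same_record(scheme) -> bool:
    """True when two accounts with the same password produce identical stored
    values, which is what makes one leaked MD5 table crackable by lookup."""
    return scheme(PASSWORD) == scheme(PASSWORD)


if __name__ == "__main__":
    print("MD5 record:", md5_store(PASSWORD))
    print("Two MD5 accounts collide:", same_password_same_record(md5_store))
    print("Two PBKDF2 accounts collide:", same_password_same_record(pbkdf2_store))
    record = pbkdf2_store(PASSWORD)
    print("Correct password verifies:", pbkdf2_verify(PASSWORD, record))
    print("Wrong password verifies:", pbkdf2_verify("not_tomorrow", record))
```

The MD5 record is the same across accounts and across sites, which is exactly why a password reused on the weak forum can be recovered once and replayed elsewhere; the salted PBKDF2 record differs per account and costs a deliberate amount of work per guess.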
Are we doomed either way then?
Well, if we rely solely on our passwords being strong, they could potentially get compromised just like I showed you. However, there are some strategies you can use to make this much less likely. I will save those strategies for the next article.
The only truly strong password is one that is long and as random as possible. If it has meaning to you, it has meaning to someone else, and that makes it much easier to crack.