4 Jul 2017

Passwords are terrible at securing your data!

Secure your passwords from Laser Red

There, I said it. It’s an opinion I’ve had for many years, and yes, it’s just an opinion. However, before you disappear, please allow me to talk you through why you should never use passwords that you can remember. It’s important that you listen to this.

Whenever you sign up to a website, you happily give them your password. The website then takes your password and stores it in a database. That way, when you come along and login, it can compare what you type in the password field to what is stored in the database.

Hopefully, they’ll both match up and bingo, you’re logged in. It is (in the case of well-built websites anyway) a little more complicated than this, but you get the gist.

Logging into websites on your phone

Now let’s imagine for a moment that I’m a nefarious character who likes to hack into web servers. I hack the server of your favourite website where you view hundreds of pictures of cats. This lets me download a copy of their database containing every user and password that has ever registered for the site.

Hopefully, it’s a poorly built website and all of the passwords would be stored unencrypted and I would quite simply be able to log into anyone’s account.

“That’s not so bad”, you might say, “it’s only a website for looking at pictures of cats”.

Pictures of Cats

But then you realise you used the same password on your email account, your online banking and your Facebook. Suddenly I have your entire identity. I have access to your bank account and your emails. What’s worse, I can now profess your undying love for Justin Bieber, on your own Facebook.

Now, if the website was “built properly” passwords will be stored in the database, encrypted. This means that when I hack the server and download the database, I can’t get the passwords straight away. But that doesn’t stop me trying to decrypt the passwords.

There are many ways to do this. First I’d try using a dictionary of common passwords to compare to. Secondly, I’d attempt to “brute force” guess the password by trying every combination of letters and numbers until I get a match.

Modern servers could try billions of combinations a minute – if your password is short or uses a dictionary word, it won’t take me long to crack it.

With the introduction of GDPR in May 2018, everything to do with data protection and security and your website becomes vital. If your website gets hacked and you don’t announce it, you could face severe penalties. We’ve put together a handy post to check if your website is legal.

Secure your passwords with Laser Red

How can you stop me from professing your love for Justin Bieber?

There are a few ways to make this difficult for me:

  1. Never, ever, EVER re-use passwords. Every password for every account must be different. Reusing passwords is like having the same key for your car, house, work and bank account.
  2. Never use dictionary words in your passwords (or if you do, use 3 or 4 unrelated ones. The longer your password is, the better)
  3. Use a password manager. I don’t actually know any of my passwords, they’re all randomly generated and I store them securely using a device that requires me to physically be there to access them. One that we highly recommend is LastPass.
  4. Use 2-factor authentication wherever it is available. (This is a system which employs a secondary method to check it is actually you trying to login, like an SMS being sent to your phone).

Until the adoption of hardware-based authentication, such as the YubiKey become mainstream, passwords aren’t going anywhere. Support for YubiKey may not be the best at present, but their product still does the job. So please do your bit to help keep your data safe, make your passwords strong and unique!

For any further information on this article, or guidance on how to create secure passwords, get in touch today.

The authors

Joe - Senior Web Developer | Laser Red
Joe Archer
Senior Developer