What do you need to know about passwords?

sakib_sadman_sajib

It’s now 2017. According to Moore’s Law, our transistor count vs. die size graph has hit its highest numbers. We’ve got the 22-core Xeon E5-2699V4 on the enterprise side and the beast of the game, the 10-core 6950X, for enthusiasts. GPUs, again, are developing at an even higher rate. Nvidia released the new Quadro P6000, the most powerful (enterprise) card on the market. It has 3840 CUDA cores (more on that later) and 24 GB of GDDR5X VRAM, which translates into effectively 24 TFLOPS (teraflops) of raw computing performance*. These advancements in processing units are pushing development much faster. It’s a really good time to be alive. But, on the other side of the spectrum, the availability of these extremely powerful cards is making us vulnerable.

First, let me explain the most common way websites store passwords. When you enter your password on a website while creating an account, the website hashes your password using some algorithm. As a result, most websites don’t even know what your password is, unless they store the password in plain text, which is very risky. The most widely implemented hash functions are MD5 (128-bit) and SHA1 (160-bit). These were really strong and effective ways of storing passwords in the past, but not nowadays. If your password is just a string of lowercase characters, it will take less than a second to crack it using a simple brute-force attack. Let’s simplify what I just mentioned. Suppose your password is 12 lowercase characters. When someone brute-forces your password, they just check every possible combination of 12 lowercase characters. They’ll have to process 12^26 bits (1.1447546×10^28 bits) of data. This might seem a lot to you, but for modern GPUs it’s a small piece of cake; they need as little as a fraction of a second to process this much data. So, if your password has capital letters, numbers and special characters (like !, @, #, $, %, ^, &, * or something else), then it will be much harder to brute-force. But there are many more ways to crack passwords too. So users need to create passwords in such a way that they are tough to crack through a brute-force attack. And we should avoid using passwords like password1, 12345678, etc., because these are the most common and widely used passwords, and there are password libraries containing millions of hacked passwords, passwords which people used in real life. Please, never ever use the same password on multiple websites. Huge companies like LinkedIn and Yahoo are frequently getting hacked, and the passwords are leaked on the internet.
If all your passwords are the same, then someone might use your hacked password to log in to, say, your Amazon account and use your credit card, or do many other dangerous things, like using your account to cause harm to someone. Well, if the developer of the website is intelligent enough, they’ll use a better hashing function such as SHA512 with salting. Salting is basically adding an extra random string of characters, different for every user, when hashing the password. So even if the hashed passwords are compromised, the hacker won’t be able to crack the passwords, because the salts make the resulting hashes unpredictable.
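As an added example (not from the original post), here is Python code contrasting the two schemes described above: unsalted MD5, which lets a defender auditing a leaked store instantly flag every user who picked a password from a common-password list, and salted PBKDF2-HMAC-SHA512, where two users with the same password get different records. The common-password list is a constructed stand-in, and the iteration count is an assumption for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked-password lists the post mentions;
# a real list would hold millions of entries (assumption for this demo).
COMMON_PASSWORDS = ["password1", "12345678", "qwerty", "letmein"]


def legacy_hash(password):
    """Unsalted MD5: the legacy scheme the post says is no longer adequate."""
    return hashlib.md5(password.encode()).hexdigest()


def flag_common_legacy_hashes(stored_hashes, common=COMMON_PASSWORDS):
    """Defender-side audit: because unsalted hashes are deterministic, a
    one-off table of hash -> common password reveals every user who picked
    one of them. Returns {stored_hash: password} for the matches."""
    table = {legacy_hash(p): p for p in common}
    return {h: table[h] for h in stored_hashes if h in table}


def store_password(password, iterations=200_000):
    """Salted, iterated hashing (PBKDF2-HMAC-SHA512, 16 random salt bytes).
    A fresh salt per user means two users with the same password get
    different records, so a precomputed table is useless against them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Two users who both chose "password1", plus one constructed strong one.
    legacy = [legacy_hash("password1"), legacy_hash("password1"),
              legacy_hash("Tr0ub4dor&3!x")]
    print("legacy records identical:", legacy[0] == legacy[1])
    print("flagged legacy users:", flag_common_legacy_hashes(legacy))
    a, b = store_password("password1"), store_password("password1")
    print("salted records identical:", a["hash"] == b["hash"])
    print("verify ok / wrong:", verify_password("password1", a),
          verify_password("wrong", a))
```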

Well, the summary of this long post is: change every password you have ever created, because I’m sure your passwords are weak. Mix lowercase and capital letters, add numbers and special characters. Don’t use your name or any common words. And always use different passwords for different accounts. If you can’t remember those passwords, then use password-managing services like LastPass, True Key, Enpass, KeePassX, Dashlane, Padlock, Passbolt, etc.; they are free. And always use 2-step authentication, or maybe even a 3rd step of authentication. These multiple steps of authentication might be a hassle to deal with, but they will literally make your account 99.99% unhackable.

I know someone might come up with the idea of biometric authentication. I’ll discuss that in the next part. Yes, there is a next part. Stay tuned for it if you are interested.

Sakib Sadman Shajib is a student of Notre Dame College, Dhaka. He can be reached at contact@sakibsadmanshajib.com
