Why Your Passwords Suck, and That’s Okay

By Josh Potts


What happened to secure passwords?

Passwords have been treated as adequate protection for IT services for decades, so why do they fail so often now?  To answer that, we have to look at the history of how passwords are stored.  Every system that accepts a password has to keep something to check it against, usually in a database, and as web applications took over there have been three broad options: plaintext, two-way encryption under a key, or a one-way hash.  Plaintext means whatever you set as your password is readable to anyone who can read the database, whether an administrator or an attacker who dumps it.  Two-way encryption makes the stored value look unreadable, but anyone who obtains the key can decrypt every password in the table, and the application itself has to hold that key to work.  Hashing is the strongest of the three: a hash function runs in one direction only, so there is no operation that turns the stored value back into the password.  What it does not prevent is guessing.  An attacker who steals the hashes can hash candidate passwords and compare, which is why hashes should be salted (a random per-user value mixed in) and computed with a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a single round of MD5 or SHA-256.

So, if hashing is available and a hash can't be reversed, how can I still be hacked?  There are several reasons, ranging from poor application design all the way to human nature.  First, not every application hashes at all.  A site may have been built without it, and once the web app is in production nobody finds the time to retrofit it, so a database breach hands over every password directly.  Second, even a properly hashed password is only as good as the password itself.  Humans like passwords they can remember, but passwords that are easy to remember (a pet's name, a dictionary word, a year) are exactly the ones an attacker tries first when cracking a stolen hash database offline, where no lockout or rate limit caps the number of guesses.
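To make the two points above concrete, here is an added example (not code from the original article) that stores the same weak password the three ways described, then runs the offline guessing attack against the two hashed forms.  The wordlist, the password "fluffy2014" and the "iterations$salt$hash" record layout are constructed for this illustration; the hashing itself uses Python's standard-library SHA-256 and PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the "easy to remember" passwords an
# attacker tries first; not taken from any real breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "fluffy2014"]


def store_plaintext(password: str) -> str:
    """Plaintext: whatever the user typed is what sits in the database."""
    return password


def store_fast_hash(password: str) -> str:
    """Hashing done badly: a single unsalted SHA-256.

    One-way, but a GPU checks billions of guesses per second against it, and
    every user who picked the same password gets the same hash.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def store_slow_hash(password: str, iterations: int = 600_000) -> str:
    """Hashing done properly: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The record layout "<iterations>$<salt hex>$<derived key hex>" is an
    assumption made for this example, not a standard format.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_slow_hash(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_fast_hash(stored_hash: str, wordlist: list) -> Optional[str]:
    """Offline dictionary attack against the unsalted hash.

    No login attempt is ever made, so lockouts and rate limits never fire;
    the attacker simply hashes guesses until one matches.
    """
    for guess in wordlist:
        if hashlib.sha256(guess.encode()).hexdigest() == stored_hash:
            return guess
    return None


def crack_slow_hash(stored: str, wordlist: list) -> Optional[str]:
    """The same attack against the salted, iterated hash.

    It still succeeds for a weak password: the slow hash multiplies the cost
    of each guess and the salt forces the work to be redone per user, but it
    cannot rescue a password that appears in the first few guesses.
    """
    for guess in wordlist:
        if verify_slow_hash(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    weak, strong = "fluffy2014", "correct horse battery staple"
    print("plaintext         :", store_plaintext(weak))
    print("weak, fast hash   :", crack_fast_hash(store_fast_hash(weak), COMMON_PASSWORDS))
    print("weak, slow hash   :", crack_slow_hash(store_slow_hash(weak, 10_000), COMMON_PASSWORDS))
    print("strong, fast hash :", crack_fast_hash(store_fast_hash(strong), COMMON_PASSWORDS))
```

Run it and the weak password falls out of both hashed forms, while the long passphrase survives even the cheap hash against this wordlist: the hash scheme decides how expensive each guess is, but the password decides how many guesses are needed.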

How do we combat this?  Do we have to memorize exponentially more complex passwords just to keep pictures of our cats out of the hands of hackers?  Thankfully, the answer is no.

Two Factor Authentication Saves the Day!

What is two factor authentication?  Simply put, it is proving who you are with two different kinds of evidence: typically something you know (your password) and something you have (a device that produces a one-time code or signs a challenge).  The simplest form is a password plus a one-time code when you log in to a service.  Services that guard sensitive data, such as AWS, strongly recommend that you turn it on.  There are a few different form factors for the second factor: a hardware token generator, a smartphone app, or a USB security key.

A token generator is a small device that fits on your keychain and displays a one-time code (usually 6 digits) that you type in along with your password.  The code is computed from a secret seed stored inside the token plus a counter or the current time, and the service holds a copy of the same seed.  Enrolling the token means giving the service its serial number, so it can look up the seed that was loaded into the token when it was issued, and usually typing in one or two consecutive codes so the service can confirm the two are in sync.  The codes themselves never reveal the secret; that is the whole point.

The phone apps work the same way, with easier enrollment.  Take Google Authenticator: you pair it with your account by scanning a QR code that carries the shared secret, and from then on the app shows the same kind of 6-digit code, changing every 30 seconds, that a hardware token would.  Some services go a step further with a push prompt: when you sign in, your already-signed-in phone gets a notification and you simply tap "yes" to confirm that it is really you.  The final option is the USB security key, aimed primarily at desktop or laptop use.  A physical key (it looks like a small USB drive) has to be plugged into the computer, and it answers the site's login challenge with a signature computed inside the device, so there is no code to type and nothing for a look-alike phishing page to capture.
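The token and app paragraphs above describe the same mechanism from two sides, so here is one added example (not Google's, any token vendor's, or the original article's code) that implements it end to end: the time-based one-time code the display or app computes, and the service-side check that accepts it.  It follows RFC 4226 (HOTP) and RFC 6238 (TOTP), and uses the RFC 6238 reference seed "12345678901234567890" so the output can be checked against the published test vectors; the TotpVerifier class, its one-step drift window and its replay check are this example's own design, not something the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# The seed shared between token (or app) and service.  This is the RFC 6238
# reference secret, used so results match the RFC's test vectors; a real
# service generates a random seed per user and ships it to the app inside the
# QR code as base32, exactly as this constant is encoded here.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by unix_time // step.

    This is what the token display or the Authenticator app computes; the
    code changes every `step` seconds.
    """
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Service side (design assumed for this example).

    Accepts a code for the current time step or one step either side, so a
    slightly drifted clock still works, and refuses to accept any step at or
    before the last one accepted, so a captured code cannot be replayed.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.last_accepted_counter = -1

    def check(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            # Constant-time compare: don't leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret_b32, counter), submitted):
                if counter <= self.last_accepted_counter:
                    return False                             # replayed or stale code
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET_B32, now)            # what the app shows the user
    verifier = TotpVerifier(SHARED_SECRET_B32)     # what the service holds
    print("app shows :", code)
    print("first use :", verifier.check(code, now))        # accepted
    print("replayed  :", verifier.check(code, now + 5))    # rejected
```

Note that only the seed is secret: the algorithm, the time and the serial number are all public, which is why the seed has to be generated randomly per user and why the enrollment codes mentioned above prove synchronization without disclosing it.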

Clear as mud, right?  Hopefully, you've gained a bit of insight into why certain sites require more complex passwords, and why the ones holding your important data keep nudging you to turn on a second factor.