Passwords – what are they for?
Identification and authentication – Systems need to uniquely identify each user and prevent impersonation.
Risks and solutions
Password sent in plain text
- Passwords sent over SSL are encrypted in transit.
Password stored in plain text
- A hashed version of the password is stored in the database. Hashing is a one-way process: it cannot be reversed to recover the true password.
- Dictionary attack – uses numerous sources as dictionaries (atlases, reference manuals, etc.) to match plaintext passwords; the same dictionary values are also hashed to attempt to match stored hashed passwords.
- Brute force attack – tries every sequence of characters systematically. Very slow.
- Monitor unsuccessful login attempts and lock the account after a specified number.
- Adding a random value (salt) to the plaintext password before hashing.
- The hashed password and its salt are stored on the password server.
- A different random salt for each password is required to make the process effective.
- Advisable to use a salt the same size as the hash output, e.g. a 256-bit hash should use a 256-bit salt.
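The salting scheme in the notes above, as an added worked example (not from the original notes): a 256-bit random salt per password, the salt stored beside the hash, and verification by recomputing the hash. It assumes PBKDF2-HMAC-SHA256 (a deliberately slow hash) in place of a single SHA-256 call, and the iteration count is an illustrative choice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters, not from the original notes: a 256-bit salt matches the
# 256-bit output of SHA-256; the iteration count makes dictionary and brute
# force guessing expensive and is an illustrative value.
SALT_BYTES = 32
ITERATIONS = 300_000
HASH_NAME = "sha256"


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical for every user who picks it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a password server stores: salt plus salted hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def salt_defeats_precomputation(password: str) -> bool:
    """Two users sharing a password: equal unsalted hashes, distinct salted records."""
    alice = hash_password(password)
    bob = hash_password(password)
    unsalted_same = unsalted_hash(password) == unsalted_hash(password)
    salted_differ = alice["salt"] != bob["salt"] and alice["hash"] != bob["hash"]
    return unsalted_same and salted_differ


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", rec)
    print("correct password accepted:", verify_password("correct horse battery staple", rec))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", rec))
    print("salt defeats precomputed dictionary:", salt_defeats_precomputation("password123"))
```

A precomputed dictionary of hashes only helps an attacker when the salt is absent or shared, which is what the last function demonstrates.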
How to pick a proper password
- Make passwords hard to guess
- Go as long and as complex as you can
Consider using a password manager
- 1Password – https://agilebits.com/onepassword
- LastPass – https://lastpass.com/
- Available for your OS
- Manage passwords on multiple computers
- Synchronise across multiple computers
- Good reputation
- One account, one password
Password strength checker – https://www2.open.ac.uk/openlearn/password_check/index.html
Two-factor authentication examples
- Chip and PIN for card payments or cash withdrawals
- Bank card and card reader for online access
- Password and verification code sent via SMS – e.g. Google website, Facebook