While most people have lousy passwords, there’s another problem: Someone can get your password and it isn’t your fault. Worse yet, maybe it isn’t even your bank’s/stockbroker’s/email provider’s fault. What can you do to limit the damage?
What can happen?
- You create an account on we-don’t-care-about-your-security.com.
- You use the same login name and password that you use everywhere.
- They store your password in the clear.
- They get hacked and your login name and password are stolen.
- The thieves use your name and password to clean out your bank account.
What did you do wrong? Only step 2 above: you reused one login name and password.
What did the bank do wrong? Nothing. The thieves logged in with your real credentials, and the bank has no way to tell that from you logging in.
What’s going on?
Websites can keep track of your password in three ways:
- Store your password unencrypted, in the clear. No company in its right mind would do this, yet it keeps happening, even at large companies. When the site is breached, the attacker gets every password ready to use.
- Store your password “hashed.” The hash looks like gobbledygook, but if it’s stolen the thieves usually don’t need to reverse it: they hash a big list of common passwords once, then look each stolen hash up in that table (a “rainbow table” is the space-saving version of the same idea). Because every unsalted site hashes “letmein” to the same value, one table works against every user on every such site. For a weak password this slows the bad guy down hardly at all.
- Store your password as a “salted hash”: a random value, different for each user, is mixed in before hashing and stored alongside the result. This is enormously better. The precomputed table is useless, and the bad guy’s program has to brute-force guess each user’s password separately. One caveat: with a fast hash like MD5 or SHA-256, that guessing still runs at billions of tries per second on a GPU, so weak passwords fall quickly anyway. Current practice is a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2.
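The three storage options above, with the matching attacks, as an added worked example (this is illustrative code written for this page, not code from any real site). The user list, the passwords and the attacker’s guess list are constructed; a real cracking list has millions of entries. A fourth function shows the slow-hash alternative mentioned above, using PBKDF2 because it ships with Python’s standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: three users with the kind of weak passwords the post mentions.
USERS = {"alice": "letmein", "bob": "123456", "carol": "password1"}

# The attacker's guess list: a handful of common passwords (constructed; a real list is huge).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "password1", "iloveyou"]


def store_plaintext(password: str) -> str:
    """Option 1: store the password as-is. A breach hands it over directly."""
    return password


def store_unsalted_hash(password: str) -> str:
    """Option 2: one fast hash, no salt. Identical passwords give identical hashes everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_hash(password: str, salt: bytes | None = None) -> str:
    """Option 3: fresh random salt per user, stored next to the digest as 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def lookup_attack(stored: dict[str, str]) -> dict[str, str]:
    """Attack on option 2: build hash -> password once, then recover each user with a
    dictionary lookup. The same table works against every unsalted site."""
    table = {store_unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def lookup_attack_on_salted(stored: dict[str, str]) -> dict[str, str]:
    """The same table applied to salted records: nothing matches, because the
    salt was mixed in before hashing."""
    table = {store_unsalted_hash(p): p for p in COMMON_PASSWORDS}
    recovered: dict[str, str] = {}
    for user, record in stored.items():
        _salt_hex, digest = record.split("$")
        if digest in table:
            recovered[user] = table[digest]
    return recovered


def brute_force_salted(stored: dict[str, str]) -> tuple[dict[str, str], int]:
    """Attack on option 3: guess per user, re-hashing every guess with that user's salt.
    Returns the recovered passwords and how many hash computations it took."""
    recovered: dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        salt_hex, digest = record.split("$")
        salt = bytes.fromhex(salt_hex)
        for guess in COMMON_PASSWORDS:
            work += 1
            if hashlib.sha256(salt + guess.encode()).hexdigest() == digest:
                recovered[user] = guess
                break
    return recovered, work


# Beyond the three options: a deliberately slow, salted password hash, so each
# guess costs the attacker real time. Iteration count kept low for illustration;
# OWASP's published figure for PBKDF2-HMAC-SHA256 is 600,000.
PBKDF2_ITERATIONS = 100_000


def store_slow_hash(password: str, salt: bytes | None = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_slow_hash(password: str, record: str) -> bool:
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    # Constant-time comparison, so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    unsalted = {u: store_unsalted_hash(p) for u, p in USERS.items()}
    print("lookup attack on unsalted hashes:", lookup_attack(unsalted))
    salted = {u: store_salted_hash(p) for u, p in USERS.items()}
    print("lookup attack on salted hashes:", lookup_attack_on_salted(salted))
    print("per-user brute force on salted hashes:", brute_force_salted(salted))
```

Running it shows the lookup table recovering all three unsalted passwords with no guessing at all, recovering nothing from the salted records, and the per-user brute force still succeeding against these weak passwords: salting removes the shortcut, not the need for a strong password and a slow hash.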
Given that bad news, also keep in mind that, eventually, every company gets hacked. The difference is in whether the stolen information can be used for anything.
If you use the same password everywhere (60% of people do) then your password is only as strong as the weakest website that has it. When someone steals your password and user ID from one site, they try the same pair across many other services. This is called credential stuffing, and because every attempt looks like an ordinary login with a valid password, it’s hard for even companies with good security to detect.
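What a credential-stuffing run looks like from both sides, as an added example written for this page (not from the original post or any real service). The breach dump, the two services and their user stores are constructed: Alice reuses login and password everywhere, Bob reuses only the login, and Carol uses a unique forwarding address and a unique password per site. The detector is a deliberately simple per-IP heuristic; the names and thresholds are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed breach dump from the careless site: login name and plaintext password.
BREACH_DUMP = [
    ("alice@example.com", "letmein"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "Tr0ub4dor&3"),
]

# Constructed user stores of two unrelated services (hypothetical). Alice reuses
# everything; Bob reuses the login but not the password; Carol's login and
# password are unique per site, so the dump contains nothing that works against her.
SERVICES = {
    "bank": {
        "alice@example.com": "letmein",
        "bob@example.com": "hunter2",
        "carol+bank.8x1q@fwd.example": "Vf3q-LmZ8-pW7t-Rk2c",
    },
    "email": {
        "alice@example.com": "letmein",
        "bob@example.com": "correct horse battery staple",
        "carol+mail.2ne9@fwd.example": "Hq6z-Dn4v-Xa1s-Jt9b",
    },
}

ATTACKER_IP = "198.51.100.7"  # documentation range, constructed
CUSTOMER_IP = "203.0.113.5"   # documentation range, constructed


@dataclass(frozen=True)
class LoginAttempt:
    src_ip: str
    service: str
    username: str
    success: bool


def credential_stuffing(dump, services, src_ip: str) -> list[LoginAttempt]:
    """Attacker side: replay every leaked login/password pair against every service."""
    attempts = []
    for username, password in dump:
        for service, store in services.items():
            ok = store.get(username) == password
            attempts.append(LoginAttempt(src_ip, service, username, ok))
    return attempts


def compromised_accounts(attempts) -> set[tuple[str, str]]:
    """Which (service, username) pairs the replayed credentials opened."""
    return {(a.service, a.username) for a in attempts if a.success}


def detect_stuffing(attempts, min_distinct_users: int = 3, max_success_rate: float = 0.5):
    """Defender side: flag source IPs that try many distinct usernames and mostly fail.
    A customer mistyping a password hits one username; a stuffing run walks a list.
    Caveat: real campaigns spread attempts over thousands of proxy IPs to stay under
    per-IP thresholds, which is exactly why this is hard to catch."""
    by_ip: dict[str, list[LoginAttempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, group in by_ip.items():
        users = {a.username for a in group}
        rate = sum(a.success for a in group) / len(group)
        if len(users) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(users), "success_rate": round(rate, 2)}
    return flagged


if __name__ == "__main__":
    run = credential_stuffing(BREACH_DUMP, SERVICES, ATTACKER_IP)
    print("opened by the stolen credentials:", sorted(compromised_accounts(run)))
    # One ordinary successful login from a customer, mixed into the same log.
    log = run + [LoginAttempt(CUSTOMER_IP, "bank", "bob@example.com", True)]
    print("flagged sources:", detect_stuffing(log))
```

Only Alice’s accounts open: her reused pair works on both services. Bob’s reused login name gets him two failed attempts against his accounts, which is why the post also recommends unique logins. The detector flags the attacker’s address on three distinct usernames and a one-in-three success rate, and leaves the customer’s single successful login alone.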
How do you prevent this problem?
- Understand how bad things are. You can look up whether your information is known to have been stolen. Thefts range from name and address to login and password.
- Use decent passwords. Cutesy things like swear words, women’s names, birthdays, letmein, and 123456 are trivially easy for the bad guy to guess. Create a decent password.
- Use unique passwords. Calm down, you can either use an easy to remember “personal password algorithm” that varies for each website or use a password manager.
- Use unique logins. Not as hard as it sounds. See my post on email forwarding services.
Will this solve all my problems?
Well…no. The future brings new challenges.
- We’ll need to use password managers. They allow really long, random passwords and long, arbitrary login names. That means that, even if someone steals your login and password from one site, they can’t use that pair to break into any of your other accounts.
- Why not just use a “personal password algorithm?” Once enough people have started doing that the bad guys will get a little smarter and write programs to guess your algorithm from a couple of stolen examples.