Jan Espen's Blog

In the ever-evolving landscape of cybersecurity, the age-old battle between hackers and defender’s rages on. At the forefront of this battleground lies the humble password, a digital key that grants access to our most personal and sensitive information. In 2023, the need for a robust password has never been more critical.
In this blog post, I’ll try to explain why long and strong passwords are a good idea.

First some basics.

Your login credentials are stored on a website. This is needed so that the website can recognize you when you login. At minimum the site likely has your email address and your password.

In the early days of the internet, security practices were far from what we know today. Your password, for instance, was often stored in plain text on a website’s servers. While this allowed for straightforward authentication, it also posed a significant security risk. If hackers gained access to the server, they could easily retrieve and misuse your password, potentially leading to data breaches and identity theft.

Salting and Hashing

Instead of relying on simple encryption methods, innovative minds developed a more secure approach that made decryption virtually impossible. Sounds amazing right?

Welcome Hash!

When you create an account or update your password on a website, your password is hashed using a complex algorithm (like MD5, SHA256 etc). The resulting hash is then stored on the website’s server. When you attempt to log in, the website again hashes your input (the password) and compares it to the stored hash. If they match, you gain access; if not, you’re denied entry.
It’s like having a secret handshake that only the gatekeepers understand. They let you pass because you’ve got the perfect handshake, but they never really know what it is.

This method of hashing greatly enhances security because even if a malicious actor gains access to the stored hashes, they won’t be able to reverse-engineer the original passwords. This makes it significantly more challenging for hackers to compromise your account. Or?

A specific hashed password will always translate to the same “cryptic” letters and numbers.
Example:
A MD5 hash of a common password like ‘123456’ will always be f447b20a7fcbf53a5d5be013ea0b15af
While you cannot decrypt f447b20a7fcbf53a5d5be013ea0b15af, you can hash 123456 and find f447b20a7fcbf53a5d5be013ea0b15af
By hashing all popular passwords and all words in a dictionary you will end up with a lot of hashes that can be compared to a compromised database – a so called dictionary attack.

Salt and pepper to the rescue.

Salt and pepper are “ingredients” mixed with your password that creates a totally unique hash. It can for example be your email + password or a random string + password. This ensures that even if two users have the same password, their hashed passwords will be different due to the unique salts.
In other words: Since all hashes in the websites database will be unique a dictionary attack is unfeasible.

Brute Force Attacks (sigh…)

I’d like to conclude the blog post with the previous paragraph, but there’s more to cover. Modern GPUs can generate hashes incredibly fast, way beyond human comprehension.

This means that a GPU can generate a fantazillion hashes and simply check if they match the compromised database. The weaker the password (behind the hash), the faster a GPU can guess it.

Iteration to the rescue?

Iteration basically means that you hash the hash over and over, like 100.000 times. This will slow down the GPU to find a match somewhat, but even more effective is a strong password as shown in the below table from Hive Systems.

The Power of Length

As computational power continues to advance, brute force attacks become more potent. However, a longer password remains a formidable defense. In 2023, experts recommend using passwords that are 16-18 characters long. Longer passwords exponentially increase the number of possible combinations, making it exponentially more difficult even for fast GPUs to guess the password.

Fine, but how do I remember them?

With a suggestion of 16-18 characters, and different passwords for each website, it is impossible to remember it all. Even when using passphrases that usually is easier to remember while still strong.

A password manager is what you need. The software suggests and stores all your strong passwords that a GPU will use years and years to crack. You only need to remember ONE strong password!

I absolutely love RoboForm; it’s an outstanding choice for securely managing your passwords and bookmarks. And here’s the bonus: If you use my referral link to purchase RoboForm Premium for 1 year, you’ll receive an extra 6 months for free, providing you with a total of 1.5 years of secure premium access.

Remember, while no system can claim absolute invulnerability, this approach significantly raises the bar for potential threats. It’s essential to stay vigilant, regularly update your passwords, and adopt two-factor authentication where possible to fortify your digital defenses.

What about the future?

Brute force will become more effective with the advances in GPUs and quantum computing. Password-less methods, passkeys, biometrics, and other forms will get bigger.

However, traditional passwords are still the easiest and cheapest authentication method to implement for a long time to come.

1. sep. 2023
   As a tech enthusiast, I like to keep my digital home clean and tidy. #Linux help to make my renovations and decorations weirdly satisfying!
   Unlike #Windows11 , who’s always rearranging your furniture when you’re not looking – you’ll never find your favorite chair.
   

ID1697592915361489301

31. aug. 2023
    My favorite browser continues to improve 👏 https://t.co/xPnBdLGSE1
    

ID1697274282332524768

18. aug. 2023
    I thought I saw a #UFO, but it turned out to be a drone with a sudden urge to wash the Windows #washywashy
    

ID1692590704764100637

4 September 2023

Today we usually visit the same pages on Internet but when World Wide Web was young we enjoyed some “Surftips”Believe it or not, there are still some cool sites out there to discover. Like: https://my80stv.com/ #nostalgia

31 August 2023

#WindowsWeekly – the podcast that makes Windows users laugh, cry, and question their life choices – Hilarious for non-Windows Survivors! 🪟🎙️
On a serious note: No one better than Leo and Paul

19 August 2023

I may sound old but Frank Sinatra have a lot of good songs.

19 August 2023

Mastodon is great once you put in the work and follow the right people and hashtags, but how do I follow a hashtag in a certain language ?