Tuesday, December 14, 2010

Take care of your passwords

It is actually good to hear the latest breach of Gawker.com database and the release of millions of user information including passwords. It is always good to remind everyone to change their passwords, especially easy ones. And here I'll explain why it's not a good idea to have easy passwords and will give you some tips to help you create strong passwords.

To begin with, I'll explain how a server stores user passwords in a database. Let's say a user goes to hotmail.com and creates a new email with the password "password". The server will most likely encrypt the password and stores it in a database. Let's say the encrypted password is "£K%Ggh", so this strange word will be stored next to his email address. The next time the guy wants to check his email, he'll enter his username and password and the server will encrypt the password again and checks the encrypted word with the one stored in the database. If they match, the server will allow him access to his email.
Let's say the same user creates a commenting account in Gawker.com and uses the same email and password. Gawker will use another encryption scheme to generate their own encrypted word and store it in their own database. Let's say Gawker's word is "G?juu&".
Now if a hacker gets access to Gawker's database and encryption scheme, he can guess easy passwords like "password", "qwerty", "123456" and he'll see the encrypted word for each of them and then he'll search the database for users who have that word as a password and get their associated emails. He then uses the same password on their email accounts (hotmail in our example) and most likely the hacker will gain access to the user's email. And the same thing can happen to Twitter and Facebook accounts as well.

That's what happened today. And to add insult to injury, Gawker hackers released the whole database on the Internet. Allowing everyone access to the database.

In this particular case, if the password is hard to guess, the user will be better protected. So if the password was "pa$$word" or "Passw0rD" it will be a lot harder to guess. I'll give recommendations for better passwords later.

So, what you can do to protect your online account and what lessons we learned from today's event?

First, change all your passwords immediately  even if you are not registered in Gawker or it's sister websites. Second, don't use the same password for different accounts. Third, use special characters in your passwords (other than letters and numbers). Forth, use an app on your mobile phone to store your passwords in case you forget them.

Finally, how to choose a good password:
-Add a mix of these symbols: ¥$€><~|\_.,?!'&£/-@
-Mix upper and lower case letters with numbers
-Replace letters with similar symbols: "password" can be "P@$$w0Rd"
-Intentionally misspell words
-Use a mix of birthdays, occasions, acrynoms, site names, symbols: "20!12!1978" "&face~book&"

Just be creative with your password to prevent anyone from gaining access to your personal information. And good luck out there.


  1. I would like to add that the algorithms used for password encryption are usually one-way algorithms; meaning that even if the algorithm was obtained, one will not be able to get to the source from the output of it! I think the only way they got to the password - just like you said - is by trying to put some guessable and simple one through the same algorithm they obtained and search for the outcome in the database! If it clicks, they get to know that the account that it clicks with has the password they used in that algorithm! So yes, your suggestion of having symbols would help a lot, white spaces too!

    And as for having your passwords on your mobile phone, ... well, I can't agree with that - as is - to be honest! I like the idea of having them just in case if you forgot any, but it's risky, if one managed to get his hands on it, you're DOOMED! XD However, there is a way you can still do that and still have no one to get to know your passwords even if that person got the phone! It's to use OpenPGP, an encryption tool to encrypt files and assign password protection! So my advice is: after typing pass phrases in a mobile phone, use an OpenPGP application to encrypt that file (and assign a strong password)! That way, even if some one got the encrypted files that contains the pass phrases, he wont be able to get anything off of it unless he know the password! That, of course, depends on whether the assigned password is guessable or not! (BTW, if you're wondering what OpenPGP app I use, it's "GPG" (command line tool) on my linux machines and "APG" on my android device)

    I also have a suggestion to add to your list of suggestions to make it easier for people to remember their passwords correctly!
    1. Come up with a strong phrase that you can really rely on and sure that it cannot be guessed, that phase would be the static part! 2. For each account, come up a two or more letters that has something to do with the site, that would be the dynamic part!
    3. Come up with a scheme to combine the static part with the dynamic part - whether at the beginning, middle, or end!

    That way, you'd remember all passwords and would be safe even if one knew another password of yours because that guy still doesn't know how you get to make the dynamic part, that's if he know that you use this scheme!

    I'll just throw a simple example!
    Static phrase: "N\_/+$areCOOL"
    Dynamic phrase(twitter.com): "twit", "ter"
    Scheme: Dynamic[0] + Static + Dynamic[1]
    Password you'd get: "twitN\_/+$areCOOLter"

    Just make sure you never change the static part and the scheme and you're ready to go! :D

    Easy to remember, hard to forget, strong, and unguessable! What more do you want! XP

    Thanks for the great blogpost!
    Keep up the good work!! :)

  2. Excellent blog post!

    Never thought about 'designing' a password so thanks for the tips :)

    Only problem is I have a memory of a goldfish :S

  3. AnxiousNut: thank you for your informative comment. A very nice addition to the post. I agree with what you said and I like your way of generating strong passwords. Welcome to the blog.

    Anonymous: thanks for taking the time to read and post a comment.

  4. @Fares: Thanks :)

    And guys, I found out about this site, it tells how long it does take to get your password guessed! So i though it should be mentioned/shared here! http://howsecureismypassword.net/

    Also i tried the given example password 'twitN\_/+$areCOOLter' and - lol - it said that it would take about 5 sextillion years for a desktop PC to crack your password!

    Although I've no idea how large that number is, but it sure makes me feel safe! :D