The List of Shame
If your password is 12345678, password1 or trustno1 you should really think about changing it!
The Register has published a list of the top 25 passwords in use, and if yours is in the list you may as well be leaving the house with a sign on your back saying “I’m carrying cash”.
More serious is the reason we have these statistics at all: attackers have a growing database of passwords harvested from badly secured websites that use log-in and password authentication. Access to tens of thousands of these log-in and password pairs lets even junior attackers compromise people's accounts by playing the numbers game: if a password is reasonably common, just try it against a bunch of email addresses, capture some poor soul's email account and go on a spam fest.
And now the really dead scary bit
Properly secured systems don’t store the password in plain text at all. They put the password through what’s called a “one way hash” algorithm. Simply put, this treats the password as a series of numbers, runs them through a calculation that produces a fixed-size result (the hash) which is, for all practical purposes, unique to that password, and stores that result instead. You can’t reverse the calculation to get back to the original password, so in theory it’s quite safe. Unless…..
Suppose you have a huge database of common passwords. Now suppose you take that list and add in variant versions, like the ones you get when you substitute a numeric 1 for the letter i or l. Run the resulting huge database through the same algorithm and you end up with a reverse lookup table from hash values back to passwords (a space-saving form of this is what is known as a rainbow table). In other words, an attacker who gets hold of a site’s stored hashes can look your password up in their table (if it’s a common one) with a single lookup per hash and no guessing at all.
Salt to the rescue!
Before you decide to go back to the stone age or use solely pen and paper for your communications, know that all is not lost. Websites with good security use a salt with the password: a random value, different for every user, that is combined with the password before hashing and stored alongside the resulting hash. This makes the lookup tables useless, because a table would have to be built for every possible salt, and two users with the same password end up with completely different hashes. (The salt only stops precomputation; it doesn’t make guessing a single user’s password any slower, which is why well-secured sites also use a deliberately slow hashing function rather than a plain fast one.)
Probably the only time salt is good for you!
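To make the two halves of the argument concrete, here is an added example (my code, not The Register’s or anyone else’s) that first builds the reverse lookup table described above from a small constructed word list plus letter-for-digit variants, uses it to recover a leaked unsalted hash instantly, and then shows that the same password stored with a per-user salt and a slow hash no longer appears in that table. SHA-256 stands in for the fast hash a badly secured site might use, PBKDF2-HMAC-SHA256 for the salted slow hash; the word list and the substitution rules are constructed for the example, not copied from the top-25 list.

```python
import hashlib
import hmac
import itertools
import os

# Constructed word list: a few entries of the kind found on "top 25" lists.
COMMON_PASSWORDS = ["password", "123456", "trustno1", "letmein", "iloveyou"]

# Substitutions people use to "strengthen" a common word (assumed rules,
# e.g. i -> 1, l -> 1, o -> 0). Each letter maps to all forms it may take.
LEET = {
    "i": ["i", "1", "!"],
    "l": ["l", "1"],
    "o": ["o", "0"],
    "a": ["a", "@"],
    "e": ["e", "3"],
    "s": ["s", "5", "$"],
}


def variants(word):
    """Yield the word itself plus every combination of substitutions."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def unsalted_hash(password):
    """What a badly secured site stores: one fast hash of the bare password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for every word and variant (the reverse table)."""
    table = {}
    for word in words:
        for variant in variants(word):
            table[unsalted_hash(variant)] = variant
    return table


def crack_unsalted(stored_hash, table):
    """One dictionary lookup recovers the password, or None if it is not common."""
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a deliberately slow iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password):
    """The record a well-secured site keeps: salt and hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record, attempt):
    """Recompute with the stored salt and compare without leaking timing."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # A leaked unsalted hash of "tru5tno1" (a variant of trustno1) falls at once.
    leaked = unsalted_hash("tru5tno1")
    cracked = crack_unsalted(leaked, table)

    # Two users with the same password, salted: different hashes, neither
    # present in the precomputed table, yet both still verify correctly.
    alice = store_password("trustno1")
    bob = store_password("trustno1")
    return {
        "table_size": len(table),
        "cracked": cracked,
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "alice_in_table": alice["hash"].hex() in table,
        "alice_verifies": verify_password(alice, "trustno1"),
        "alice_rejects_wrong": verify_password(alice, "trustno2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Five words already produce 115 table entries once variants are included; a real attacker’s list runs to hundreds of millions, which is exactly why an unsalted fast hash is little better than plain text for any password that appears on such a list.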
BTW WordPress uses salted passwords
Want to know more?
Bruce Schneier has a wealth of articles on computer security at his site.
Brian Krebs website Krebs on Security is also worth following.