Once upon a time in the Internet’s infancy, there lived a simple text document on web servers across the land. It stored all the website’s usernames and passwords in plain text, granting you access to things like guestbooks, bulletin boards, and all those other Y2K goodies.
Fast-forward to today’s information age, and this humble little document has undergone quite an evolution. In the process, it has become a highly sought-after commodity. Each day, hundreds of dollars are exchanged for giant lists of email and password combinations from sites worldwide.
With hackers and other computer criminals using ever-more sophisticated methods to get hold of user data, we’ve found ourselves in an arms race of password-storing technologies. While many sites still use plain-text – a high-profile example was Reddit back in 2007 – this humble way that website owners used to store passwords has mostly gone the way of the dinosaur.
Enter the Hash (That Won’t Get You Arrested)
In response to the rising threat of password theft, hashing became a de-facto standard for keeping passwords safe. Put simply, hashing uses a similar principle to encryption – transforming a string of characters from their original value to a fixed-length jumble of symbols, numbers and letters.
In the event of a breach, hashing aims to make passwords more difficult to crack, so even if data ends up in the wrong hands, it will be effectively useless.
Hashing comes in a variety of flavours, ranging from the simple scramble to advanced cryptography. The difference between the varieties can be the amount of characters that the password becomes after hashing, or the amount of times it is transformed, but the bottom line is the time it takes for a computer to crack.
Many common forms of hashing can take hundreds or even thousands of years to crack, but as computers get faster, hashes need to be increasingly complex. Some more common types of hashing are dead easy to crack, and only pose a minor speed bump in slowing down hackers.
So … Why Do I Need A Strong Password?
Why bother with numbers, capital letters and symbols if your password will just end up hashed anyway?
Hackers will typically test for weaknesses in a set of hashed passwords by trying a series of attacks. The first of these is commonly called a dictionary attack. Hackers load a hashed set of common words and see which of the accounts match up. Single-word passwords like ‘skiing’, ‘juggle‘ or ‘music’ will be cracked with ease.
Why should you make a longer password? So-called automated brute force attacks can quickly knock off short (shorter than 8 character) passwords by randomly trying strings of letters and numbers until the right answer is found. Goodbye, ‘joe13’, ‘k8sl8’ and ‘b1gb3n’: these passwords can be cracked on an average desktop computer in as little as a day.
So, now you know why a long (more than 8 character) password with a variety of upper and lowercase letters, numbers and symbols is so important.
If you’re in the habit of using weak passwords across multiple sites, consider that one of them just might be storing it in plain text, or with a weak hash. In this way, you can see why it’s potentially dangerous to place so much trust in each and every site you sign up to.
This is all to say: if you take control of your own security, you no longer need to worry. Sign up for our Email Watchdog and if you haven’t already, get a password manager. It can be a really simple way of fixing this problem for good.