What makes a Password Secure?

Posted By BrokenClaw on September 2, 2008

Passwords are everywhere in this digital age, from logging onto your computer at home and work, to logging into websites, to entering a PIN (personal identification number) at the ATM. Passwords are a type of authentication. In other words, they are used to authenticate that you are who you say you are. But how do the computer systems keep your passwords secure?

Let’s say your password is GOLF. First of all, a word like GOLF is a terrible password, but we’ll talk about that later. No modern password system actually saves your password as GOLF. That would be too easy if someone hacked into the system to see the password list. Instead, the programmers create what’s called a hash of the password. That is to say, they run the password through a series of mathematical manipulations, called an algorithm, to end up with a totally unrelated result.

A simple example would be to assign a value to each character, based on the alphabet: A=1, B=2, C=3, etc. So your password GOLF becomes 7,15,12,6. The easiest hash would be to add the numbers together: 7 + 15 + 12 + 6 = 40. Your password is then saved as the number 40. Now when you enter a password, the program runs it through the algorithm, and if the hash equals 40, you’re in.

There are obvious problems with that process. Anyone could stumble upon a different password that adds up to 40, like ZM (27 + 13) or SS (20 + 20). What if you multiplied the numbers? 7 x 15 x 12 x 6 = 7560. That would make it less likely to find a password with the same result. In practice, programmers create extremely complicated algorithms, using complex mathematical formulas, so that the resulting hash is a much larger number. Just using multiplication and addition and inverting some numerals, it’s possible to turn our password GOLF into something like 9844829280. Without knowing the algorithm, it becomes very difficult, other than by trial and error, to reverse the process and get back to GOLF.

A standard keyboard is capable of typing about a hundred different characters, taking into account upper and lower case letters, numbers, symbols, and puctuation marks. All of these characters have unique digital values which are used in password algorithms.

But reversing a hash is not how password theft generally occurs. Instead…

  1. Your password is written or printed on paper, which gets lost or stolen, making an easy mark for the finder/hacker. This method of password theft was a major plot line with the Patrick Swayze character in the movie, Ghost.
  2. The hacker uses all the tools of social engineering, a euphemism for lying, to convince you to give them your password. This type of password theft occurs most often through phishing email and instant messaging.
  3. Malware on your computer, a program called a keylogger, automatically records every key you type on your keyboard, so that the hacker can view the log later and figure out which key sequence was your password.
  4. The hacker guesses your password. It might be a pure guess, based on some personal information, but on a large scale it is more likely that the hacker uses a computer program to keep trying words in a hit-or-miss fashion.

The important point to remember is that no legitimate business or web service will ever ask your password over the phone or request your password “confirmation” in an email or instant message. Just as you would never give your credit card number to an unsolicited caller, you should never reveal your password in a similar situation.

Read more about what makes a better password. Read more about how to create a better password.

Comments

Leave a Reply

Please note: Comment moderation is currently enabled so there will be a delay between when you post your comment and when it shows up. Patience is a virtue; there is no need to re-submit your comment.

Switch to our mobile site