When you enter a gym’s locker room, there are hundreds of lockers. Each has its own combination lock. Without giving it too much thought, you open your locker using the combination only you know, which is the same combination you provided when you signed up at the gym.
Similarly, a password is a shared secret between a user and a service. When the user wants to connect to the service, they identify themselves with their username and prove that identity with the password.
The service checks the password. If it matches, the user is allowed to access the service.
We can think of the service as the locker, the username as the locker’s number and the password as the lock’s combination.
Problems occur, of course, if someone else has your combination. It could be that you use a very popular combination, or someone saw you using the same combination on your bag.
Alternatively, it could be that someone broke into the gym and saw the list of locks and combinations. Let’s take a look at these aspects in the virtual world.
On the internet, some passwords are more common than others. Hackers use lists of the most common passwords to increase their chance of guessing a user’s password quickly. The hacker tools used to guess these passwords are called crackers. Two types of crackers exist - online and offline:
To reduce the effectiveness of offline crackers, many services add a step to the process called salting. Using a salt, a different digest is created each time, even if the password is the same. So although salted passwords are not completely hack-proof, they’re much harder to guess.
So, that’s how passwords get cracked. Now, how do you stop that happening to your business?
On an individual level, always use strong passwords – and don’t use the same password on different websites. Think about what information the password is protecting. You want a really strong one for your online banking, PayPal and other online services you consider sensitive.
Use a really strong password for your email too, as getting access here can allow a hacker to wreak havoc by resetting your passwords on lots of other sites.
In your business, it’s important to realise that you can’t trust your users to choose strong passwords themselves. If you give them the choice, they’ll simply choose weak passwords. In fact, two years ago a database containing 32 million passwords was leaked to the web. Analysis of these passwords showed that 20% of users chose the same passwords from a pool of 5,000 words.
It’s up to you – or your IT administrator - to keep the passwords secure. Here’s how
Implementing many of these precautions will require help from your IT staff or IT supplier. But if you’re going to maintain the security of your systems and website, it’s vital you think carefully about enforcing a strong password policy.
Noa Bar-Yosef is Senior Security Strategist at Imperva.