Password Security
We all know the importance of using a different password for every account, but remembering each one soon becomes hard. Today, hackers will try different variations of your password, adding special characters or capital letters, which is exactly what most of us bolt onto the end of a password to meet a site's complexity requirements. The National Cyber Security Centre (NCSC) advises users to use a password manager to help cope with password overload. A password manager stores all your passwords securely, so you do not need to remember an individual password for each account. It can also generate unique, strong passwords containing a wide mix of characters, numbers and symbols, and typically supports password lengths of up to 50 characters.
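As an added illustration of what a password manager's generator does (example code written for this page, not from the NCSC or any particular password manager), the snippet below draws characters from the operating system's cryptographic random source, redraws until every character class is present, and reports the resulting entropy. The 87-character alphabet and the 20-character default are assumptions for the example.

```python
import math
import secrets
import string

# Character classes a generator typically draws from (the alphabet is an
# assumption for this example; real managers let the user choose the symbol set).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 87 distinct characters


def has_all_classes(password: str) -> bool:
    """True if every character class appears at least once."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters drawn from ALPHABET.

    `secrets` is backed by the OS CSPRNG; `random` must never be used here.
    Candidates are redrawn until every class is present, which is how a
    manager satisfies a site's composition rules without hand-placing
    characters (hand-placing would skew the distribution).
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    This is an upper bound (rejection sampling removes a negligible fraction
    of candidates at these lengths) and only applies to truly random
    passwords; a dictionary word with a symbol bolted on has far less
    entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw)):.1f} bits")
    print(f"50 characters from the same alphabet: ~{entropy_bits(50):.1f} bits")
```

Twenty characters from this alphabet already give about 129 bits, far beyond what any online guessing campaign can exhaust, which is why a manager-generated password does not need the periodic rotation the article discusses later.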
Complex passwords made of random characters, numbers and symbols should be used instead of a common word mixed with a few symbols and capital letters. For security reasons, accounts generally do not store your password in plaintext; they store a hash of it instead. Hashing is a one-way function: a hashing algorithm turns your plaintext password into a string of seemingly random letters and numbers, and the same plaintext put through the same algorithm produces exactly the same string every time. When you log into your online account, the password you enter is hashed with the website's chosen hashing algorithm and compared against the stored hash. If the two match, you are logged in.
So how do hackers get your account's password if the website (following good security practice) stores only a hash and not the plaintext? Several hashing algorithms are in common use, such as MD5 and SHA1. MD5 is an old algorithm that should not be used to store passwords, despite still being widely used today. SHA1 is the successor to MD5 but suffers from the same issues, so it too should not be used, yet still is. These hashes are considered "broken": the computational power needed to calculate thousands of MD5 hashes in a few seconds is now available on an entry-level consumer laptop. SHA1 requires somewhat more computation, so "breaking" these hashes costs more, but it is still doable with a bit more time investment. Instead, websites should use hashing algorithms such as SHA256 and SHA512 to hash our passwords.
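The hash-and-compare login flow from the two paragraphs above, alongside the unsalted MD5 scheme they warn about, as an added example (written for this page, not code from the original article). It uses only Python's standard library. SHA256 appears here the way it is actually deployed for passwords: as the inner function of PBKDF2, iterated many times with a per-user random salt so that every stored hash is unique and deliberately slow to compute. The iteration count and the `pbkdf2_sha256$...` record format are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is a tunable cost parameter (assumed value for this example;
# raise it until one hash takes a few hundred milliseconds on your own servers).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>.

    A fresh random salt per password means two users with the same password
    get different records, so whoever steals the database cannot recognise
    reused passwords or apply one precomputed table to every row.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored parameters and compare.

    hmac.compare_digest takes the same time regardless of where the digests
    first differ, so a remote caller cannot learn the stored hash byte by
    byte from response timing.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def legacy_md5(password: str) -> str:
    """The scheme the article warns about: unsalted, single-round MD5.

    It is deterministic across users and sites, and a consumer laptop can
    evaluate it millions of times per second, which is why it must not be
    used for passwords.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reused_password_visible(scheme, password: str) -> bool:
    """Would two accounts sharing this password have identical stored hashes?"""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
    print("md5 reveals reuse:   ", reused_password_visible(legacy_md5, "Summer2023!"))
    print("pbkdf2 reveals reuse:", reused_password_visible(hash_password, "Summer2023!"))
```

The deliberately slow, salted construction is the defence against the laptop-scale guessing described above: each guess costs the attacker hundreds of thousands of SHA256 evaluations instead of one MD5, and has to be repeated per user because the salts differ. Purpose-built password hashes such as bcrypt, scrypt and Argon2 achieve the same goal and are equally acceptable choices.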
You may previously have been lectured by multiple people about the importance of regularly updating your password; however, the NCSC advises against this. When we are told our password has expired and must be updated, more often than not we simply capitalise a letter or add a special character to the end of our existing password (typically a nice simple exclamation mark). This is ineffective because, as discussed above, hackers will try different variations of your password. It is therefore best to mitigate the risk of your account being compromised by using one strong, unique password combined with multi-factor authentication (MFA) or two-factor authentication (2FA).
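A server-side check that catches the "add an exclamation mark" habit described above, as an added example that is not from the article or the NCSC. When a user changes a password, the old and new values are reduced to a canonical form (lower-cased, with leading and trailing digits and symbols removed and common letter-for-symbol swaps undone) and the change is rejected if both collapse to the same word. The substitution table, the minimum core length and the result strings are assumptions for the example.

```python
import re

# Letter-for-symbol swaps users commonly make (an assumed table for this
# example; extend it to match the patterns you actually see).
LEET_TO_LETTER = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                                "3": "e", "5": "s", "7": "t"})
MIN_CORE_LENGTH = 4  # shorter cores are too ambiguous to compare


def canonical_form(password: str) -> str:
    """Reduce a password to the 'word' the user is really reusing.

    Steps: lower-case; drop any run of non-letters at either end (the
    appended year, the trailing '!'); undo common leet substitutions in
    what remains. 'Winter2023!' and 'W1nter!!' both become 'winter'.
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_TO_LETTER)


def is_trivial_variation(old_password: str, new_password: str) -> bool:
    """True if the new password is only a cosmetic edit of the old one."""
    if old_password.lower() == new_password.lower():
        return True
    old_core = canonical_form(old_password)
    new_core = canonical_form(new_password)
    if len(old_core) < MIN_CORE_LENGTH or len(new_core) < MIN_CORE_LENGTH:
        return False  # nothing meaningful left to compare (e.g. all digits)
    # Same core, or one core embedded in the other ('winter' -> 'MyWinter99').
    return old_core == new_core or old_core in new_core or new_core in old_core


def check_password_change(old_password: str, new_password: str) -> str:
    """Decision a change-password handler can act on (assumed message strings)."""
    if is_trivial_variation(old_password, new_password):
        return "rejected: new password is a minor variation of the old one"
    return "accepted"


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("password", "P@ssw0rd!"),
                     ("Summer2023!", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

This check can only run at change time, when the user supplies both the current and the new password: the stored hash cannot be canonicalised, which is one more reason forced rotation tends to produce the weak variations the article describes rather than prevent them.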