Cybersecurity is a frequent topic on this blog because it’s a big issue for health IT, but sometimes the concepts can be a little abstract. I’ll bring the topic down to earth by showing how it applies to something everyone is familiar with, their website passwords.
How Passwords Work
It’s easy to imagine that website credentials work by storing a huge database of all the usernames and corresponding passwords. When you attempt to log in, the website checks the password you submitted against its recorded password for the username you supplied. But this isn’t the whole story.
Passwords are not stored on the server in plain text because that would be a big security hole. Anyone with legitimate or illicit access to the database would be able to read everyone’s password. Instead, each password is run through a cryptographic hash function, and only the resulting hash is stored.
A hash function is a one-way encoder: plain text can be easily hashed, but it’s practically impossible to reverse the hash back into the original plain text.
Therefore, the login process has an extra step. The user submits his username and password in plain text. When it arrives at the server, the hash algorithm is applied to the password. If the result matches the stored password hash for the given username, then access is granted. This means that the plain text password is never stored and everything is perfectly secure, right? Well, not exactly…
Cryptographic hashes are an effective way of preventing disclosure of the plain text, but there are ways to bypass the hash. One way is with a dictionary attack. In this context, the dictionary need not be a standard like Funk & Wagnall’s; it can be any list of text strings in any language. It can contain proper nouns, numbers and other non-word entries.
By applying the cryptographic hash algorithm to every single word in the list, the attacker will have a full list of words and their hashes. If he is able to get a user’s hashed password (or better yet, an entire database of users’ hashed passwords), he can look up the hash in his list and see the corresponding plain text password.
Any word that is likely to be in a list of dictionary words is fairly easy to compromise. This is why so many systems have password rules that require mixed case, numerals and special characters. The rules are designed to reduce the probability that your password looks like a normal dictionary word.
A smart attacker will add variations to his dictionary to try to catch some of these cases. For example, in addition to “password,” he will add “password1,” “pa$$word,” “Password,” and so on. It may seem counterintuitive, but the password rules a system establishes may actually make a password easier to crack. For example, if mixed case is required, then there’s no point in keeping “password” in the dictionary; it’s known beforehand that the all-lowercase version wouldn’t be accepted.
What, then, are some good ideas for generating strong passwords?
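To make the login check and the dictionary lookup described above concrete, here is an added example in Python (not code from the original post). An unsalted SHA-256 hash and a constructed three-word list stand in for the server’s hash function and the attacker’s dictionary; USER_DB, login, variations, build_lookup and recover are names chosen for this example.

```python
import hashlib

def hash_password(plain: str) -> str:
    # SHA-256 keeps the example short; real systems should use a salted,
    # deliberately slow password hash (bcrypt, scrypt or Argon2) instead.
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()

# Constructed stand-in for the server's user table: username -> stored hash.
USER_DB = {
    "alice": hash_password("Password"),
    "bob": hash_password("dttia^6edicin"),
}

def login(username: str, submitted: str) -> bool:
    """Server-side check: hash what the user typed and compare with the stored hash."""
    stored = USER_DB.get(username)
    return stored is not None and hash_password(submitted) == stored

def variations(word: str):
    """The variants the article lists for 'password': 'password1', 'pa$$word', 'Password'."""
    yield word
    yield word + "1"
    yield word.replace("s", "$")
    yield word.capitalize()

def build_lookup(dictionary, require_mixed_case: bool = False) -> dict:
    """Precompute hash -> plain text for every word and variant.

    If the target site enforces mixed case, an all-lowercase candidate can never
    be a valid password there, so it is dropped: the rule shrinks the search."""
    table = {}
    for word in dictionary:
        for candidate in variations(word):
            if require_mixed_case and candidate == candidate.lower():
                continue
            table[hash_password(candidate)] = candidate
    return table

def recover(stored: dict, lookup: dict) -> dict:
    """Look each stored hash up in the precomputed table; return the ones that match."""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

if __name__ == "__main__":
    table = build_lookup(["password", "medicine", "letmein"], require_mixed_case=True)
    print(recover(USER_DB, table))  # alice's "Password" is found; bob's non-word is not
```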
One recommendation is to use a password manager such as 1password.
Not only does it maintain a database of all your passwords that you can access from any of your devices, it also generates strong passwords. They look like nonsense and are impossible to remember, but since 1password keeps track of them for you, you never need to type one from memory.
If you want to create your own passwords, try to use strings that won’t appear in a dictionary. One way to do this is to take the first (or last) letter of each word in a sentence that you’ll remember. For example, “don’t think twice, it’s alright” becomes “dttia,” which is unlikely to be in any word list. Another way is to take a long word and remove letters from the beginning or end (or both). “Medicine” becomes “edicin” – again, an unlikely entry on a word list.
Since you’ll probably need to include a digit and/or a special character, use those in between two of your non-words. Example: “dttia^6edicin.”
Another important recommendation is not to reuse passwords across websites. If your password is compromised on one service, the attacker can try the same username and password on other common sites. That can make passwords difficult to remember, but you can use your standard password on each site with the first few letters of the website’s name appended. For example, if we were using our nonsense password on google.com, it would turn into “dttia^6edicin-GOO,” and on Facebook, the same method would give “dttia^6edicin-FAC.” Now, you have completely different passwords for each site that aren’t difficult to remember.
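The sentence-initials, trimmed-word and site-suffix steps from the last three paragraphs, carried through in Python as an added example (not the post’s own code). meets_rules encodes an assumed rule set (mixed case, a digit, a special character, at least 12 characters) of the kind the article mentions; all function names are chosen for this example.

```python
def initials(sentence: str) -> str:
    """First letter of each word: "don't think twice, it's alright" -> "dttia"."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha())

def trimmed(word: str, drop_front: int = 1, drop_back: int = 1) -> str:
    """Remove letters from the start and/or end of a long word: "Medicine" -> "edicin"."""
    end = len(word) - drop_back
    return word[drop_front:end].lower()

def base_password(sentence: str, word: str, joiner: str = "^6") -> str:
    """Join the two non-words with the digit/special characters in between."""
    return initials(sentence) + joiner + trimmed(word)

def site_password(base: str, site: str, letters: int = 3) -> str:
    """Append the first letters of the site name in upper case: google.com -> "-GOO"."""
    name = site.lower().removeprefix("www.").split(".")[0]
    return f"{base}-{name[:letters].upper()}"

def meets_rules(password: str, min_len: int = 12) -> bool:
    """Assumed rule set: mixed case, a digit, a special character, minimum length."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

if __name__ == "__main__":
    base = base_password("don't think twice, it's alright", "Medicine")
    for site in ("google.com", "www.facebook.com"):
        pw = site_password(base, site)
        print(site, pw, meets_rules(pw))
```

One caveat the code makes visible: the base password alone has no upper-case letter and only passes the rule check once the site suffix is added, and that suffix is a recognizable pattern, which is the kind of weakness a password manager’s randomly generated per-site passwords avoid.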
Another password security tip: don’t type your username and password into any web page you visit by clicking a link in email. If your bank sends you an email that says you need to log in to your account, open a new browser window, navigate to your bank’s website, and log in from there. Clicking the link in an email is simpler, but you can be easily tricked into putting your credentials into a counterfeit site. This is known as a phishing attack, and it’s in a different class of tactics than the dictionary attacks we have been discussing. Phishing attacks are now a common method of compromising security.
Finally, turn on two-factor authentication for any sites that support it. This means you’ll get a phone call or text message each time you try to log in. It introduces an extra step, but it means an attacker can’t access your account with just your username and password.
Stay Safe Out There
The recommendations here are only a part of personal password hygiene, and passwords are just a tiny part of the entire cybersecurity picture. The intention here is just to tie a familiar activity to a broader concept. Effective cybersecurity requires “defense in depth,” and a good way to build depth is to increase everyone’s understanding of security basics. The next time you have to make up a password that contains letters, numbers, mixed case and special characters, you’ll know the reason why.