Cybersecurity is a frequent topic on this blog because it’s
a big issue for health IT, but sometimes the concepts can be a little abstract.
I’ll bring the topic down to earth by showing how it applies to something
everyone is familiar with: their website passwords.
How Passwords Work
It’s easy to imagine that website credentials work by
storing a huge database of all the usernames and corresponding passwords. When
you attempt to log in, the website checks the password you submitted against
its recorded password for the username you supplied. But this isn’t the whole
story.
Passwords are not stored on the server in plain text because
that would be a big security hole. Anyone with legitimate or illicit access to
the database would be able to read everyone’s password. Instead, each password
is run through a cryptographic hash function, and only the resulting hash is stored.
A hash function is a one-way transformation: plain text can be easily hashed, but
it’s practically impossible to reverse a hash back into the plain text that produced it.
Therefore, the login process has an extra step. The user
submits his username and password in plain text. When it arrives at the server,
the hash algorithm is applied to the password. If the result matches the stored
password hash for the given username, then access is granted. This means that
the plain text password is never stored and everything is perfectly secure,
right? Well, not exactly…
Dictionary Attacks
Cryptographic hashes are an effective way of preventing
disclosure of the plain text, but there are ways to bypass the hash. One way is
with a dictionary attack. In this context, the dictionary need not be a
standard like Funk & Wagnall’s; it can be any list of text strings in any
language. It can contain proper nouns, numbers and other non-word entries.
By applying the cryptographic hash algorithm to every single
word in the list, the attacker will have a full list of words and their hashes.
If he is able to get a user’s hashed password (or better yet, an entire
database of users’ hashed passwords), he can look up the hash in his list and
see the corresponding plain text password.
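To make the login check and the dictionary lookup concrete, here is an added Python example (not code from the original post) that stores a password as an unsalted SHA-256 hash, shows how a precomputed table of hashed dictionary words recovers it from a leaked hash, and then shows the standard mitigation for exactly this lookup: a random per-user salt combined with a deliberately slow hash (PBKDF2-HMAC-SHA256), so the same password no longer produces the same stored value for every user. The word list and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's word list (illustration only).
WORDLIST = ["password", "password1", "pa$$word", "Password", "letmein", "qwerty"]

def plain_hash(password):
    """Unsalted hash, as in the post: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify_plain(password, stored_hash):
    """Login step from the post: hash the submitted password and compare to the record."""
    return hmac.compare_digest(plain_hash(password), stored_hash)

def precompute_table(words):
    """The dictionary attack's lookup table: hash -> plain-text word."""
    return {plain_hash(w): w for w in words}

def lookup(table, stored_hash):
    """Recover the plain text behind a leaked unsalted hash, or None if it is not in the table."""
    return table.get(stored_hash)

def salted_hash(password, salt=None, iterations=100_000):
    """Mitigation: random per-user salt plus a slow hash (PBKDF2-HMAC-SHA256).
    The salt is stored next to the hash; it does not need to be secret."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())

def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo():
    table = precompute_table(WORDLIST)
    # A leaked unsalted hash of a dictionary word is found with one table lookup,
    # and every user who chose that word has the identical hash.
    cracked = lookup(table, plain_hash("password1"))
    # With a random salt the same password stored twice gives two different
    # records, so one precomputed table cannot be reused across users.
    rec_a = salted_hash("password1")
    rec_b = salted_hash("password1")
    return cracked, rec_a != rec_b, verify_salted("password1", rec_a)
```

The salted record still verifies correctly for the right password; what changes is that an attacker must redo the slow hashing once per salt instead of looking up a shared table.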
Password Rules
Any word that is likely to be in a list of dictionary words is
fairly easy to compromise. This is why so many systems have password rules that
require mixed case, numerals and special characters. The rules are designed to
reduce the probability that your password looks like a normal dictionary word.
A smart attacker will add variations to his dictionary to
try and catch some of these cases. For example, in addition to “password,” he
will add “password1” “pa$$word,” “Password,” and so on. It may seem counterintuitive,
but the password rules a system establishes may actually make a password easier to crack. For example, if mixed
case is required, then there’s no point in keeping “password” in the
dictionary; it’s known beforehand that the all lowercase version wouldn’t be
accepted.
Recommendations
What, then, are some good ideas for generating strong
passwords?
One recommendation is to use a password manager such as
1Password.
Not only does it maintain a database of all your passwords
that you can access from any of your devices, it also generates strong
passwords. They look like nonsense and are impossible to remember, but since
1Password is tracking them for you, you never have to type them from memory.
If you want to create your own passwords, try to use strings
that won’t appear in a dictionary. One way to do this is to take the first (or
last) letter of each word in a sentence that you’ll remember. For example,
“don’t think twice, it’s alright” becomes “dttia,” which is unlikely to be in
any word list. Another way is to take a long word and remove letters from the
beginning or end (or both). “Medicine” becomes “edicin” – again, an unlikely
entry on a word list.
Since you’ll probably need to include a digit and/or a
special character, use those in between two of your non-words. Example:
“dttia^6edicin.”
Another important recommendation is not to reuse passwords
across websites. If your password is compromised on one service, the attacker
can try the same username and password on other common sites. That can make
passwords difficult to remember, but you can use your standard password on each
site with the first few letters of the website’s name appended. For example, if
we were using our nonsense password on google.com, it would turn into
“dttia^6edicin-GOO,” and on Facebook, the same method would give
“dttia^6edicin-FAC.” Now, you have completely different passwords for each site
that aren’t difficult to remember.
Another password security tip: don’t type your username and
password into any web page you visit by clicking a link in email. If your bank
sends you an email that says you need to log in to your account, open a new
browser window, navigate to your bank’s website, and log in from there.
Clicking the link in an email is simpler, but you can be easily tricked into
putting your credentials into a counterfeit site. This is known as a phishing
attack, and it’s in a different class of tactics than the dictionary attacks we
have been discussing. Phishing attacks are now a common method of compromising
security.
Finally, turn on two-factor authentication for any sites
that support it. This means you’ll get a phone call or text message each time
you try to log in. It introduces an extra step, but it means an attacker can’t
access your account with just your username and password.
Stay Safe Out There
The recommendations here are only a part of personal
password hygiene, and passwords are just a tiny part of the entire cybersecurity
picture. The intention here is just to tie a familiar activity to a broader
concept. Effective cybersecurity requires “defense in depth,” and a good way to
build depth is to increase everyone’s understanding of security basics. The
next time you have to make up a password that contains letters, numbers, mixed
case and special characters, you’ll know the reason why.