David Huerta 2019

Digital Security Trainer


Data breaches, and in particular those exposing personal passwords for websites or apps, are an evergreen news story which repeats itself like an advent calendar of cybersecurity failures. Although these breaches are a regular phenomenon, each one is trailed by a long, drawn-out window of time in which other attackers use the breached data to log into affected accounts.

To cut that long tail off, you should change your password with the breached service as soon as you reasonably can. While you’re at it, it may be good to check for other known breaches, which can be done by visiting security researcher Troy Hunt's haveibeenpwned.com, where you can enter the email addresses you’ve used to register online accounts and see other sites and services where you should strongly consider changing your password.

Many websites and apps ultimately need to be able to know what your password is in order to make sure you’re the one logging in and not someone pretending to be you. As a result, they have to store your credentials, including your password. Typically, your password will live in a database containing the passwords of every user for that service. This makes it a valuable target for an attacker to hack into, and because of that, industry standards and guidelines aim to make it difficult for an attacker to see every password without hacking into additional systems.

When you’re notified of a password breach, you may read something about “hashing” and “salting.” Sadly, this has nothing to do with cooking potatoes. Hashing means that data—in this case your password—was scrambled into a long, fixed-length chunk of encoded text using a mathematical hashing algorithm. The resulting hashes look like this for the top ten most popular passwords:

Password text    Password hash (SHA-1 algorithm, 160 bits written as 40 hex characters)
qwerty           B1B3773A05C0ED0176787A4F1574FF0075F7521E
12345            8CB2237D0679CA88DB6464EAC60DA96345513964
1234567          20EABE5D64B0E216796E834F52D61FD0B70332FC
111111           3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D
123456789        F7C3BC1D808E04732ADF679965CCC34CA7AE3441
12345678         7C222FB2927D828AF22F592134E8932480637C0D
password1        E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D
password         5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
123456           7C4A8D09CA3762AF61E59520943DC26494F8941B
abc123           6367C48DD193D56EA7B0BAAD25B19455E529F5EE

This adds some protection to the list, since every hashed password in a breached database would need to be decoded before finding out what the actual password is. Hashing, however, is easily reversed if the password the hash was based on is already known. If the hash for “password1234” is already known (it is) from a previous breach where you or someone else used the same password, then there’s no need for a computer to “crack” the password—it can just look it up from that list, instantly.

This is one of many reasons why password reuse is a dangerous habit—it only takes one breach (there’s been more than one) for a password to be known to potential attackers forever, even when it’s hashed. In some cases, such as the 2011 Sony breach, there wasn’t even a need for attackers to decode hashes because the passwords were stored in “plain text”, meaning anyone with a copy of the breached password database could read each password directly without needing to decode it first.

Despite the ubiquitous neglect of modern data security practices, every now and then an online service will take some additional steps to make it more difficult for potential attackers to decode their users’ passwords. One way they do this is by “salting” the password, so that there’s an additional chunk of text attached to the password before the combined text of the salt + password is hashed, making it more difficult to decode since the hash of the password alone won’t be useful as a means of looking up its value.

Even so, it’s possible for a reasonably high-end computer to find reused passwords by hashing the salt (each password record’s salt is typically stored in the same database as the password hashes) together with each entry from a list of known breached passwords until a match with the salted password hash is found. Although that’s a lot of possible combinations for a potential attacker to compute, modern password cracking software can easily leverage the processing power of graphics processing units (GPUs) to speed up the process. GPUs are ubiquitous in high-end desktop computers, typically for computer gaming and virtual reality.
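The three storage schemes described above (an unsalted hash that a precomputed list reverses instantly, a salted hash that defeats the precomputed list but still falls to a per-record dictionary run, and the slow, salted key derivation that makes each guess expensive) can be shown side by side in a few lines of Python. This is an added example, not code from the original post or from any of the services it mentions; the wordlist is constructed from the page's own top-ten list, the PBKDF2 iteration count is an assumption chosen for the example, and the `store_password`/`verify_password` names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: a few entries from the page's top-ten list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "12345678", "abc123"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, as in the table above (illustration only, not for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_lookup_table(wordlist):
    """Precompute hash -> password once; this is the 'list' the page says attackers already have."""
    return {sha1_hex(pw): pw for pw in wordlist}


def reverse_unsalted(stored_hash: str, table: dict):
    """An unsalted hash of a known password is 'reversed' by a dictionary lookup, instantly."""
    return table.get(stored_hash.upper())


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Salt + password, then hash: the same password gives a different hash for every salt,
    so a table precomputed from bare passwords no longer matches anything."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest().upper()


def guesses_to_match_salted(stored_hash: str, salt: bytes, wordlist) -> int:
    """How many salt+candidate hashes must be computed before a reused password matches
    (0 if nothing in the wordlist matches). Salting alone only raises the cost from one
    lookup to one hash per candidate per record, which is why the next step matters."""
    for n, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(salted_sha1_hex(candidate, salt), stored_hash.upper()):
            return n
    return 0


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Defensive storage: a random 16-byte salt per user plus a deliberately slow key
    derivation (PBKDF2-HMAC-SHA256). The iteration count is an assumption for this example;
    every candidate an attacker tries against this record now costs `iterations` hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'password' reversed to:", reverse_unsalted(sha1_hex("password"), table))
    salt = os.urandom(8)
    salted = salted_sha1_hex("password", salt)
    print("salted 'password' found in precomputed table?", reverse_unsalted(salted, table))
    print("hashes needed once the salt is known:",
          guesses_to_match_salted(salted, salt, COMMON_PASSWORDS))
    rec = store_password("correct horse battery staple", iterations=10_000)
    print("verify correct password:", verify_password("correct horse battery staple", rec))
    print("verify wrong password:  ", verify_password("password", rec))
```

Running the script prints that the bare hash of “password” is recovered by lookup, that the salted hash is not in the precomputed table, that it still matches on the second candidate once the salt is read from the same database, and that the PBKDF2 record verifies only the right password. The point for a service operator is the cost multiplier: with `iterations` in the hundreds of thousands, the per-record dictionary run the page describes becomes hundreds of thousands of times slower; the point for a user is that none of this helps if the password itself is on the list.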

Different types of adversaries you may have in mind may have different capabilities, and every journalist's scope of risk is unique to their work and their situation. Fortunately, it’s easy to make passwords that are exponentially more difficult to crack, regardless of your adversary’s computational capacity (assuming they’re at least hashed on the online service provider’s end).

Uniqueness of your password is key, and one way to achieve that is by making it as random as possible. Of the millions of people who use “qwerty” as their password, hundreds may believe it was their own original, random idea, but it only took “qwerty” being decoded from its hash once to make it vulnerable for everyone using that password. Similarly, even if, say, fewer than a hundred people are using a clever lyric line or TV show quote, it still only needs to be decoded from its hash once (or simply viewed in plain text, if they were Sony PlayStation Network users in 2011) to expose all of them.

In addition to uniqueness and randomness, the longer a unique password is, the stronger it is. Cracking a short password can be done easily by modern computers simply by guessing all possible combinations of letters, numbers, and special characters of that length. As the password gets longer, the number of possible combinations grows exponentially. This is why a short, even if unique, seven-character password like "3%4,up9" can be cracked by an average laptop in 2 days, while a longer, unique 14-character password like “8fe;wuf487$sb0” would take 327 centuries for the same laptop to crack, and would still outlast the lifetime of anyone using the fastest computers in existence to crack it, due to math. Coming up with unique, randomly generated passwords of 14+ characters for every single website and app we use, however, is an unrealistic expectation for any human's memory. Luckily though, computers are here to automate these kinds of tasks for us.

Modern computers and smartphones have built-in ways of generating randomness, or “entropy” to use for choosing each character of a password. These entropy algorithms are more reliable than the squishy neural network computers we have between our ears, which are biased by a lifetime of memories and unconsciously personalize what we think is random. Coming up with a long random line of numbers, letters and whatever each online service requires is easy for a computer to do. Password managers are apps which can run on your computer, tablet or smartphone to handle this for you. A good password manager will make creating secure passwords quick and easy, since most password managers can both generate a new password and automatically remember it so you don’t have to.
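The two preceding paragraphs make a quantitative claim (the search space grows exponentially with length) and a practical one (let the operating system's entropy source choose each character). Both are shown in the added Python below, which is not code from the original post or from any password manager: it draws each character with the `secrets` module, counts the resulting keyspace and entropy bits, and converts them to a worst-case search time. The symbol set, the 10 billion guesses-per-second rate used in the demo, and the function names are all assumptions for this example; a real cracking rate depends on the hash in use and the attacker's hardware.

```python
import math
import secrets
import string

# Character classes; the symbol set is an assumption standing in for whatever a given site allows.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20, alphabet: str = ALPHABET, require_each_class: bool = True) -> str:
    """Draw every character from the OS CSPRNG via `secrets`, never from `random`.
    With require_each_class, resample until each class present in the alphabet appears;
    rejection sampling keeps every accepted password equally likely among those that qualify."""
    if length < 1:
        raise ValueError("length must be positive")
    needed = [cls for cls in CLASSES if any(ch in alphabet for ch in cls)]
    if require_each_class and length < len(needed):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or all(any(ch in cls for ch in candidate) for cls in needed):
            return candidate


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of possible passwords of exactly this length: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given guess rate
    (the rate is the caller's assumption; an attacker expects success about halfway)."""
    return keyspace(length, alphabet_size) / guesses_per_second


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length at which a random password from this alphabet reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    size = len(ALPHABET)
    rate = 1e10  # assumed guesses per second for a GPU rig against a fast, unsalted hash
    for n in (7, 14):
        years = brute_force_seconds(n, size, rate) / (365.25 * 86400)
        print(f"{n} chars: {entropy_bits(n, size):.1f} bits, "
              f"{keyspace(n, size):.3e} candidates, ~{years:.3g} years at {rate:.0e} guesses/s")
    print("length needed for 80 bits from this alphabet:", length_for_bits(80, size))
    print("generated:", generate_password(16))
```

Doubling the length from 7 to 14 does not double the work; it multiplies it by the whole 7-character keyspace, which is the exponential growth the text refers to. Passing a restricted `alphabet` (digits only, for a PIN) shows the other side of the same formula: fewer symbols per position means more positions are needed to reach the same number of bits, which is what `length_for_bits` reports.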

This is the best way to change the password on whatever online service got breached, but while you’re at it, you can start changing all your passwords to stronger ones using a password manager. Next time this happens you’ll at least have bought some time—assuming hashing algorithms themselves aren’t made vulnerable by new mathematical breakthroughs—before having to change your password in the next breach. If you’re wondering which password manager to use, check out our guide on how to choose one.

Photo by Mark Burnett. CC-BY 2.0.