If you've ever been notified of a data breach involving your credentials for a website or app, you may already know that you need to change your password for that account. In this guide, we'll dive into why your password needs to change and what to change it to in order to prepare for the next breach.
Data breaches, and in particular, those including personal passwords for websites or apps, are an evergreen news story which repeats itself like an advent calendar for cybersecurity failures. Although these breaches are a regular phenomena, they are trailed by a long, drawn-out window of time where other attackers use breached data to log into affected accounts.
To minimize risk in that window of time, you should change your password with the breached service as soon as you reasonably can. While you’re at it, it may be good to check for other breaches that affect your accounts by visiting security researcher Troy Hunt's haveibeenpwned.com, where you can enter in the email addresses you’ve used to register online accounts, and see other sites and services where you should strongly consider changing your password.
Many websites and apps need to be able to know what your password is in order to make sure you’re the one logging in and not someone pretending to be you. As a result, they have to store your username and password. Typically, your password will live in a database containing the passwords of every user for that service. This makes it a valuable target for an attacker, and because of that, industry standards and guidelines aim to make it difficult for an attacker to see every password without hacking into additional systems.
When you’re notified of a password breach, you may read something about “hashing” and “salting.” Sadly, this has nothing to do with cooking potatoes. Hashing means that data, in this case your password, was scrambled into a long, fixed-length chunk of encoded text using a mathematical hashing algorithm. The result — hashes, look like this:
|Password text||Password hash (SHA-128 algorithm)|
This adds some protection to the list, since every hashed password in a breached database would need to be decoded before finding out what the actual password is. Hashing, however, is easily reversible if an adversary already knows what password the hash was based on. If the hash for “password1234” is already known (it is) from a previous breach where you or someone else used the same password, then there’s no need for a computer to “crack” the password — it can just look it up from the list of known passwords from that breach, instantly.
This is one of many reasons why using the same password for multiple accounts is a dangerous habit — it only takes one breach (there’s been more than one) for a password to be known to potential attackers, even when they’re hashed. In some cases, such as the 2011 Sony breach, there wasn’t even a need for attackers to decode hashes because the passwords were stored in “plain text”, meaning anyone with a copy of the breached password database could see each password text directly.
Despite the ubiquitous neglect of modern data security practices, every now and then an online service will take some additional steps to make it more difficult for potential attackers to decode their users’ passwords. One way they do this is by “salting” the password, so that there’s a chunk of text attached to the password before the combined text of the salt + password is hashed, making it more difficult to decode since the hash of the password alone won’t be useful as a means of looking up its value. Unfortunately, companies are rarely transparent about the security practices they use to protect passwords in their servers, giving users no means of assessing risk if a breach were to happen.
Additionally, different types of adversaries may have different capabilities, and every journalist's scope of risk is unique to their work and their situation. Fortunately, it’s easy to make passwords that are exponentially more difficult to crack, regardless of your adversary’s computational capacity (assuming they’re at least hashed by the online service provider).
Uniqueness of your password is key, and one way to create a relatively unique password is to make it as random as possible. Of the millions of people who use “qwerty” as their password, hundreds may believe this was their original, random idea, but it only took “qwerty” being decoded from its hash once to make it vulnerable for everyone using that password. Similarly, even if, say, less than a hundred people may be using a clever lyric line or TV show quote, it still only needs to be decoded from its hash (or just viewed in plain text if they were a Sony PlayStation Network user in 2011).
In addition to uniqueness and randomness, the longer a unique password is, the stronger it is. Cracking a short password can be done easily by modern computers by simply guessing all possible combinations of letters, numbers, and special characters of that length. As the password gets longer, the number of possible combinations grows exponentially. This is why a short — even unique-looking, seven-character password like "3%4,up9" can be cracked by an average laptop in 2 days while a longer, unique 14-character password like “8fe;wuf487$sb0”would take 327 centuries for the same laptop to crack, and at least beyond the lifetime of anyone using the fastest computers in existence to crack it, due to math. Coming up with 14+ character length unique, randomly-generated passwords for every single website and app we use, however, is an unrealistic expectation for any human's memory. Luckily though, computers are here to automate these kinds of tasks for us.
Modern computers and smartphones have built-in ways of generating randomness, or “entropy” to use for choosing each character of a password. These entropy algorithms are more reliable than the squishy neural network computers we have between our ears, which are biased by a lifetime of memories and unconsciously personalize what we think is random. Coming up with a long random line of numbers, letters and whatever each online service requires is easy for a computer to do. Password managers are apps which can run on your computer, tablet or smartphone to handle this for you. A good password manager will make creating secure passwords quick and easy, since most password managers can both generate a new password and automatically remember it so you don’t have to.
This is the best way to change the password on whatever online service got breached, but while you’re at it, you can start changing all your passwords to stronger ones using a password manager. Next time this happens you’ll at least have bought some time before having to change your password in the next breach. If you’re wondering which password manager to use, check out our guide on how to choose one.