Quick note: This is a longer post and will help you understand some of the more technical aspects of cybersecurity. You may want to go grab a beverage before getting started…
Passwords are the one security tool that almost everyone is familiar with. But surprisingly, I find passwords are also one of the most misunderstood tools for protecting yourself online. Today I’m going to talk about the real purposes of passwords and how you can improve their effectiveness with a few easy steps.
First, it’s important to understand what we call the CIA triad. Which, now that I write it down, is kind of a scary sounding name. CIA is an acronym -yes I know it is also an acronym for that other thing, but in this case is stands for Confidentiality, Integrity, and Accessibility. These are the three goals we are trying to achieve whenever we talk about cybersecurity.
The CIA triad is commonly represented as a triangle to show that the three goals require a balance. In every case we have to accept compromises in one or more of the three goals. If you turn your computer off and unplug it and lock it inside a safe guarded by poisonous cobras, I can pretty much guarantee that no one is going to be able to access your computer without permission, so we have very high confidentiality and integrity, but the availability of the computer will be severely reduced.
Now that we have that basic understanding, let’s talk about what the purpose of a password is. Passwords are obviously intended to preserve the confidentiality of your information. By protecting your bank account (or your email account or whatever) with a password, you are trying to ensure that no unauthorized people can access that information. Passwords also preserve integrity. When you login to your bank account, you are providing proof to the bank that you are who you say you are. Like showing your driver’s license when you go to the bank in person. Your password is kind of like a digital fingerprint that should be able to uniquely identify you.
If your password is going to be the way your identity is verified online, obviously you should never share it with anyone. I make an exception here for your kids. It is OK for your kids to share their passwords with you, but you should not share the other way around. If you are sharing your password, you need to make sure that whomever you share it with is going to protect it as effectively as you are. Unless you are confident your kids can do that, you are better off setting up seperate accounts for them with their own passwords. Keeping our password a secret is a good first step, but we are talking about computers here and computers are exceptionally good at guessing things. In this case, when I say “guessing” what I mean is trying every conceivable combination of letters and numbers until they find the right one and doing it very fast. So we want a password that is complex, meaning it would take a computer, or a person, a long time to guess the password. Let’s pause for a minute to talk about how that works…
Think of a number between 0 and 9. Got it? Good. Now, it doesn’t matter what the number was. I can definitely guess it in no more than 10 tries, right? Good. Next step, pick again, but this time you can pick a number 0-9 or a letter of the alphabet. So now it will take me a maximum of 36 guesses. I might still stumble onto the right answer on the first try, but the maximum is 36 guesses. If we treat capital and lowercase letters separately then we have 62 possible answers (26 lowercase letters + 26 upper case letters + 10 numbers). If I had you pick 2 characters then the number of possible solutions is 3844 (62*62). So that will already take a person a pretty long time to guess. But for a computer, a computer can guess thousands or even millions of options per second. So this isn’t going to be a problem for me to crack using a computer. But if I have you pick 16 characters then that is 6216 = 47,672,401,7 06,823,533,450,263,330,816. That’s gonna take me a bit even using a pretty powerful computer. If I add in a few common punctuation characters, I can make this number even higher. There are a lot of other things we can do to make it take even longer to guess a password, but the important point is that even with all this math, ALL passwords can be guessed or “cracked” as we call it.
Well that sucks! I can hear you saying it. I guess we may as well just give up and go back to bartering with chickens, right? Well, hold on all is not lost. There is one very easy thing you can do to almost eliminate this risk. Change your password.
Huh? Let’s say it is going to take someone with a really fast computer 100 days on average to guess your password. If you change your password on the 90th day than the bad guy has to start all over. There is still a chance that the bad guy could guess your password on the first try, but given the numbers involved it is staggeringly unlikely. In fact, this is how we in the cybersecurity world pick those annoying time limits for you to change your password.
Feeling pretty good now, right? Well hold on. We have been assuming a truly random set of characters here. If I only have to check for dictionary words let say and not all possible combinations, then I can drastically reduce the number of attempts I need. If I have some information about you like your kids names, or your birthdate that I think you may have used, I can bring that number down even further. For example, let’s say you have three kids. Alex, Scott, and Jane. If I think you have used some combination of these names as the password, then I only have to check the unique characters in each name. So that is just 10 letters (a,l,e,x,s,c,o,t,j,n) to try. Even in a 16 character password that is only 10,000,000,000,000,000 options which is a lot, but is only 0.00000000002% as many as when we used all the letters and numbers.
One more factor to consider. Suppose you use the same password for two different websites. For example your bank and your Starbucks account. We can assume your bank is being pretty darn careful about protecting your password. Starbucks maybe not as much. And if someone gets your Starbucks password, they now also have your bank password. Same thing if you write your passwords down. If all my passwords are on a sticky note next to the computer or in a note on my phone, the bad guy just needs to get one quick look at that and I’ve lost everything.
We now understand we want random passwords with uppercase and lowercase letters as well as numbers and maybe some punctuation. We also want a unique password for every account and we don’t want to share our password with anyone ever or write them down. This is great and I now have very low risk in the confidentiality and integrity of my data. Except now I can’t remember any of my passwords and I can’t access any of my accounts so my risk for availability is very high. The answer to this is password managers.
A password manager is different than a document or note on your computer. It is usually a seperate program or service that does just one thing. Store your passwords for you. Most also will generate random passwords for you and many provide some extra features like alerting you to weak passwords or sites that have been hacked. Password managers can be integrated into your web browser so they will automatically fill in your password for you, so you really don’t need to remember it at all or even know what it is. Most modern web browsers have a built in password manager which is pretty good, but they do need to be set up correctly. Most importantly make sure your passwords are being securely backed up so if something happens to your computer they are not all lost. For a better solution, you may want to look at a dedicated password management service like LastPass, 1Password, or Dashlane. Most browsers and all password managers will generate secure random passwords for you and this is absolutely the best way to make your passwords more secure.