Weakest link to strongest link: password to passphrase
posted by Sam Woods on Wednesday, April 28, 2021 in SHAZAM Blog
I continue to read about data breaches that stem from weak passwords. As a cybersecurity consultant, I’ve wondered what it will take to get folks to increase the security of their passwords, and it finally occurred to me: Maybe people don’t understand what a password actually is. If you identify with this, don’t feel bad. I have no idea how to valuate a bond or determine the structural integrity of a bridge.
What’s a password? The dictionary tells us it’s a word that grants us access or admission to something. In computer terms, a password gives a user access to something that’s otherwise off limits.
How passwords work
When you create a password, it’s run through a mathematical function called a hash algorithm. The input is your password — let’s say “summer2021.” The password is typed in and the output is an alphanumeric string with a fixed length. For our example, it’s 32 bytes long. So, no matter how many characters the password has, the output is always the same length. This output is commonly referred to as the “hash.”
Once the hash is created, the system for which the password is being generated saves the hash and your username to a file. Each time you attempt to log in, the system takes what you typed in the password field and runs it through the same hashing algorithm. The information is checked to ensure the output matches what’s saved in the file. If it matches, access is allowed. If it doesn’t match, access is denied (when the system is operating correctly). This all happens very quickly; computers can do something like four billion things per second!
From this explanation, you might see the problem. Bad guys could pre-emptively take every word in the dictionary, run each through the same hashing algorithm, and then compare the hashes to the password file they stole or purchased on the dark web. Remember, computers can process things extremely quickly, so it won’t take long. Once a match is found, they have your password.
Passphrase vs. password
For these reasons, security professionals preach to use passphrases rather than passwords. A passphrase is a series of words, and the additional characters add to the complexity. Of course, this also tells us to use uncommon phrases, as they’re far less likely to be guessed.
Many security experts use this explanation to justify moving to biometrics or realistic authentication. The measurements and calculations of the body, including fingerprints and faces, are stored as data. Once collected, these measurements are run through the hashing algorithm and the output is saved. When you attempt to log in, the two outputs (username and hash) are compared, just as is done with passwords and passphrases.
What if someone steals the hash of your fingerprint measurements? Can you change your fingerprint like you can change a password? The simple answer is no.
In a best-case scenario, systems should use layered security requiring multiple security pieces. This is sometimes referred to as multifactor authentication and requires two things:
- Something you know, like your complex passphrase.
- Something you have, such as a security token or a physical device that creates a new code every few minutes.
As much as we may wish it, passwords aren’t going away anytime soon. Having a better understanding of how they work may help users develop stronger passwords and passphrases, yet in the end, we’re only as strong as our weakest link. Unfortunately, all too often, humans are the weakest link.
Please feel free to share this information with your accountholders.
About the Author
Sam Woods is a member of the risk and security management team, leading a group of consultants in efficient and effective execution of IT, ACH, cybersecurity, and compliance consulting services to our participating financial institutions.
SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney.
comments powered by