For the password to remain only your secret, it is usually enough to follow three simple rules: do not try to come up with short, easy-to-remember passwords; do not use the same password on different sites; do not enter passwords on computers you can't trust. I like the method of Bruce Schneier, an expert and author of books on information security and cryptography. It suggests using sentences that turn into a password. For example, "This little piggy went to market" can become something like "tlpWENT2m", a nine-character password that will not be in any dictionary.
Actually, the nine-character password can also be in a dictionary by adding some combination rules. The whole content of Wikipedia can be downloaded and added to a dictionary. Even social media posts and comments can be scraped and used in a dictionary.
That's true and scary AF.
Well, your password, however strong it is, is as weak as any web service's security and password-handling capabilities. If they use an HTTP site to transfer your password and do what Twitter did in logging the password before encrypting it, or worse, just save it as-is on their server, then you are doomed.
So the first rule is: USE THE HTTPS EVERYWHERE EXTENSION AND NEVER USE THE SAME PASSWORD ON DIFFERENT SITES.
Reading this article reminds me of the recent breach of Twitter (although I believe the passwords were properly hashed but the deciphering key was compromised?!)
Hehe, yeah, it was the reason I wrote this article.
No, in hashing there is no deciphering key. A deciphering key only exists in encryption systems that work on both sides, but as explained, you can only hash plain to hash. Hash to plain is not possible; therefore no deciphering exists in hashing.
The problem with Twitter was that they logged the password before they hashed it.
Like this:
User enters password as plaintext -> sent to Twitter server -> PASSWORD LOGGED as plain (they should not do that) -> password hashed -> notify the user whether the password was correct or not.
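The plaintext-before-hash flow above, as an added Python example that is not from the original post or from Twitter: the insecure login writes the request to the log before hashing, while the fixed login hashes first (salted PBKDF2-HMAC-SHA256, an assumed choice; the iteration count is illustrative) and logs only the outcome, so the secret never reaches log storage.

```python
import hashlib
import hmac
import os

# Constructed in-memory log standing in for the server's log file.
LOG = []


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash. The iteration count is an
    illustrative assumption, not a tuning recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(store: dict, username: str, password: str) -> None:
    """Keep only a fresh random salt and the hash; the plaintext is never stored."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def login_logs_plaintext(store: dict, username: str, password: str) -> bool:
    """The mistake from the thread: the request is logged BEFORE hashing,
    so the plaintext password lands in log storage."""
    LOG.append(f"login user={username} password={password}")  # never do this
    salt, digest = store[username]
    return hmac.compare_digest(hash_password(password, salt), digest)


def login_fixed(store: dict, username: str, password: str) -> bool:
    """Hash first, compare in constant time, log only the outcome."""
    # Unknown users get a dummy record so the hash is always computed
    # and the code path (and its timing) does not reveal valid usernames.
    salt, digest = store.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)
    ok = username in store and hmac.compare_digest(candidate, digest)
    LOG.append(f"login user={username} result={'ok' if ok else 'fail'}")
    return ok


def log_contains(secret: str) -> bool:
    """Check whether a secret leaked into the log."""
    return any(secret in line for line in LOG)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "tlpWENT2m")
    login_logs_plaintext(users, "alice", "tlpWENT2m")
    print("plaintext in log:", log_contains("tlpWENT2m"))  # True
    LOG.clear()
    login_fixed(users, "alice", "tlpWENT2m")
    print("plaintext in log:", log_contains("tlpWENT2m"))  # False
```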
Thank you very much for the detailed explanation, now I understand exactly what happened at Twitter.
BTW that reminds me that I should change my password there ASAP :)
I always forget my passwords :(
Hehe, try using https://keepassxc.org/
This should help you! :)
I use LastPass to remember my passwords because I sign up at so many sites every day and I can't use the same password for each one of them; plus they need to be very strong, so it does the job for me.
I always try to read your writing, but today's post is more helpful than the other day's, because the password is the key to online security. Hopefully the text will be useful for everyone.
@creativeidea says, My friends! @rockz Thank you so much for informing everyone by posting Password Help. Password hacking is often heard of, so everyone should use a complex password.
Wow, like really, it's important information I have heard for the first time.
Even if an attacker or employee now steals the password database, it's useless for them since they can't generate the passwords from the hashes.
Like, really??
Yeah, the only way for an attacker to obtain the password is to hash and check it character by character.
This is called a brute-force attack, and it needs a lot of computing power. You can check here approximately how long it would take to brute-force your password: https://howsecureismypassword.net/
Ohh ok, thanks :)
Great and helpful post.
Ah, isn't this concept the bedrock of blockchain technology too? SHA256 seems to light some of my lightbulbs.
Yeah hashing also plays a huge part in blockchain tech.
For example you can generate a public key from a private key but never vice versa. Otherwise all wallets could be hacked. :)
Hashing is appropriate, but maybe in the future we'll see more security implemented, like OTP, fingerprints, biometrics, etc., clubbed together for more security.
The original can also be like this, learning