March 21, 2011

How Passwords Work (And Don't)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today I hope to illuminate some common misconceptions about passwords, what they really mean, and how they can be/are used.  As always, I'll try to keep it simple, but some of the rules are a little wonky if you don't already know them.  Just stay with me, I'll do my best to help!

First, let's start with what most folks already know.  If a website or program wants to make sure you are who you claim to be, it asks for a password.  This works because, as long as we keep passwords in our heads and make them hard to guess, only the person who chose the password should be able to produce it.

Quite a few folks (I believe the last estimate was nearly three quarters of all computer users) have already made a mistake.  If you have sticky notes or a notepad with a login and password on or near your computer, but still use a long and complicated password, you're fairly safe from internet-based attacks.  If someone goes rifling through your computer room, though, or grabs the note during a break-in, or snatches it from your purse/wallet, they have absolute access.  If you use a really easy password to make sure that you don't forget it, you're still at risk from pretty much anybody who wants into your account.

Another easy mistake to make is to use the same login name and password on multiple sites.  Facebook, myspace, grooveshark, pandora, twitter, google, banks, cable, internet, phone, water, electricity... there are a lot of places that use names and passwords!  And if you use the same login name and password for all of them, when one gets compromised the attacker will have your login information for every last one of them.  More on this further down, but for now, back to passwords themselves.

When someone doesn't know your password, there's a huge number of ways that they can still manage to get into your account.  If your password is short, they can try a method called 'brute-force', which is exactly what it sounds like: they start off at 'a', and then go to 'b', and then 'c'... and on and on, until something works or they give up.  If your password is short, they'll most likely guess it even if it's complicated.  If it's long, brute force will take a long time to get there, or won't get there at all.

The next type of attack is called 'dictionary', and is essentially when the attacker starts off with a long list of common words (it's easy to use all the words in a large dictionary as a starting point, then add in names of cities, states, roads, sports teams, and all sorts of other things) and goes through them one at a time, guessing each.  Most dictionary attacks also combine words, so they'll get 'redwalls' the same way they'll get 'red' and 'walls'.

The first two methods, as described above, work even when the attacker doesn't know anything about you.  But what if you use a long password with things like your date of birth, SSN, telephone number, pet's name, or things like that?  While not exactly sophisticated, 'guessing' is a form of attack as well, and the better you know your target, the more likely you are to succeed.  You should never use personal information that you don't want shared with the world as part of your login name or password (either of them!), because it significantly reduces the number of different things your password could be.  Why not your login name, either?  Well, take this as food for thought: a quick search for leaked data shows that it happens all the time, even to big-name companies!  If an attacker can link your login name to you, they get whatever you used as your password, name, and anything else you entered for free!
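To make the three attacks above concrete from the checking side, here is an added example (not code from the original post) of a small password-policy checker: it estimates how many guesses a brute-force search over the password's own character set would need, looks for a dictionary word or a two-word concatenation like 'redwalls', and flags personal details that appear inside the password.  The word list, the personal details, the one-billion-guesses-per-second rate and the sample passwords are all constructed for the demonstration.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Constructed stand-in for the "large dictionary" plus the names, teams and
# places the post says attackers add to it; a real checker loads a word file.
WORDS = {"red", "walls", "password", "dragon", "boston", "celtics", "summer"}

# Constructed personal details for a hypothetical user (birth year, birthday,
# pet, surname, phone digits); in practice these come from the user's profile.
PERSONAL = ["1985", "0412", "fluffy", "smith", "5551234"]


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover to reach this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_guesses(pw):
    """Guesses needed to exhaust every string of length 1..len(pw) over that alphabet."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def dictionary_hits(pw, words=WORDS):
    """Dictionary words that make up the password: the word itself, or two concatenated."""
    low = pw.lower()
    if low in words:
        return [low]
    for i in range(1, len(low)):
        head, tail = low[:i], low[i:]
        if head in words and tail in words:
            return [head, tail]
    return []


def personal_hits(pw, personal=PERSONAL):
    """Personal details that appear inside the password (case-insensitive)."""
    low = pw.lower()
    return [p for p in personal if p.lower() in low]


def assess(pw, personal=PERSONAL, guesses_per_second=1e9):
    """Report which of the three attacks the post describes would find the password first."""
    years = brute_force_guesses(pw) / guesses_per_second / SECONDS_PER_YEAR
    report = {
        "length": len(pw),
        "charset": charset_size(pw),
        "brute_force_years": years,
        "dictionary": dictionary_hits(pw),
        "personal": personal_hits(pw, personal),
    }
    if report["dictionary"]:
        report["verdict"] = "weak: dictionary"
    elif report["personal"]:
        report["verdict"] = "weak: personal info"
    elif years < 1:
        report["verdict"] = "weak: brute force"
    else:
        report["verdict"] = "acceptable"
    return report


if __name__ == "__main__":
    # Constructed sample passwords, one for each attack plus one that survives all three.
    for candidate in ["redwalls", "Fluffy1985!", "kq7Rz", "Tq9#vLm2xR8&pWz4"]:
        r = assess(candidate)
        print(f"{candidate!r:20} {r['verdict']:22} brute-force years: {r['brute_force_years']:.3g}")
```

Note how the verdicts line up with the post: a complicated five-character password still falls to brute force in a fraction of a second at the assumed rate, while eight lower-case letters would take about two centuries to exhaust but fall instantly once the checker notices 'red' + 'walls'.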

Alright, so a login name and password that you can keep in your head, but neither points back to you, and your password should be long and complex?  That is a lot to handle (even for technical folks)!  Fortunately, there are tricks and tools that make this easier while still being safe.  If you use a modern browser, you may have had it ask to remember your password.  I have not, and will never, trust this functionality.  It's too easy to have someone borrow your computer for just a second, and even if you logged out to be safe, they just press OK and are logged back in!  However, modern browsers also have better features, like Firefox's Master Password feature.  It goes hand-in-hand with the functionality that remembers your login details, but instead of just handing them out like candy, it asks for a password before it gives them out.

What if you just have to write things down or you'll forget?  I actually fall into this category, so I can help you along with that, too.  There are stand-alone, open-source programs like KeePass that will store all of your login names and passwords behind a single password.  If you can choose and commit one really good password to memory, this will handle all the rest!  When choosing one of these programs, though, make sure it comes from a reputable source that you know and trust, and it's usually good to have security software be open source so that people who actually care about that kind of thing (programmers like me!) can tattle on programs that try to steal your information, or just plain don't work.

In the end, passwords and such go way deeper than this, but those details are mostly for people who make the security for web sites and programs that take logins.  This post is already super-long, so I'll save nifty ways of making random-but-memorizable passwords (or super-secure random passwords) for a later post.  As always, questions, details, clarifications and such should go in comments.  Thanks for reading!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFNiB7vdzdg8zBNoIARAljuAJwN6a8833Nquclr9BH76qq6aMnCBQCgmI8R
cmrzCVQsHv3++9Y+lZcQ9wA=
=JDxf
-----END PGP SIGNATURE-----
