
I am sure you have heard everywhere about using different passwords for each website. I am also sure you’ve heard about data leaks, password hacking etc. But what does it mean? How exactly is your password protected? And how complicated is it to hack a password?

What is password leaking/hacking?

So let’s start with password leaking/hacking. The general rule of thumb in cybersecurity is to never store passwords in plain text: it is extremely bad practice, really dangerous and will always result in a data leak. Basically, if your password is ‘Password’ and it is stored in plain text, it sits somewhere on the system as ‘Password’ for everyone to see. If that’s the case (and you would be surprised to see how often this happens) and you have used the same password with a different provider, it would be very easy to access your account there too.

How can your password get hacked?

How is this mitigated then? Normally, systems (be it on the internet, be it local) use something called a ‘cryptographic hash’ function to store the passwords. In a nutshell it is a mathematical algorithm that turns (maps) a string of data of any length (called the message) into a fixed-size bit string (called the hash value or message digest). It is also a one-way function: you can compute the hash from the message, but not the message from the hash. There are multiple different algorithms (functions), ranging from simple and easy to break to much more complicated and stronger.

For example:

Number 1 hashed by the MD5 function is: C4CA4238A0B923820DCC509A6F75849B

Word Password hashed by the MD5 function is: DC647EB65E6711E155375218212B3964

Word password hashed by the MD5 function is: 5F4DCC3B5AA765D61D8327DEB882CF99

This whole post hashed by the MD5 function is: 97687809E35724253A2448216D9A2447

The word Password hashed with MD5 will always produce the same value, but note that changing even one letter changes the whole hash: compare the second example with the third, the word password (no capital letter).

What happens when you type your password into an online form is simple: a function takes the typed letters (say Password), turns them into DC647EB65E6711E155375218212B3964 and compares that with the value saved against your username in the database. If the stored value is DC647EB65E6711E155375218212B3964 as well, it will allow you to access the service.

Returning to the hacking/data leak: if a provider’s database of passwords leaks out, in essence it is a list of usernames (say someperson@gmail.com) and the corresponding password hashes, for example someperson@gmail.com / DC647EB65E6711E155375218212B3964.

Now the real problem starts. There are multiple databases that took every single word in a dictionary and created hashes of it using the different algorithms, so if your password of choice is Password from our example, it will take seconds to look up what it is.
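The following is an added Python example, not code from the original post or from First Ireland. It reproduces the three MD5 values quoted above with the standard hashlib module, shows the hash-and-compare login check the post describes, and then shows why a leaked list of unsalted MD5 hashes falls to a precomputed dictionary table. The leaked database, the dictionary and the account names are all constructed for illustration. The final part goes beyond the post: it shows a salted, slow hash (PBKDF2-HMAC-SHA256, also in hashlib) as the kind of "much more complicated and stronger" scheme the post alludes to, where the same precomputed table no longer applies.

```python
import hashlib
import hmac
import os

# The three hashes quoted in the post (MD5 of "1", "Password", "password").
POST_EXAMPLES = {
    "1": "c4ca4238a0b923820dcc509a6f75849b",
    "Password": "dc647eb65e6711e155375218212b3964",
    "password": "5f4dcc3b5aa765d61d8327deb882cf99",
}


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string, the scheme the post uses as its illustration."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def check_post_examples() -> bool:
    """True if hashlib reproduces every hash quoted in the post."""
    return all(md5_hex(word) == digest for word, digest in POST_EXAMPLES.items())


# Constructed stand-in for a leaked database: username -> stored MD5 hash.
LEAKED_DB = {
    "someperson@gmail.com": "dc647eb65e6711e155375218212b3964",   # "Password"
    "other@example.com": md5_hex("letmein"),                        # dictionary word
    "third@example.com": md5_hex("k7#Qv9!wLp2$zRt-constructed"),    # random-looking
}

# Constructed tiny "dictionary"; real precomputed tables hold billions of entries.
DICTIONARY = ["123456", "password", "Password", "letmein", "qwerty"]


def login_unsalted(db, username: str, typed_password: str) -> bool:
    """The check the post describes: hash what was typed, compare with the stored value."""
    return db.get(username) == md5_hex(typed_password)


def build_lookup_table(words):
    """Precompute hash -> word once; afterwards each leaked hash is a dictionary lookup."""
    return {md5_hex(w): w for w in words}


def exposed_accounts(leaked_db, table):
    """Accounts whose unsalted hash appears in the precomputed table (found in seconds)."""
    return {user: table[h] for user, h in leaked_db.items() if h in table}


# Stronger scheme (beyond the post): per-user random salt plus a deliberately slow
# key-derivation function, so one precomputed table cannot serve every user.
def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, stored) -> bool:
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def salted_hashes_differ(password: str) -> bool:
    """Same password for two users gives two different stored values because the salts differ."""
    _, _, d1 = hash_password(password)
    _, _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    print("post examples reproduced:", check_post_examples())
    print("exposed by dictionary table:", exposed_accounts(LEAKED_DB, build_lookup_table(DICTIONARY)))
    stored = hash_password("Password")
    print("salted verify ok:", verify_password("Password", stored), "wrong case:", verify_password("password", stored))
```

The point of the last three functions is the defence: with a per-user salt and a slow hash, an attacker who obtains the database has to start from scratch for every single account, which is why dictionary words are exposed immediately from an unsalted MD5 list but not from a properly stored one.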


What’s the solution?

In its simplest form: create a unique string of characters mixing capital and lower-case letters, numbers and special characters. Make it long; the longer the better. The reason for such a password is this: if the word is not a dictionary word, the only way to break it (that is, to find the message behind its hash) is to brute force it, a method of generating hashes for every possible combination, going from a single number 1 or a single letter A up to long strings of letters, numbers and special characters. A high-quality system nowadays can go through about 17 million combinations in a second, so the longer the password, the more complicated it is and the more different characters it has, the longer it will take.

For example, a password consisting of 01051979 would have taken over 10 years to break in 1982, and the same code would take 1 day in 2020. Check here the estimated time to crack a password.
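As an added example (not from the original post or the estimator it links to), the Python below turns the argument above into a worst-case estimate: the number of combinations is the alphabet size raised to the password length, and dividing by the post’s quoted rate of 17 million guesses per second gives the time to exhaust the whole space. The character classes and their sizes are assumptions of this example; the post’s own figures for 01051979 come from the linked estimator with its own assumptions about hardware, so the numbers differ, but the growth with length and character variety is the point.

```python
import string

GUESSES_PER_SECOND = 17_000_000  # rate quoted in the post for a high-quality system

# Assumed character classes: a brute force must cover every class the password uses.
CLASSES = [
    ("digits", set(string.digits), 10),
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("special", set(string.punctuation), len(string.punctuation)),  # 32 characters
]


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class present in the password."""
    return sum(n for _name, chars, n in CLASSES if any(c in chars for c in password))


def combinations(password: str) -> int:
    """Number of strings of the same length over the same alphabet (worst case)."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every combination; on average the password falls at about half this."""
    return combinations(password) / rate


def human_time(seconds: float) -> str:
    """Rounded, readable duration for the estimate."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: the post's digit-only example, then longer/mixed ones.
    for pw in ["01051979", "Password", "P4ssw0rd!", "correct-Horse-7-battery-Staple!"]:
        print(f"{pw!r:36} alphabet={alphabet_size(pw):3} -> {human_time(seconds_to_exhaust(pw))}")
```

Note that this is only the cost of an exhaustive search; a password that is a dictionary word or a common pattern is found far sooner from a precomputed list, as the post explains, so "not a dictionary word" is as important as length.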

So there you go: that is why not to re-use passwords, and why to create long, random strings!

Stay safe!

Find out how you can stay protected online! Ask for a quote on Cyber Liability Insurance through First Ireland’s website or call us at 01 882 0872