Weird Thoughts About Cyber Security

I’m going to tell you the four things you need to know about cyber security. Read this and you’ll be more knowledgeable on the subject than most in the general population, and a lot of people in the cyber security field, too, for that matter. The first one gets a little deep, but you can skip over the hard part as long as you read the conclusion.

What really matters with passwords is their length.

You want to be using 15-character or longer passwords. Sure, upper-case, lower-case, numbers, special characters, whatever. What matters most, though, is length, and here’s why.

When you change your password on a site — like your bank account, for instance — the site doesn’t store your password to check your future log-ins against. It stores the SHA-256 hash code of your password. SHA-256 is a mathematical algorithm that generates a 256-bit code from any string of bytes, whether it be text, or a Word or .pdf document, or a picture. That 256 bits is normally represented in hexadecimal, a base-sixteen system with the digits 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. That gives a sixty-four-digit hex number like this one, which is the SHA-256 hash code for my name:

a7547117bc74e597fd15068fc76f777059b2f162005f02c550c26847dc3409d5

The important things about that number are 1) that you can’t process it backwards, and 2) its size. You cannot process that number to get back “Richard F. Weyand”. It’s not completely impossible, but it is practically impossible. As for its size, 256 bits is a number space so big that if you gave a unique 256-bit serial number to every neutron, proton, and electron in the Milky Way galaxy, you could do that a million times and still only use half the numbers. That means any given SHA-256 hash code matches only one thing, the input it was generated from. That hash code above will only match my name, ever.

For example, if you wrote a screenplay, and published the SHA-256 hash code of the screenplay together with your name in a classified ad in the New York Times, you would be able to prove that screenplay was yours. Period. Send it out to all the movie studios you want. If they rip it off, you’ll be able to prove in court that the original screenplay was yours.

So the site you type your new password into stores the SHA-256 hash code of the new password. When you log in again later, it generates a SHA-256 hash code of the password you type in, and compares it to the one on file for your account. If they match, you’re in. This means that no one can hack the bank, steal the hash codes, and use them to log in. Way cool.

With one caveat. What the bad guys are doing is calculating the SHA-256 hash codes for every possible password, and using that to create a SHA-256 lookup table. If they hack the bank and get the password hash code values, they can use their lookup table to convert the SHA-256 hash codes back to the passwords. Ouch.

Here now, finally, is why the length of a password is the only thing that matters. If you take the fifty-two upper-case and lower-case characters, ten numeric digits, and eight allowed special characters, that means there are seventy possibilities for each digit in a password. So there are 70 possible one-digit passwords, 4900 two-digit passwords, 343,000 three-digit passwords, and so on. But there are 4.75 x 10^27, or 4,750 trillion trillion, fifteen-digit passwords. You see, the table the bad guys need gets seventy times bigger for each extra digit.

So use at least fifteen-digit passwords. Other people at the same bank may be hacked if the bank’s password hash code values get stolen, but you won’t be.
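The store-the-hash-and-compare flow and the seventy-to-the-power-of-length table arithmetic described above, as an added example that is not part of the original post; the username and the password records dictionary are constructed for illustration.

```python
import hashlib

ALPHABET_SIZE = 70  # 26 upper + 26 lower + 10 digits + 8 specials, as counted in the post
DIGEST_BYTES = 32   # SHA-256 produces 256 bits, i.e. 32 bytes, per hash code


def sha256_hex(text: str) -> str:
    """Return the 64-hex-digit SHA-256 hash code of a UTF-8 string."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def store_password(records: dict, username: str, password: str) -> None:
    """What the post says a site does at sign-up: keep the hash code, not the password.
    Plain unsalted SHA-256 is used here only to match the post's description."""
    records[username] = sha256_hex(password)


def verify_password(records: dict, username: str, attempt: str) -> bool:
    """Hash the typed password and compare it with the hash code on file."""
    stored = records.get(username)
    return stored is not None and stored == sha256_hex(attempt)


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly this length: 70, 4900, 343000, ..."""
    return alphabet_size ** length


def lookup_table_bytes(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Storage a complete hash-to-password table for this length would need,
    counting only the 32-byte hash code per entry (the password text is extra)."""
    return keyspace(length, alphabet_size) * DIGEST_BYTES


if __name__ == "__main__":
    records = {}  # constructed stand-in for the site's account database
    store_password(records, "alice", "Ger0troode^ailehpO")  # password from the post
    print(verify_password(records, "alice", "Ger0troode^ailehpO"))  # correct password
    print(verify_password(records, "alice", "Ger1troode^ailehpO"))  # one digit off
    for n in (1, 2, 3, 8, 15):
        print(f"{n:2d} chars: {keyspace(n):.3e} passwords, "
              f"table >= {lookup_table_bytes(n):.3e} bytes")
```

Real sites should store a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) rather than bare SHA-256, because a salt forces the attacker to build a separate table per account instead of reusing one table against everyone. The fifteen-character figure from the post comes out of keyspace(15), about 4.75 x 10^27 entries.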

It’s easy to generate a long password you can remember.

Pick some topic you’re not known for. If you’re a car buff, pick food, for example. If you’re a food buff, maybe pick movies. Think of your two favorites, like your two favorite car brands, or your two favorite movies, or your two favorite foods. Let’s say I pick the two main characters in Hamlet, other than Hamlet himself — his mother and his love, Gertrude and Ophelia.

Write them together: GertrudeOphelia. Now reverse one or the other: GertrudeailehpO. Misspell one: GertoodeailehpO. Now add a number somewhere in the middle: Ger0troodeailehpO. Maybe they make you have a special character: Ger0troode^ailehpO.

There ya go. An eighteen-digit password you can remember. And when they ask you to change the password after ninety days, just index the number you put in, to 1, 2, 3, etc. After 9, just keep going with two digits. At some point, you’ll be at Ger27troode^ailehpO, for example.

Use a different password for every website.

This one’s a killer, but I have a way out.

The issue is that some website may store your password in the clear, instead of storing the SHA-256 hash code. Such a sloppily run site will probably also get hacked. Don’t use your bank or brokerage password for your city water bill account! If they hack the city’s water company website (and how secure do you think government-run sites are?), they’ve got your bank account.

There are about two hundred websites where I have an account. That’s pretty easy to do if you have a lot of interests and are a joiner. Does that mean I actually have two hundred fifteen-digit passwords? Yup, it sure does. I manage them all with a password manager. I use LogMeOnce. I log into LogMeOnce, and it manages the rest. Now I just have to remember that one password. Yeah, it was fifty bucks for five years. Meh.

Cyber security issues arise not because we need more tools, but because we don’t use the ones we have.

I was at a conference where a cyber security guy said any time he goes into a new client, the first thing he does is try to log in with the default account and password the machine ships with. He gets in more than half the time. Every machine — computer, network router, whatever — ships with a default account, like username: admin, password: 123456. You need that account to get into the machine the first time when you’re setting it up. And that account has administrator privileges. It has to, so you can set up the machine. But you’re supposed to change it, right off! And often people don’t.

Another tale from the same guy. He went into a government agency. They had a lot of money to buy new cyber security stuff, to tighten up their security. He found out that all of the employees at the site were using the same account and password, because it was easier than everybody having their own. Someone would have to go in and set up all those user accounts, and they were too lazy to do it. Yikes!

So use the tools you have: long passwords, and a different password for every site. Get a password manager if you need to. There are free ones out there if you’re strapped for cash.

But if you use the smallest password you can get away with, and use the same one at every site, don’t blame me when your bank account balances and stock investments disappear, and your credit cards get maxed out by some hacker in China or Ukraine.
