Date First Published: 27th June 2022
Subtopic: Security Mechanisms & Technologies
Difficulty Level: 1/10
Learn more about what a password is in this article.
A password is a secret string of characters used to authenticate a user when signing in. Passwords are used in combination with a username or email address: for example, when signing into a social media account, a person is asked to enter their email address and their password to prove that it really is them. Because passwords are private information, the characters are hidden behind dots as they are typed, so that nobody looking over someone's shoulder can read them. Passwords are used for more than logging into websites: they also protect ATMs (in the form of PINs), computer operating systems, mobile phones and so on.
A longer password that contains a sequence of words or sentences, separated by spaces is known as a passphrase.
A strong password is one that is difficult to crack or guess. A memorable example is a phrase with some letters swapped for look-alike digits (e.g. 'how to stay safe online' becomes 'h0wtost4ys4fe0nl1n3'). Be aware that this kind of substitution is well known: password-cracking tools apply the same 'o to 0, a to 4' rules to every word and phrase in their dictionaries, so the substitutions add far less strength than the mix of letters and digits suggests. The length and the unusual base phrase are what make it hard to guess. Strong passwords reduce the chance of unauthorised access and data breaches. The qualities of a strong password:
Using a mix of letters, numbers and symbols decreases the chance of the password being guessed or brute-forced, because it enlarges the set of characters an attacker has to try at every position. At the same time, the password still needs to be easy to remember. '0nl1&*n3b4n£k1n-g' is an example of an extremely strong password, but it is very difficult to remember and time-consuming to type manually every time.
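To show why letter-for-digit substitution is weaker than it looks, here is an added example (not code from the original article) that does what a cracking tool's substitution rules do: it expands each word of a small, constructed wordlist into every combination of the substitutions in the LEET table and counts how many guesses it takes to reach the article's example password. The wordlist, the LEET table and the 70-character alphabet used for the brute-force comparison are all assumptions made for the demonstration.

```python
import itertools

# Substitution rules attackers apply to every dictionary word (a small subset
# of the 'l33t' rules shipped with common password-cracking tools; assumed).
LEET = {"o": "0", "a": "4", "i": "1", "e": "3", "s": "5", "t": "7"}


def leet_variants(base):
    """Yield every variant of `base` in which each substitutable letter is
    independently kept or replaced. A word with k such letters has 2**k variants."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in base]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def guesses_needed(target, wordlist):
    """Walk the wordlist in order, expanding each entry with leet_variants, and
    return (matched_word, number_of_guesses), or (None, total_guesses) if the
    target is never produced."""
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            if candidate == target:
                return word, guesses
    return None, guesses


def naive_keyspace(length, alphabet_size=70):
    """Size of the search space a brute-force attacker would face if the
    password were a uniformly random string of letters, digits and symbols."""
    return alphabet_size ** length


def demo():
    # Constructed wordlist; a real one holds millions of words and phrases.
    wordlist = ["iloveyou", "letmein", "howtostaysafeonline"]
    target = "h0wtost4ys4fe0nl1n3"  # the article's example password
    word, guesses = guesses_needed(target, wordlist)
    return {
        "matched_phrase": word,
        "guesses_with_rules": guesses,       # a few thousand at most
        "brute_force_keyspace": naive_keyspace(len(target)),  # about 10**35
    }


if __name__ == "__main__":
    print(demo())
```

The phrase 'howtostaysafeonline' has 12 substitutable letters, so the rules produce at most 4096 variants of it; the article's example is one of them, and it is found after a few thousand guesses once the base phrase is in the wordlist. A genuinely random 19-character password would instead require searching a space of around 10^35 combinations.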
If you have trouble remembering passwords, consider using a password manager. A password manager is a program that stores all of your passwords in one encrypted location, so that you only need to remember a single master password. That master password unlocks the manager and prevents unauthorised users from seeing the stored credentials. Most password managers can also generate long random passwords for you, which removes the trade-off between strength and memorability entirely.
When attackers try to guess a password, whether with an automated brute-force or dictionary attack or by hand, the first candidates they try are the obvious, easily guessable ones. Examples include:
A strong password should be at least 8 characters long, and 8 is a bare minimum: every extra character multiplies the number of combinations an attacker has to try, so longer is stronger. Avoid excessively short passwords, as these are much easier to guess or brute-force.
If a website is hacked and the attacker obtains the username and password for an account there, every other account that uses the same password is also at risk: the attacker will try the same combination on other sites (a technique known as credential stuffing) in the hope that it works. That is why it is always best to use a different password for every website and never to reuse passwords.
Whilst a password provides the minimum layer of security for an account, granting access only when the correct password is entered and denying it otherwise, passwords alone cannot guarantee that there will be no unauthorised access. In particular, if a weak password is used and someone performs a brute-force attack, the correct password may be found, allowing the attacker to gain access to the account.
For extra security, methods such as two-factor authentication (2FA) are used. This may send a verification code as a text message or an email, meaning that even if someone stole a user's password, they would still not be able to sign in. However, if they also had access to the account holder's email account or phone, they could read the verification code, which is why codes delivered by SMS or email are weaker than an authenticator app or a hardware security key.
Passwords can also be stolen by means other than brute-force attacks or guessing, such as phishing attacks and keyloggers. These usually require some user interaction: the user has to run the malware on their computer or enter their password into a fake login page.
To stop attackers continuously guessing passwords and performing brute-force attacks, some websites block further attempts from an IP address after a certain number of failures. The account can also be locked and require a password reset after a certain number of failed attempts (e.g. 10); a reset link is then sent to the user's email address, and the user chooses a new password through that link. The new password should never be sent in the email itself, since anyone who gets hold of the message could read it.
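The lockout logic described above, as an added example rather than code from the original article. It keeps a sliding 15-minute window of failures per IP address and a running count of failures per account, blocks an IP after 5 failures in the window, and locks an account after 10 failures until it is reset. The thresholds, the user table and the plaintext credential check are all constructed for the demonstration; a real system would compare against stored password hashes.

```python
import hmac
from collections import defaultdict, deque

IP_WINDOW_SECONDS = 15 * 60   # sliding window for per-IP counting (assumed)
IP_MAX_FAILURES = 5           # failures per IP per window before blocking (assumed)
ACCOUNT_MAX_FAILURES = 10     # failures per account before a reset is required (assumed)

# Constructed user table. Plaintext comparison is used only to keep this
# example focused on throttling; real systems compare against stored hashes.
USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    def __init__(self):
        self._ip_failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self._account_failures = defaultdict(int)  # username -> consecutive failures
        self._locked = set()                       # accounts that need a password reset

    def _prune(self, ip, now):
        """Drop failures that have fallen outside the sliding window."""
        q = self._ip_failures[ip]
        while q and now - q[0] >= IP_WINDOW_SECONDS:
            q.popleft()

    def ip_blocked(self, ip, now):
        self._prune(ip, now)
        return len(self._ip_failures[ip]) >= IP_MAX_FAILURES

    def account_locked(self, username):
        return username in self._locked

    def record_failure(self, ip, username, now):
        self._ip_failures[ip].append(now)
        if username in USERS:  # only count failures against accounts that exist
            self._account_failures[username] += 1
            if self._account_failures[username] >= ACCOUNT_MAX_FAILURES:
                self._locked.add(username)

    def record_success(self, username):
        self._account_failures[username] = 0

    def reset_account(self, username):
        """Called once the user has completed the reset link sent to their email."""
        self._locked.discard(username)
        self._account_failures[username] = 0


def attempt_login(throttle, ip, username, password, now):
    """Return one of: 'ip_blocked', 'account_locked', 'ok', 'bad_credentials'."""
    if throttle.ip_blocked(ip, now):
        return "ip_blocked"
    if throttle.account_locked(username):
        return "account_locked"
    expected = USERS.get(username)
    # Constant-time comparison; an unknown username takes the same failure path.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "bad_credentials"


def simulate():
    """Constructed attack sequence: one IP hammers alice, then a second IP carries on."""
    t = LoginThrottle()
    results = []
    # 5 wrong guesses from 10.0.0.1 within a minute, then a 6th is refused outright
    for i in range(6):
        results.append(attempt_login(t, "10.0.0.1", "alice", f"guess{i}", now=i * 10))
    # Even the right password is refused from the blocked IP
    results.append(attempt_login(t, "10.0.0.1", "alice", USERS["alice"], now=70))
    # Attacker switches IP: 5 more failures take alice to 10, so the account locks
    for i in range(5):
        results.append(attempt_login(t, "10.0.0.2", "alice", f"again{i}", now=100 + i))
    # The real owner, from her own IP, is locked out until she resets
    results.append(attempt_login(t, "192.0.2.7", "alice", USERS["alice"], now=200))
    t.reset_account("alice")
    results.append(attempt_login(t, "192.0.2.7", "alice", USERS["alice"], now=201))
    # Once the 15-minute window has passed, the first IP may try again
    results.append(attempt_login(t, "10.0.0.1", "alice", "late", now=IP_WINDOW_SECONDS + 60))
    return results


if __name__ == "__main__":
    for status in simulate():
        print(status)
```

Note that the per-IP block on its own is not enough: the simulated attacker simply moves to a second IP address, which is why the per-account counter and the reset requirement are needed as well. Equally, the account lock means the legitimate owner is affected until she completes the reset, so the thresholds are a trade-off between slowing attackers and inconveniencing users.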
Passwords are stored in a database (for example a MySQL database) that only the site's own back end should be able to reach. Reputable websites do not store passwords in plaintext. Instead, each password is run through a one-way hash function and only the resulting hash is stored. When a user signs in, the password they type is hashed and compared with the stored hash. Hashing converts data into a fixed-length string from which the original cannot be recovered: there is no 'unhash' operation and no such thing as hash decryption. Two details matter in practice. First, general-purpose hash functions such as MD5 or SHA-256 are deliberately fast, so an attacker who obtains the hashes can try billions of guesses per second offline; password storage should use a slow, purpose-built function such as bcrypt, scrypt, Argon2 or PBKDF2 instead. Second, each password should be combined with a random salt before hashing, so that two users with the same password get different hashes and precomputed tables of common passwords are useless.
Even if the website is hacked, the attacker cannot simply read the stored passwords, since they are hashed. Hashing does not make them unrecoverable, however: the attacker can hash their own guesses and compare. Weak or common passwords stored as unsalted, fast hashes are recovered in seconds, whereas a long, unique password stored with a salt and a slow hash stays out of reach.
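An added example of the two storage approaches contrasted above (not code from the original article). It builds a tiny lookup table of MD5 hashes of common passwords, shows that an unsalted MD5 hash of '123456' is recovered instantly, and then stores and verifies the same password with a random salt and PBKDF2-HMAC-SHA256 from Python's standard library. PBKDF2 is used because it needs no third-party package; bcrypt, scrypt or Argon2 are preferable where available. The iteration count, the storage record format and the list of common passwords are assumptions made for the demonstration, and the count is kept deliberately low so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Constructed lookup table: MD5 of a handful of very common passwords. An
# attacker who obtains unsalted MD5 hashes simply looks each one up.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 200_000  # assumed; production should use a higher count
SALT_BYTES = 16


def crack_unsalted_md5(stored_hex):
    """Recover a password from an unsalted MD5 hash by table lookup, or None."""
    return MD5_LOOKUP.get(stored_hex)


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a storable record in the (assumed) form
    algorithm$iterations$salt_hex$hash_hex, using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive the hash with the stored salt and iteration count and compare
    in constant time. Malformed or unknown records simply fail."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Contrast an unsalted fast hash with a salted slow one for '123456'."""
    leaked_md5 = hashlib.md5(b"123456").hexdigest()   # what a careless site stores
    record_a = hash_password("123456")                 # two users, same password
    record_b = hash_password("123456")
    return {
        "md5_cracked_to": crack_unsalted_md5(leaked_md5),
        "salted_records_differ": record_a != record_b,
        "verify_correct": verify_password("123456", record_a),
        "verify_wrong": verify_password("1234567", record_a),
        "lookup_on_salted_hash": crack_unsalted_md5(record_a.split("$")[-1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the salt is stored alongside the hash, verification needs no secret beyond the password itself; the salt's job is only to make every record unique, so a table built in advance cannot be reused and the attacker must spend the full PBKDF2 cost on every guess for every user.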
You have probably heard from multiple sources that you should regularly change your password every six months, every three months, or even every month. The answer is that as long as your password is already strong, not compromised in a data breach, and has not been discovered by someone else, there is no need to regularly change it and you won't achieve anything from regularly changing it to another strong password. If you have already got a strong password for a service or an electronic account, then you can keep it for as long as you use that service, unless it has been compromised or you know that someone has accessed your account without your permission. In that case, you should immediately change it.
Frequently changing your password could also make your passwords less secure. If you keep changing your password, this will often cause you to pick a password very similar to the one you had before, similar to one you use on another account, or you may also pick a weak and easy-to-guess password so that you won't forget it. Using variations of passwords across multiple accounts is risky because if one of them becomes compromised, all the passwords for your other accounts would be easy to guess. Overall, it will make it harder to remember good passwords since you have to remember a new password every couple of months.
The National Cyber Security Centre (NCSC) recommends against forced regular password expiry: it inconveniences users, and users who are made to change their passwords tend to choose ones very similar to the old ones, a weakness that attackers exploit. Instead, the NCSC asks administrators to consider alternative and more effective mechanisms for detecting and preventing unauthorised account use, such as limits on failed login attempts and system monitoring tools.
Passwords have been around since the earliest days of computing. The Compatible Time-Sharing System (CTSS), an operating system introduced at MIT in 1961, was the first computer system to implement a password login. CTSS had a LOGIN command that requested a password from the user; after PASSWORD was typed, the system turned off the terminal's printing mechanism so that the user could type their password in privacy.
In the early 1970s, Robert Morris developed a system for storing login passwords in hashed form as part of the Unix operating system. A later version of his algorithm, crypt(3), used a 12-bit salt and applied a modified form of the DES algorithm 25 times to make dictionary attacks slower.