While Two-factor Authentication is an important tool in keeping your accounts secure, it should definitely be used with good passwords.  News of a digital break-in is usually accompanied by advice to change your password, not only on the compromised site but on any others where you may use the same password. As I’ll explain below, the connection between sites isn’t some sort of collusion; it arises naturally from the science and technology of encryption. And while encryption relies on some complex math to work, a useful understanding can be gained with no math at all.

One-Way Encryption

Encryption manipulates data so it is no longer recognizable. Some encryption is reversible (so you can get back the original data with more processing) and some is one-way (you cannot decrypt the encrypted data). One-way algorithms are sometimes called meat grinder algorithms; hamburger may be tasty but you can’t make a steak out of it.

Among other advantages of such an algorithm is that it can be quite fast and, rather obviously, fairly secure. A common use of one-way encryption is hashing. Not to be confused with hashtags in social media, in computer science a hash is a short, fairly unique representation of another, usually larger, piece of data.

A very simple hash might just add up the parts of the input to produce a single number as the output. If we say A is 1, B is 2, etc. then to hash “ABC” we add 1 + 2 + 3 = 6. Notice that if we hash “BD” we also get 6 (2 + 4). I said that the hash value is “fairly unique” and while more complex hashes are better than this, there is always the possibility of a collision, two items that hash to the same value.

One-way encryption is useful when you want to know if two things are (likely) the same without being concerned with what those things actually are and this makes it really useful for storing passwords. When you set your password, the system hashes it and stores the result. Later, when you try to log in, the system hashes what you type and compares it to the stored hash. If the hashes match, you’re in. The better the hashing algorithm, the lower the chance of collisions, and the more certain the system can be that you supplied the same password.

Rule 1: If a website or system can tell you your password when you forget it, it isn’t storing it properly. Treat that system as if it is open and has no passwords. Better yet, don’t use that system.

Most hash functions can hash any size input and produce a hash with a uniform size. For example, SHA1 (Secure Hash Algorithm 1) always creates a 20-byte output. This makes the comparison of hashes quick and easy while still minimizing collisions. (You’d have to try roughly one septillion (1 followed by 24 zeros) random strings before finding a collision.) But because a hash function is fairly fast and can accept any size input, your password can be quite long.

On the other hand, some systems arbitrarily limit the length of your password (or, worse, ignore anything after a certain length). If the limit is eight characters, “abcd1234$” and “abcd1234@” hash to the same value and are, essentially, the same password.

Rule 2: If a website or system has an upper limit on how long your password can be, it doesn’t really take security seriously. Complain, be cautious, and consider using another system if you have options.

You’ve no doubt experienced forgetting or flubbing your password and getting locked out of a system after a few tries. That might make you ask, “Who cares if one in a gazillion inputs hash the same as my password; the bad guys can only guess three times.” That would be true if the bad guys were trying to log in the way you do. But what they actually do is break into the computer (there are various ways) and steal the list of user names and hashed passwords. Each item in that list looks something like:

With that data on their computer, the bad guys can guess a password, generate the hash (remember that’s fast), and compare it against the hash they stole. If it doesn’t match, they guess another. If it does match, they have something that is as good as your password, even if it is really just the result of a hash collision. They can go to the system, enter your user name and their guessed password, and then access your account in one step with no risk of lock out. (This is why some systems will alert you to a new log in to your account. If you know it wasn’t you, you can start to take steps to recover.)

Rule 3: If the system has a feature to notify you of new logins, enable it. It won’t prevent a breakin but it may allow you to minimize the damage.

I have five or six different accounts for my job. I use some of them daily and some only monthly. And don’t get me started on listing my personal passwords: my bank, car insurance, health insurance, cell phone carrier, social media, online shopping, etc. There is a temptation to use the same password on all the systems so I don’t have to remember so many but if any of those systems get compromised and the bad guys guess my password, they can at least try that password on other systems with some chance of success.

The problem is this: encryption is hard. It’s a truism in software that you should never try to develop your own security software. As a result, the most secure, well-managed systems use one of several reliable methods to hash and store passwords and the hash of your password on one site may very well match the hash on another.

Rule 4: Use a different password on every system, at least every important system. I’m not sure how much I’d care if someone used my Netflix or Spotify account.

You may wonder what “guess a password” means? First, security researchers have compiled lists of common passwords and bad guys will start with those and hope they get lucky. Second, passwords are often made of a few words and a few digits like “pizzalover12” or “bestgrandma2007.” Here linguists have helped the bad guys by compiling lists of common English words; you are much more likely to incorporate “zoo” than “xeric” in your password.

Rule 5: Avoid common words and phrases in your passwords.

Common passwords are common because they are easy to remember and/or type. Common words are easy to type because they are used frequently. So how do you remember many unique, uncommon passwords and not mistype them so often you lock yourself out? My best advice is don’t remember them and don’t type them.

In the Google software ecosystem, the Chrome browser and the Android operating system have features to suggest “strong” passwords, remember them for you, and fill them in when you visit a site or use an app again. This does mean that if Google is ever compromised all of your passwords are exposed at one time (though I hope and assume they use strong two-way encryption to store them).

A Google solution doesn’t help much if you use Firefox and Android or Chrome and an iPhone or some other combination of products. There are password manager programs for computers and phones (some free, some paid) that give you independence from a specific supplier. Some store your list of sites, user names, and passwords on your own computer or phone so you control it. I have used KeePass for years for just this reason.

Rule 6: Use a password manager to store your various passwords.

So now you know why you need long, unique passwords on all the systems you use. Go get yourself a password manager and start using it.

Resources

KeePass: https://keepass.info/download.html (includes links to compatible Android and iPhone apps)

PC Magazine’s roundup of the best password managers: https://www.pcmag.com/roundup/300318/the-best-password-managers