#115 Why Do Strong Passwords Matter?

It is so annoying when you're entering a password and it says you gotta have a certain number of letters, numbers, special characters. Why is that? Today we're going to explain why those strong passwords really matter. Welcome to COPEC Explain Software, the podcast where we make computing intelligible. This week we're talking about strong passwords. What do we mean by that? We mean that you don't just put any word when you create a new password. You're required by most modern websites or apps to put in some special characters, some uppercase letters, some numbers. Why is that so important?

Well, obviously we want to keep our information secure, but nowadays it's really easy to think it doesn't matter because if you forget your password, you'll just be able to reset it, right?

And you also think, well, if I just mess it up three times, then they'll just send me an email and I'll change it again. Or if somebody mistypes it three times, who's trying to guess it, they're going to be locked out. But what happens if the original database that actually contains all your information and all your passwords actually gets hacked or somebody has access to it? We want to make sure that it's not just that front end to accessing the app or the website that's secure, but the password itself and the fundamental way that it's stored. So that if the company that's producing this app or website gets into trouble or gets hacked, your information is still secure and your password is still secure.

So walk me through what a password is originally like and how it gets stored.

When you type your password into a form on a website or in an app, the original version of it, the literal characters we call the clear text or the plain text of the password that gets transmitted over to a server, that's the back end for the app or website that you're accessing there. On the back end, the password is going to go through what's called a secure one way hash function. And before it does even that, it's going to be combined with assault, which is kind of like just some random characters. So your password, along with some random characters, gets mixed together and then put through the secure one way hash function. And understanding the result of the secure one way hash function is key to understanding why strong passwords matter.

So how does the hash function work?

Well, we're not going to get into the details of the type of encryption like algorithms that they use. We did do a previous episode on encryption that I'm going to link to in the show notes, but it's important that you understand what it does in the result. It's one way because the transformation that it does is irreversible. We take the original password combined with the salt, it goes through this hash function, and we get what may appear to you to be a bunch of random characters as a result. But whatever those resulting characters are, there's no way of just looking at them and using some tools or doing any kind of calculations and refiguring out what the original cleartext password was. That's what's really key. So we get a bunch of characters that we end up storing in the database that have no way of telling us what the original cleartext password is unless we run the original cleartext password through the combination with the salt and going through the one way secure hash function and get the same random characters as a result. That's the only way to tell. And that's actually how, when you log in, we check that you're really who you say you are. We take the stuff you typed in the clear text, we combine it with the salt, go through the one way secure hash function, and if those resulting sort of random looking characters are the same as the ones that were stored in the database, then we know you're really who you say you were, that you're really authenticated to be that person. Because only that original password after going through this process would result in those same kind of random looking characters that result from the one way secure hash function. Does that make sense?

Yes. So what happens?

So it's a one way transformation. We take some original clear text password and we end up with something that doesn't resemble it in any way and could only result from that same clear text password. We put a different clear text password in, we will always end up with a result of the one way hash function, resulting in a different set of random text at the end.

What happens if they get access to the hash version?

Right? That's the whole point. They have no way of reversing it and getting the clear text password back. So just having the hashed version doesn't give you enough information to recreate the original password. That's why these are secure one way hash functions. They only go in one direction. And so that's actually a great bit of security. That means if someone gets access to this database, they can actually maybe see that hash, but they can't tell you what that person's password was. And in fact, even the company itself doesn't know what your password is, which.

Is why we have to reset it if you forget it, right?

Any company that's doing their security properly can't actually tell you this is what your password is. Oh, you forgot your password. Let me just call you up and tell you what it is over the phone. They can't do that because the way it's stored, we're only getting this garbled result of this one way secure hash function, and we don't have any idea of any way to reverse it and get back the original password. So that's why the only thing you can do on any modern secure app or website is reset it that way, you're putting in a totally new one. We're going to end up with a totally new hash value that's stored in the database unrelated to the last one. There's no way we can get back the last one. If you forget it, you've truly forgotten it. That's it.

Let's get back to our original question. Why do strong passwords matter?

Okay, so we know now how passwords are stored. They're combined with the salt, go through the one way secure hash function. I've said that like five or six times, but we can go through that really quickly, actually. So taking that original cleartext password, combining it with the salt, and running that one way secure hash function takes a couple of milliseconds. And what we're trying to do is match up that resulting hashed text to something that's in the database. If we get that hashed text, what we could do is just try guessing a ton of different passwords and see if any of them, after going through this process, match that hash text that's in the database. So this is really problematic if you're using a really common password because there are well published lists of what are the million most common passwords, and they can just quickly run all million if they have access to your hashed version and see if any of those million match after being hashed the hashed version that's stored. So that's a way of figure cracking is what it's called. Cracking what your password is, like cracking a safe. In fact, also, if you're just using a common English word, even if it's not a common password, that's also trivial, right? There's only about a million words in the English dictionary, and you can just quickly, on any modern computer, run all of them through the secure hash function and see if they match the hash text. So if you're using a common password or you're using just easy to guess English word, then somebody's just going to be able to, once they have the hash version of your password, to do one of these cracking programs and in a few seconds figure out what your password is. So even though passwords are stored so securely, we still need to use a strong password. We still need to be complex enough that if we tried all the common ones, we wouldn't be able to find that same hash text.

Luckily, we have tools like password managers to keep track of all the strong passwords. We have to make that's right.

Rebecca, I understand you're something of an expert on password manager. So what is a password manager?

So a password manager is just a piece of software or a tool, and there are some that are built into browsers and whole separate pieces of software that hold on to your passwords for you or keep a list of them. And then you only need to remember one password to get into your password manager. And your password manager does all the work of creating a strong password, storing it, and keeping it secure.

So what happens if somebody knows your one password and they happen to get on your computer?

Well, then you're in trouble.

Right? So even that should be a strong password, right? Yes, because they could just guess a ton of different passwords and then get into all of your other strong passwords that it's storing for you. So really important actually that your password for your password manager is a strong password itself.

Yes, we have password managers, but there are some other ways that things are kept secure, like through hardware.

Right. There is something called a hardware key, which is a device that is literally plugged into the machine as you're logging in somewhere and that is really then specific to you and personal to you. And somebody without the hardware device can't log in as you. So that's really secure. I remember these things all the way back to the 1990s. There were some software anti piracy mechanisms that required you to plug in a dongle into your computer in order to use just like off the shelf software. I remember in particular Chefspace, which was this piece of chef software that cost like $200 for the pro versions. Back in the didn't plug in the hardware key, you couldn't use the software. So these things have been around for like 30 years. If you're working a really secure job, you might actually still today have a hardware key. Today it'd be a USB key that you plug in and you have to have that in to get into anything. Of course, there's also two factor authentication. The older version usually goes through a cell phone. Believe it or not, text messages on your cell phone can actually be hacked too. And there's ways of kind of being a man in the middle attack and intercepting your text messages, especially if someone is able to spoof your SIM card. So what's more secure today is to use an authenticator app. And there's free ones from both Apple and Google and there's third party ones as well. Looking forward, apple and Google are both working, I think Microsoft too on technologies to make passwords something of a thing of the past because as we've talked about, you might be using a password manager, but then you still have to remember the password for the password manager. And frankly, it's just a lot today to keep track of. Right? We all are members of hundreds of sites probably on average, and we all have so many different passwords we have to keep track of. And there's actually a future that's envisioned by big tech right now where we don't have to remember almost any passwords and instead we have biometric connections to our devices and then our devices are automatically securely tied just to us and our identity and we don't anymore need to remember literal clear text passwords.

Sounds kind of nice.

Yeah, but until then, make sure you're using strong passwords.

Will do.

All right. Thanks for listening to us this week, Rebecca. How can people get in touch with us on Twitter?

We're at copeck explains K-O-P-E-C-E-X-P-L-A-I-N-S.

Thanks for listening. Thanks for all of our many subscribers. And we'll see you in two weeks. Bye.