Introduction
If you understood how passwords were cracked, you'd never use a natural-language word in your password again. And, that alone could make you entirely safe. Yes, I'll explain how that could make you safe further along in this article.
I'm taking a bit of an alternate view so we can think differently about what password cracks actually mean, and if passwords are just entirely unusable or not.
Background
All of the Security Geniuses tell you that passwords are a failed technology because so many passwords are cracked. But, why don't they ever clearly explain how passwords are cracked?
There seems to be a Movement that is trying to get rid of passwords that you own.
The Bombastic News
One of the problems is that the news covers low-brow technical issues in a bombastic way ("High-sounding but with little meaning".
Check out this article from today on LinkedIn.
Nearly 10 billion passwords leaked | LinkedIn
10 Billion passwords!? What?
Let's Rip That Article Apart Now, Shall We?
The article states:
"...almost 10 billion unique passwords have been posted to a hacking forum"
That leads you to believe that 10 Billion plaintext passwords ripe for the using have been posted.
However, that cannot be true. Because if it were, then what would the other sentences in the article mean? Especially the last one:
It could enable "brute-force attacks," which use trial and error to rapidly test a large number of passwords and gain access to systems that aren't protected.
Why would attackers need to do "brute-force attacks which use trial and error" when they have the passwords in the clear? Well, that's because they don't.
It is Alarmist reporting. I followed the links to the source article (on qz.com) and that article is even shorter and doesn't explain it at all. So, they did not post 10 Billion plaintext passwords at all.
But you already knew that Journalists do no work at all. They just make up sentences, then other "news" sites pick up the information and repeat it and it provides it with gravitas so the truth is no longer necessary. As long as you have shocking headlines, you win.
The Thing They Never Explain
Often the news reports these kinds of numbers and they report bad passwords, right?
It is obvious that many of those accounts and passwords are just for fake accounts or "pass-by" accounts where users have created a quick account to discover more information about a company or get a free item or whatever.
The Point: Fake Accounts With Bad Passwords
So, even though there are really bad passwords like (password1, abc123) what they don't explain to the reader is that there are millions of accounts created by pass-by users and others created by hackers and those users don't care about the password at all.
Yes, Normal People Create Bad Passwords
Yes, I know, normal people create terrible passwords. However, there is a simple thing they can do to make their passwords safe: Never use a natural-language word in the password.
The Solution
Instead, create a completely random set of characters as your password.
The Problem
Normal users would have no way to remember a set of random characters.
Obviously, that can be solved by forcing the user to use a Password Manager which generates random passwords.
The Weird Solution: Hamster Method
Here's a way to make a normal user's accounts almost entirely safe. Please chime in and comment below to argue why this might not be true.
Here are the steps:
- Create one random password for the user's main email account by having a hamster run across the keyboard.
- I just dropped my hamster on my keyboard and got : adgy788t6ops;ldfkyudt621@DCG32#@&
- Use this one for her master password on her email account. That way her main email account is protected with a random strong password.
- Write this down and keep in a sealed lock box -- at some point the user will have it memorized
- After that, every time the user creates a new account she should drop the hamster on the keyboard again and generate a password, but for these accounts they do not need to be written down anywhere? What?
- Each time the user goes to sign into any of the other accounts she will always simply say, "oh, I don't know my password, please reset the account" sent to her main email account.
- She will retrieve the reset from the main email account and login
- Now there is only one Main password to remember / use and the other ones will all just be reset every time. Isn't this GENIUS?!
My point is: If No One Knows Your Password (including you), It's Secure
My Real Point Is : Random!
My real point is that passwords must be random so they cannot be guessed.
But, to better state that point, I'd like to say this:
Passwords ust not include any pattern that someone can detect as a pattern.
That's true random.
How Crackers Crack Passwords
People seem to forget how crackers actually crack the passwords.
Ignore PlainText Storage
Let's ignore the companies which are storing your password in plaintext, ok? Do they still exist? I hope not. If they do then you are toast. No getting around that. Crackers going to crack and they going to get a password trove that is in plaintext.
Generate All The Hashes & Compare
The real way that crackers get passwords is:
Write an algorithm which hashes suspected passwords and password phrases to generate a huge database of hashes
Compare those hashes to what they find in the trove they exfilitrate from a company.
That's it!
Think About The Size of SHA256 Hash
So, 256-bit value is the value of 2^256.
The max value is :
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,935
Let's refer to that number as HUGE-NUMBER.
Reach In Bag, Pull One Random Item Out
Think about this experiment.
- Reach into a bag (without looking) which contains HUGE-NUMBER of items and randomly pull one item out.
- Throw the item back into the bag with the rest of HUGE-NUMBER items.
- Reach in a second time (without looking) and attempt to randomly pull the same one out again. Theoretically impossible!
Why does this matter?
This matters because any unique input will produce a new and unique output. At this point there are no collisions known in the SHA256 algorithm.
Why does any of this matter?
It matters, because we are going to use a SHA256 hash as our password.
Why? Because the SHA256 value is random. It's the equivalent of having a hamster run over your keyboard and create a password.
But How Are SHA256 Hashes Generated?
Well, we don't have to know how the dark details of the SHA256 algorithm work exactly, but we do need to know how to generate one.
We can use libraries which contain the SHA256 algorithm to generate SHA256 hashes.
Microsoft provides such a library and you can get to it via PowerShell
PowerShell Script to Create SHA256 From Any Text
param (
[string]$target = $(Read-Host)
)
$stringAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($stringAsStream)
$writer.write($target)
$writer.Flush()
$stringAsStream.Position = 0
$outHash = Get-FileHash -InputStream $stringAsStream | Select-Object Hash
$outHash.hash.ToLower()
- First we read in a string value provided by the user ($target) at the command line.
- Next, we set up a StringStream and set the value to the user-supplied string ($target)
- Next, we call Get-FileHash (generates SHA256) and pass the user-supplied string to it
- Finally, we lowercase the hash just for consistency.
Here are some words that I've hashed for you. I ran this on my Ubuntu 22.04.4 system.
64 Characters Long
The hashes are 64 characters long, because each of the 32 bytes (256 bits / 8 bits = number of bytes = 32) are represented by a 2 char Hexadecimal value.
Get the source (at the top this article) and you can try it too.
Here's a list of random words and their SHA256 hashes.
My Suggestion Is One I Use
My suggestion is that instead of making up a password again, you instead generate a SHA256 hash and use that as your password.
Couldn't A Cracker Generate The Same Hash?
But, wait, can't someone just use the same words I used to generate a SHA256 hash and then compare their hash to mine and then know what my password is?
Well, not really. Here's why.
Make Your Hash Salty
First of all you'd need to use two pieces of data in your hash so you could create very random hashes.
In order to make it more difficult (or theoretically impossible) for someone to get our original value, we need to add a 2nd value to our initial input. This 2nd value is called a salt.
Salt: Additional Word Or Phrase
For example we could create an additional word or phrase that we would append to every input that we will hash.
Here's all of the previous words with their associated hashes after adding the same salt to each one.
See how different the hashes are now? They're not guessable by any means. If they were then SHA256 hash algorithm would be cracked.
Keep That Salt Secret
But, you have to keep that salt secret. If it gets out then the cracker can generate all the words in the dictionary and hash them and then brute-force compare them all to the trove of SHA256 hashes that are in the 10 Billion password vault.
What You Really Need Is A Program To Do This For You
I just so happen to have written such a program and it is FOSS (Fully Open Source Software) and it is FREE forever.
That means:
- You can try it for FREE
- You can use it for FREE
- You can examine and alter the software all you want...for FREE
- Try It For Free
- You can try it, right now in your browser if you want.
Just go to C'YaPass : Never type a password again and you'll see something like the following:
SiteKeys: Add Your Own
Of course, you won't have any siteKeys, but you can add them.
There are two parts to generating your password.
- The SiteKey - unique string you make up to remember which site you'll use this pwd on.
- A pattern you draw which generates a value - this is the salt to randomize the SHA256 hash
Finally, the value in at the lower right of the screen is a 64 character password (SHA256 hash) you can use on the site.
Your Passwords Aren't Stored Anywhere, They're Generated Every Time
This is cutting edge technology because your passwords are never stored anywhere.
To generate your password, you have to:
- Select your SiteKey
- Draw your pattern
You Only Need One Pattern
Because the pattern is the salt, each time you change your sitekey (select a different one on the left side) you will get a new password for the associated site. So you don't have to change the pattern for every sitekey.
Your Passwords Will Not Be Based On Natural-Language Words
This means your passwords will be random numbers and characters. They will not be in cracker's rainbow tables as targets to match.
Sites Will Hash Your Hash
When you use these hashes as your password, the sites you log into will then hash it to save it on their site which is interesting too.
But, I've added another layer of protection.
Multi-Hash: Hash Your Hash Numerous Times
Take a look at the updated C'YaPass and you'll see I've added the ability for you to hash the initial value X number of times (selectable by you). See the red highlighted section. If you change that value, then all of your hashes will be hashed X (10 in the example) extra times.
Conclusion
- If you wanted really strong passwords, you would never use natural-language words in your passwords. EVER!
- It seems that Password Problems are being reported on improperly to gain attention and to scare people for some reason. Passwords are fine and you own them yourself. But, they should never include words from natural-language. NEVER!
- The reported password breach of 10 Billion passwords is obviously reported improperly. Those are not plaintext passwords but instead are (most likely) hashes of passwords which, if they include natural-language words the crackers may be able to use after brute-forcing their algorithm to generate SHA256 hash matches. That's the real password cracking technology today: hash matching.
Hash Matching
Since hash matching is the real way crackers are cracking passwords then it means you understand better what crackers are doing. Since you understand it better, you undersand you NEVER want to have natural-language words in your passwords.
To protect yourself, use a password generator which generates random passwords.
If you liked this article, check out my github sources for C'YaPass:
Web based solution - (also seen at https://cyapass.com/js/cya.htm)
ElectronJS (cross-platform solution) - runs on macOs, Windows, Linux
And don't believe everything you read about passwords. 🤓
Top comments (1)
Thank you for writing this article; I found it interesting and enjoyed reading it, especially in regards to how the media is portraying these leaks.
However, the article does not mention the availability of 2FA/MFA or passkeys. While SIM swapping can still occur, using a hardware security key like a Yubikey is one of the best solutions. It makes brute-forcing your password much more difficult, as an attacker would need your 2FA security code or access to your hardware device in addition to the password. For most people, passkeys are a great option as well as they eliminate the need for passwords entirely, assuming that the device generating the passkeys are properly secured.
I appreciate you making your code open source, but this approach could be risky for several reasons. If a site is generating passwords, there is potential for them to be stored. Even if the code is open source, the code running on the site may not match the repository code.
Additionally, as this is a small project with only one contributor, it raises concerns. Linus's Law states, 'Given enough eyeballs, all bugs are shallow,' so a solo project may not get sufficient scrutiny. There's also the risk of the application being discontinued or becoming incompatible with future operating system versions. For something as critical as a password manager, I prefer a widely used and tested solution, such as KeePass. KeePass is also open source and free, and it supports using a key file or hardware key to access the password database.