Worth its weight in security ...

With yet another breach in security reported, this time from Adobe (http://www.bbc.co.uk/news/business-24392819), I had the opportunity to bless a small piece of software I use.

Memory feats

Trying to remember all the passwords you need to exist online these days is nigh on impossible. Looking at my list of online accounts, there are over a hundred. This leaves you with a few choices. You can use a small number of passwords and reuse the same one across multiple sites. But that has an obvious risk: if one of those sites is breached, whoever recovers your password can immediately try it on the others, and it will work. Unfortunately this is very common.

One-way hashing

Something you need to understand here: websites don't (or shouldn't) store your password directly, as that would be very dangerous. Instead they store a hashed version of it. This is created by putting the original password through a one-way mathematical function, a cryptographic hash, that turns the password into a fixed-length string of gibberish. Despite what you sometimes read, this is not encryption: there is no key and no way to run the function backwards, so feeding the hash back in does not give you the original password. That is where the "one-way" bit comes in. So how can a site confirm your password is correct if it can't get the original back? Easy: it takes the password you type in when you log in, puts it through the same one-way function, and checks that the answer matches the one on file. If it does, you must have typed the original password. Thus the site can confirm you know the correct password without ever having to store it.

Two caveats a well-run site adds. First, each user's password is hashed together with a random value (a salt), so two users with the same password get different hashes and an attacker can't precompute one lookup table for everyone. Second, a deliberately slow function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) is used rather than a fast general-purpose hash, so that trying billions of guesses against a stolen hash takes years rather than minutes. Not every site does this properly: some still store passwords unsalted, with a fast hash, or even in a form that can be decrypted, and when such a site is breached most of the passwords are recovered quickly.

Shared passwords

So why did I inflict that on you? There was recently a high-profile hack of a website where the attackers posted the stolen login credentials, with the passwords already cracked back to plain text, on a hacking forum. Some enterprising people at a reputable website took those files and checked whether any of the email addresses belonged to their own users. They found quite a lot of matches. Then they took each cracked password, ran it through their own hashing function exactly as they would at login, and checked whether the result matched the hash they had on file. A match would mean the person was using the same password on both their website and the one that got hacked. 20% of the password hashes matched. They reset the passwords on those accounts.
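The two preceding sections, salted one-way hashing with verification at login and the cross-breach reuse check, as one added worked example. This is illustrative code written for this post, not code from the site described above or from any password manager; the user records, email addresses and "leaked" credential list are constructed for the demo, and PBKDF2-HMAC-SHA256 with a modest iteration count is an assumed choice so the example runs quickly.

```python
"""Salted one-way password hashing, and the cross-breach reuse check.
Added example, not part of the original post; all sample data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
from base64 import b64decode, b64encode

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the demo finishes in seconds;
# a real deployment should tune this far higher (or use Argon2/scrypt/bcrypt).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Derive a salted one-way hash and return it as 'salt$hash' (both base64).

    The salt is random per user, so two users with the same password get
    different stored values and no single precomputed table covers everyone.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{b64encode(salt).decode()}${b64encode(digest).decode()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-run the same function on the typed password and compare with the stored hash.

    Nothing here recovers the password from `stored`; we only check whether the
    candidate produces the same output under the same salt.
    """
    salt_b64, digest_b64 = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), b64decode(salt_b64), ITERATIONS
    )
    # Constant-time comparison so response timing doesn't leak how many bytes matched.
    return hmac.compare_digest(recomputed, b64decode(digest_b64))


def find_reused_credentials(own_records: dict[str, str], leaked: list[tuple[str, str]]) -> list[str]:
    """Cross-check another site's leak against our own user database.

    `leaked` holds (email, plaintext password) pairs as cracked from the other site.
    Our hashes are salted, so hash-to-hash comparison is impossible; each leaked
    plaintext must be run through our own function with that user's salt.
    Returns the emails of accounts that should be force-reset.
    """
    to_reset = []
    for email, plaintext in leaked:
        key = email.strip().lower()
        stored = own_records.get(key)
        if stored is not None and verify_password(plaintext, stored):
            to_reset.append(key)
    return to_reset


# --- constructed sample data (hypothetical users, not real accounts) ------------
# Plaintexts appear here only to build the demo store; a real database holds
# nothing but the 'salt$hash' strings.
OUR_USERS_PLAINTEXT = {
    "alice@example.com": "Summer2013!",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Summer2013!",                # same password as alice
    "dave@example.com": "x7$Qp9!vL2@mZ4&hW8^kT1",      # manager-generated, unique to us
}

# What might be published from the breached site: (email, recovered plaintext).
LEAKED_FROM_OTHER_SITE = [
    ("alice@example.com", "Summer2013!"),   # reused here -> reset
    ("Bob@Example.com", "hunter2"),          # our user, different password -> fine
    ("carol@example.com", "Summer2013!"),   # reused here -> reset
    ("dave@example.com", "ilovecats"),      # our user, unique password here -> fine
    ("erin@example.com", "password1"),       # not one of our users
]


def build_store() -> dict[str, str]:
    """Hash every constructed user's password the way a site would at sign-up."""
    return {email: hash_password(pw) for email, pw in OUR_USERS_PLAINTEXT.items()}


def demo() -> dict:
    """Run the login and reuse checks and return the results for inspection."""
    store = build_store()
    return {
        "alice_and_carol_hashes_differ": store["alice@example.com"] != store["carol@example.com"],
        "login_ok": verify_password("Summer2013!", store["alice@example.com"]),
        "login_bad": verify_password("summer2013!", store["alice@example.com"]),
        "accounts_to_reset": find_reused_credentials(store, LEAKED_FROM_OTHER_SITE),
    }


if __name__ == "__main__":
    print(demo())
```

Note that alice and carol share a password yet end up with different stored strings because of the per-user salt; that is exactly why the reputable site needed the cracked plaintexts rather than the other site's hashes to do its comparison, and why the check costs one slow hash per leaked credential.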

A few years ago that would have been me as well; I simply can't remember 100 different passwords. So how does all of that relate to where we started this story, with the Adobe hack? Remember that little piece of software I mentioned? When I got the email from Adobe saying that they'd reset my account and I'd need to create a new password, I went off and looked in my password manager, 1Password, and checked the password it was storing for Adobe. It was a password that 1Password had generated for me, meaning that it's -

  • completely different from any of my other passwords; and
  • a random set of 20 characters (i.e. far too long and unpredictable to be recovered by guessing).

I just asked 1Password to create a new password and then I walked away knowing that none of my other websites were going to be compromised by this incident.

As the saying goes -

  • Password management software - $39.99
  • Peace of mind - priceless ;-)

Header image: Pixabay.com