blog.

In Part One, I dealt with what makes a good (or bad) password.

In Part Two, I'll talk a little about how passwords should be held behind the scenes. It's the most techie part of the series, but it sets us up nicely for Part Three, so please bear with me!

Most people don't give much thought to what Facebook/The Bank/Bob's Website do to store our passwords behind the scenes. We trust them to do a good job, but what does that mean?

Good websites (such as all ours at Focus, of course!) will never store a password in plain text. Even if my password was "password" - an exceptionally bad choice! - we'd never store in the database:

user: neil
password: password

Instead, we store the password with something sometimes called "one way encryption". In simple terms, it means it's really easy to take "password" and turn it into a seemingly random string like "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" - but it's just about impossible to get from that string back to the original phrase "password". (*)

Then, if a hacker does manage to obtain somehow a list of usernames and passwords from the database, they don't see the password in plain text, but instead see this messy string - and there's no way to get the string back to "password" again.

When you login to the site, we (roughly speaking) take the string you've entered, use one-way-encryption to turn it into the messy string, and see if that matches what's in the database - if it does, then we've verified your password is correct without needing to ever store your password. (Clever!)

So, back to our example, say a hacker does obtain a list of encrypted passwords. We know they can't turn them back into password - BUT - if they know the method we're using to turn passwords into encrypted ones, they can try guessing passwords one at a time, encrypting them, and seeing if they match what's in the database. If it does, they've guessed your password.

This is a good reason you shouldn't use a common password; a hacker can (if they obtain one of the lists above), run a dictionary of common passwords through this method, and probably find some passwords quite quickly.

If your password is a good secure password, they will have to use "brute force", which is the password equivalent of trying to open a combination padlock by trying 111, 112, 113, 114, 115, etc. If your password is long, the hope is that it will take an incredibly long amount of time to break it.

If your password is upper and lower case letters, numbers and common symbols, and 8 characters long, it could take up to 23 years for a computer to "brute force" it, working 24x7x365 (**). Hopefully, you'll have changed it by then!

Now we know a little bit about how passwords are stored, in Part Three, we can draw some conclusions, spot bad websites, and learn why you shouldn't use the same password on different sites.

(*) Note for extreme techies: that's a SHA256 hash of password, which is simpler than I'd recommend using in real life.

(**) Source: http://www.lockdown.co.uk/?pg=combi