Tech Tuesdays: Password Security

There’s a security sin that we’re probably all guilty of…
Using the same password on multiple games/websites.

Databases get compromised in different ways.  The method of attack doesn’t matter.  The important thing is that the attacker has what’s called a hash of your password for that account.

What is a hash?  A hash is the result of running your password through a one-way hashing algorithm.  When you log in somewhere, your password isn’t stored on their server after you send it; only the hash is.  Every time you log in, the server takes the password you provide and runs it through this algorithm, then compares the result to what’s stored in the database.  If they match, you’re in.

But wait, what if two passwords make the same hash?  This happens!  It’s known as a collision, and you could enter either password and still log in.  Fortunately, because of a part of the algorithm called the salt (which SHOULD be unique for every service), a collision on one server isn’t necessarily a collision on another.

Without the salt, it’s really hard for someone to come up with your password just from the hash.  Unfortunately, if they were in a position to steal the user database, chances are they compromised the web server as well and have the salt.

“Well so-and-so on the news said that it would take thousands of hours of computer time to break an 8-character password!”  This is true.  Running through every possible iteration of an 8-character alphanumeric (and symbolic) password would take a really long time.  That’s why hackers broke it up into chunks and had a lot of computers going to town on it and saving the results.  These are known as Rainbow Tables.  An unsalted MD5 hash is already solved.  All a hacker has to do is take the hash and look it up in this table.  Fortunately, modern websites salt their hashes.

Unfortunately, this just means once a hacker has a hash and the salt used to make it, they can use a botnet to have tons of computers chewing on it until they solve it.  They only have to make the table once to solve everyone’s password from that website.
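To make the difference between an unsalted hash and a salted one concrete, here is an added example in Python (not code from the original post). The candidate list and the PBKDF2 iteration count are assumptions for the demo; the point is that an unsalted fast hash is a table lookup, while a per-user random salt plus a slow key-derivation function forces fresh work for every stolen record.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the huge lists that precomputed
# (rainbow) tables are built from; assumption for the demo only.
CANDIDATES = ["password", "letmein", "ILikeToMoveItMoveIt", "U7#21szD", "qwerty123"]


def unsalted_md5(password: str) -> str:
    """The legacy scheme the post calls 'already solved': a fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once.  Because nothing per-user goes into the
    hash, this one table answers the same question for every site using MD5."""
    return {unsalted_md5(pw): pw for pw in candidates}


def lookup(table: dict, stolen_hash: str):
    """Recovering an unsalted hash is a dictionary lookup, not a computation."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes any precomputed table useless; the iterations make each
    guess against a single record expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str) -> dict:
    """What a server should store at signup: the salt and the derived hash,
    never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))
```

Two users who pick the same password get different salted records, so even a table built from one breach says nothing about the other.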

So, let’s say I’m a hacker.  I stole a password hash from a forum you visit.  I do the stuff I talked about above and get your actual password.  If you used that password on the email account you used to register at the forum, I now have access to your email.  I look in your email and see you play a lot of online games.  Oh, you used the same password for all of those, too, and you don’t use an authenticator.  I’m going to sell your accounts on PlayerAuctions.  I log in to Facebook as you since you used the same password there, too.  Oh, you’re going on vacation for the next week?  Great, time enough for the money to clear before you recover your accounts and I disappear into the ether.

Now, not only can I do that, I can automate it so the thousands of people on that forum all have the same thing happening to them.  My script can build a table showing me what it was able to log in to using your credentials.  If your bank sends you any emails, well…

So what’s our overall lesson here?  DO NOT REUSE PASSWORDS.  Use a password manager like LastPass or KeePass.  Create a unique password for each site and use the password manager to log in to it.  Use authenticators.  Long passwords are better and take longer to break.  U7#21szD is less secure than ILikeToMoveItMoveIt.  Want a really secure password?  Pick a sentence from your favorite book.  “Shereturnedashysmile.” is good enough for most Active Directory security measures.  For the ridiculous ones that make you include a number, either replace a letter with a number (“Sh3returnedashysmile.”) or tack it on somewhere (“Shereturned0ashysmile.”).  Will it take you a bit longer to log in?  Yes.  Depending on your typing speed, 5 extra seconds when logging in can save you days of stress and frustration down the road.  Use a different sentence for each account.

Please, take care of your online accounts.


Tech Tuesdays are editorial pieces of advice to help you with your gaming rigs/consoles. These are intended to be weekly articles and may be written by any of our staff writers.

SUNDAY, JUNE 25, 2017
Copyright 2012 Beazley Entertainment
All text, images, and other material posted by Video Game Scoreboard administrative staff to the website or the forums are the property of Video Game Scoreboard and cannot be duplicated, republished or retransmitted without the express written permission of the Video Game Scoreboard. All rights reserved.