The Password Is Password

The science/tech segments I do on TV are interesting to produce. I have to research them because I usually start clueless! Two stories this week are especially good examples.

Monday’s story was on telescopes that see better than Hubble. What I thought I knew was wrong. Technology recently turned true-to-false!

The story for Wednesday I didn’t understand at all. I do now.

Consider this my extra credit report. I learned more than would fit in a short TV story.

Topic: passwords.

You’re usually pretty good with your passwords. You keep them reasonably well hidden and protected. You’re not attacked as often as the big guys.

Business aren’t as lucky. Crooks break into busy computers and steal the passwords on a regular basis. It just happened to LinkedIn.

I thought passwords were encrypted. Nope.

Think of encryption as putting your password in a safe. No one can see in, but your password is there. If you need it you can unlock the safe and take it out.

The downside is if someone cracks the safe your password is gone!

For better protection ‘hash’ the password. A hash is derived by performing a series of complex mathematical calculations on a password.

Here’s the important part. A password can create a hash. A hash cannot create a password. It’s a one way street!

As the hash is calculated websites should throw out your password and save the hash! When you next enter your password the website just checks if today’s hash matches the one you have on file. Simple.

You have your password. The website doesn’t. Nothing to steal here.

Because passwords are so valuable hackers have worked hard and can now figure out some passwords from hashes. The simpler your password the more likely it is to be cracked this way. If you’re Paris Hilton and your password is “tinkerbell,” you’re screwed!

For extra security all a website need do (and what LinkedIn didn’t do) is ‘salt’ the hashes. Salting just means another math step performed individually for each password’s hash. It adds enough additional randomness to make what the LinkedIn thieves got worthless.

At the moment 6.5 million LinkedIn users, especially those who reuse their passwords on other sites, are scrambling. I expect better security from a site lack that.

Thanks to Javvad Malik who answered lots of questions.

2 thoughts on “The Password Is Password”

  1. LinkedIn apparently put up a utility to see if your password was hacked. I didn’t take a chance…I changed it away. There need to be some rules in place for password, but if you make them too hard, your help desk gets flooded…been there…

    1. I suspect they’re calculating your hash then comparing it with the list of password hashes the hackers released.

Leave a Reply

Your email address will not be published. Required fields are marked *