vulnerability

Stories From An IT Security Professional

Why Password Re-Use Is Bad For You

Every now and then, a website on the Internet gets hacked and the sensitive data of its users is stolen. Sensitive data can be anything: your email address, your birthday, your social security number, your credit card details or your password (in hashed, encrypted or plain-text form). All of this data is critical to you, but the password is by far the most useful item for an attacker.

Imagine you have an email address JonPeter83@vulnerability.ch. On this account you have a fairly strong password: at least 8 characters, with upper and lower case, a number and a symbol, like J0n;Pass. Cool, you are better than many other users on the Internet nowadays. Now imagine you are a big fan of Minecraft and are a member of a Minecraft fan forum. There, too, you have to pick a strong password (min. 8 chars, mix of upper and lower case, numbers, symbols etc.). But now you make the big mistake of re-using your password. And since you have to verify that you are real and not some bot, you have to link your email address to the forum account. Nobody sees this, you think. But you are wrong. Your email address is stored in the website's database server and any administrator can access it. Or worse, any attacker who finds a SQL injection vulnerability can read out the forum's database content, and with it your email address and your (hopefully) hashed password. Many sites still use the plain MD5 or SHA-1 hashing algorithm without a salt. Your password then becomes one of the values below:

Hash     Output
MD5      6e117518d56e0920951b947905cc8c4a
SHA-1    7266ac431d499cd13ac82662ecd637dc22d161d6
SHA-256  c3f1cee4ede03ab989af0977771dbd9e1704bea87b555cdf856c5be834adf43a

Looks much longer and maybe even more secure than your password, right? Well, no. These are fast, unsalted hashes. With today's computers and high-performance graphics cards an attacker can test billions of MD5 or SHA-1 candidates per second, and a password like J0n;Pass (a name plus a dictionary word with a single leet substitution) falls to a rule-based dictionary attack long before the attacker even needs to brute-force the full alphabet (a-z, A-Z, 0-9, special symbols). And because there is no salt, every user of the forum who chose the same password has exactly the same hash, so one cracked hash unlocks all of their accounts at once. You do not stand a chance.


Conclusion

This is why it is so important to have a unique, complex password and to create a new password for every account you have (email, forum, Facebook, Twitter, Tumblr etc.). And do not even think about creating a pattern for your passwords like "9a^u@YEC-EMAIL", "9a^u@YEC-FACEBOOK", "9a^u@YEC-FORUMX". Attackers are not stupid ;-).

A recommended way to do this would be the use of a password manager, which creates complex passwords on the fly and stores them securely on your computer.

If you are a developer or site operator, please make sure you are storing your users' passwords strongly enough. Recommended is a password hashing algorithm like PBKDF2 or bcrypt (scrypt and Argon2 are newer alternatives), always with a random per-user salt and a work factor you can raise as hardware gets faster. Those have the advantage that they take time to calculate (several hundred milliseconds per guess), which makes it nearly impossible to check millions of combinations per second, and the salt means two users with the same password no longer share a hash. And of course, make sure your application does not have any vulnerabilities ;-).
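To make both halves of the story concrete, here is an added example (my own code, not part of the original post). It hashes the example password J0n;Pass with MD5, SHA-1 and SHA-256, runs a small rule-based dictionary attack (casing, leet substitutions, two words joined by a separator, the kind of rules every cracker tries first) against the unsalted MD5, shows that the cracked forum password also opens the mail account in a simulated credential-stuffing step, and finally stores the same password with salted PBKDF2 so that two records for the same password differ and each guess costs real time. The wordlist, the two "breached" site tables and the iteration count are constructed for the demo; PBKDF2 from the standard library stands in for bcrypt so the example runs without third-party packages.

```python
"""Added example (not from the original post): an unsalted fast hash does not
protect a re-used password; a salted, slow KDF changes the economics.
The wordlist, the 'site' databases and the password are constructed for the demo."""
import hashlib
import hmac
import os
import time

PASSWORD = "J0n;Pass"            # the example password from the post


# --- 1. what a forum using a fast, unsalted hash actually stores ------------
def fast_hashes(pw: str) -> dict:
    data = pw.encode()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# --- 2. a small rule-based dictionary attack (constructed wordlist) ---------
WORDLIST = ["jon", "peter", "pass", "password", "minecraft", "creeper", "steve"]
LEET = {"o": "0", "a": "@", "e": "3", "i": "1", "s": "$"}
SEPARATORS = ["", ";", "-", "_", "!", "123"]


def mangle(word: str) -> set:
    """Casing plus single and full leet substitutions: the first rules any cracker tries."""
    out = set()
    for base in (word, word.capitalize(), word.upper()):
        out.add(base)
        for i, c in enumerate(base):                      # one substitution at a time
            if c.lower() in LEET:
                out.add(base[:i] + LEET[c.lower()] + base[i + 1:])
        out.add("".join(LEET.get(c.lower(), c) for c in base))  # every letter substituted
    return out


def candidates():
    """Single mangled words, then every pair joined by a separator (~50k guesses)."""
    singles = sorted(set().union(*(mangle(w) for w in WORDLIST)))
    yield from singles
    for a in singles:
        for sep in SEPARATORS:
            for b in singles:
                yield a + sep + b


def crack(target_hex: str, algo: str):
    """Return (password, candidates_tried, seconds); password is None if not found."""
    h = getattr(hashlib, algo)
    start = time.perf_counter()
    n = 0
    for n, cand in enumerate(candidates(), 1):
        if h(cand.encode()).hexdigest() == target_hex:
            return cand, n, time.perf_counter() - start
    return None, n, time.perf_counter() - start


# --- 3. credential stuffing: the forum leak unlocks the mail account --------
def reuse_attack(forum_db: dict, mail_db: dict, victim_email: str):
    """forum_db / mail_db map email -> unsalted md5 hex (constructed 'breached' tables).
    Crack the forum hash, then try the recovered password at the mail provider."""
    recovered, _, _ = crack(forum_db[victim_email], "md5")
    if recovered is None:
        return None
    if hashlib.md5(recovered.encode()).hexdigest() == mail_db[victim_email]:
        return recovered                                   # same password: account taken over
    return None


# --- 4. what a salted, slow KDF (PBKDF2-HMAC-SHA256) changes -----------------
ITERATIONS = 200_000   # constructed; tune so one verification costs ~100 ms or more


def store_pbkdf2(pw: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)                                  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)           # constant-time compare


if __name__ == "__main__":
    email = "JonPeter83@vulnerability.ch"
    md5 = fast_hashes(PASSWORD)["md5"]
    forum = {email: md5}          # constructed leaked forum table
    mail = {email: md5}           # same password re-used at the mail provider
    print("stored MD5 identical at both sites:", forum[email] == mail[email])
    pw, tried, secs = crack(md5, "md5")
    print(f"cracked {pw!r} after {tried} candidates in {secs:.3f}s "
          f"({tried / secs:,.0f} MD5/s in pure Python; a GPU does billions)")
    print("mail account unlocked:", reuse_attack(forum, mail, email) == PASSWORD)
    a, b = store_pbkdf2(PASSWORD), store_pbkdf2(PASSWORD)
    print("PBKDF2 records differ despite the same password:", a != b)
    t = time.perf_counter()
    verify_pbkdf2(PASSWORD, a)
    print(f"one PBKDF2 verification: {time.perf_counter() - t:.3f}s")
```

The interesting number is the per-guess cost: the MD5 loop checks tens of thousands of candidates in a fraction of a second even in Python, whereas a single PBKDF2 verification takes on the order of a tenth of a second, and because each record carries its own salt the attacker has to pay that cost again for every user instead of cracking the whole table at once.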
