why you should use strong passwords.
Now, more than ever before, we should all be using strong passwords. By strong, I mean long, complex and unique passwords.
Unfortunately, using long and complex passwords to protect our online accounts is both awkward and cumbersome and most of us will try to avoid doing so.
Which is why I'm writing this article. To try to convince you to accept the inevitable before it's too late.
To understand why we need to be using strong passwords and how they can help protect our online identity, we need to look at how passwords are stored on a website.
It's a little more complicated than you might think.
When you first arrive at a website where you're going to create an account, generally, you'll be asked for your email address and then a password.
Depending on the actual account you're creating, you may also be asked to fill in other personal details.
There's nothing surprising here, we've all done this at some point, whether it's for a Facebook account, eBay, Amazon, or whatever, it's all pretty much standard.
What happens next though, that's where the magic comes in.
When you've filled in your Username (usually your email address) that gets stored on the website's servers (computers).
But the password you entered, that gets HASHED.
Then the hash of your password is stored alongside your Username.
The website you're logging into only stores your Username and the Hashed version of your password. They don't store (or save) your actual password.
In this simple example, Joe has used the password "abc123", but after it's been hashed, it becomes E99A18C428CB38D5F260853678922E03
A quick word about the word "hash". The dictionary definition, amongst other meanings, is "To confuse or to muddle".
And in general use, when you've made "A hash" of something, it means you've made an irretrievable mess.
I think you'd have to agree that changing "abc123" into "E99A18C428CB38D5F260853678922E03" is making a mess of it.
And that's why it's called hashing. You're jumbling it up, making a mess of it.
So to be clear, the website you're trying to log into only has your username and the hashed version of your password. They don't have the actual password that you typed in.
No one stores (or keeps) the actual password (or at least they shouldn't). They only have the hash of your password.
Which is why, when you forget your password, they can't simply tell you what it is. All they can see on their system is the hash of your password.
They would have no idea what numbers and letters you used to create that particular hash.
Instead, they have to send you a link (or some other means) for you to create a new password.
Oh, and if you're wondering why your password gets hashed, it's because storing a password in plain text would just make things way too easy for hackers. As you'll see later.
In our original example, Joe used the password "abc123", which produced a hash of E99A18C428CB38D5F260853678922E03.
It's this hashed version of his password that will be stored against his username.
Every time Joe returns to the website and logs in, his username goes through in plain text, but when he inputs his password (abc123), it will be hashed and the two hashes are compared. If they match, then Joe is allowed into his account.
Changing just one letter or number of a password will produce a hashed version that is very different.
If we change the small letter "a" to be a capital letter "A", the hash changes dramatically.
Which explains why we will get locked out of our own accounts for even the smallest typing error.
Remember that the computer you're trying to log in to is comparing the hashes. And they're completely different.
You can try it for yourself, there are many websites out there that will hash anything you type in.
One such site is Password Generator
Enter a potential password into the box, click the GENERATE button, and below you'll see the hashed version of your password.
hacking & data breaches.
OK, so now we know how a website stores your login info (username and password). Now we need to consider website hacking and data breaches.
We've all heard these phrases on the news channels, but what is a data breach? What are they actually talking about?
Put simply, a data breach is when a hacker, or group of hackers, break into a company's website and steal some information from it.
Usually, that information is usernames and passwords. Your username and password.
And the creepy thing is, that's what they came for, it's not a consolation prize. Your login details are exactly what they came after.
The information they get away with is your username and the hashed version of your password.
But what good is the hashed version of a password to them? They can't type the hash into the password box, it won't work.
On the face of it, that's right, the hashed version of a password is useless.
But consider this, we already know that E99A18C428CB38D5F260853678922E03 is the hashed version of "abc123".
So every time we see E99A18C428CB38D5F260853678922E03, we'd know that the password is "abc123", right? That's assuming we can remember such a long string of numbers and letters.
Which is difficult for us humans, but for computers, not difficult. It's what they're good at.
decrypting your hashed password.
Out there, on the Internet, there are lists of millions (possibly billions) of hashes and the passwords that were typed in to create them.
The lists can be downloaded by anyone who wants to search Google for them.
So now what the hacker does, is to tell their computer which hash to look for.
The computer then scans the lists until it finds an exact match. When it does, it reads across to find which password created the hash, and then outputs the real password onto the screen.
In our example, Joe used the password "abc123". Which produced a hash of E99A18C428CB38D5F260853678922E03.
Now that hash seems impossible to crack. How can you get the password from that?
But the hackers don't need to do that. They don't need to crack it. They simply look it up.
It's rather like looking up a phone number in the telephone directory and seeing who it's registered to. Or looking up an address to see who lives there.
If you know what you're doing, it's child's play.
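Here is the whole story above (the login comparison, the one-letter change, and the hash lookup) in working Python. This is an added example, not code from the article; it uses MD5 because that is the algorithm that turns "abc123" into the hash quoted in the article, and the common-password list and the strong password are constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for the multi-million-entry hash lists the article describes.
COMMON_PASSWORDS = ["123456", "password", "abc123", "Password12", "Pa55w0rd?", "qwerty"]


def md5_hex(password: str) -> str:
    """Hash a password the way the article's example does (MD5, upper-case hex)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def build_lookup(passwords):
    """Hash -> plaintext table: a miniature version of the downloadable lists."""
    return {md5_hex(p): p for p in passwords}


def login_check(stored_hash: str, typed_password: str) -> bool:
    """What the website does at login: hash what was typed, compare the two hashes."""
    return md5_hex(typed_password) == stored_hash


def hex_positions_differing(hash_a: str, hash_b: str) -> int:
    """How many of the 32 hex characters differ between two hashes."""
    return sum(1 for x, y in zip(hash_a, hash_b) if x != y)


def recover_from_breach(stolen_hash: str, lookup):
    """What the article's hacker does with a stolen hash: look it up, no cracking needed."""
    return lookup.get(stolen_hash)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    joe_hash = md5_hex("abc123")
    print(joe_hash)                                   # E99A18C428CB38D5F260853678922E03
    print(login_check(joe_hash, "abc123"))            # True: hashes match
    print(login_check(joe_hash, "Abc123"))            # False: one capital letter, different hash
    print(hex_positions_differing(joe_hash, md5_hex("Abc123")))
    print(recover_from_breach(joe_hash, table))       # abc123: found in the list
    strong_hash = md5_hex("gX7#pLq9!vR2mZ4@wB")        # constructed strong password
    print(recover_from_breach(strong_hash, table))    # None: nothing to look up
```

The lookup only works because the hash is unsalted and fast to compute; a site that salts each password and uses a slow hash such as bcrypt makes these lists useless, but since you cannot tell which sites do that, a strong unique password is the part you control.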
use a strong unique password.
All of which means that whichever website got hacked and suffered that data breach, the hackers now have Joe's username and his password.
And it could be you.
There are many websites that you can use to check if your passwords have already appeared on one of these lists.
One of the best is Have I Been Pwned / Passwords
Enter a password into the box, click the PWNED? button, and err, panic.
In this example, I entered abc123. Whoops.
You'll find similar results if you try - password, Password12, Pa55w0rd?, or just about any derivation of password that you can think of.
So if that's you, if you're using something like that, stop it. Stop it now.
So let's try that again, this time with an example of a strong password -
And when I type it into Have I Been Pwned, it's good news.
The hash for that super-strong password is
So if Joe had used that strong password, the hackers that made off with his login details would be looking at something like this on their computer.
Which in turn means that they can't access his account.
The strong password has done its job, it kept them out.
And a strong, unique password can do the same for you. It will help protect you, your identity, your account and your data from those who would steal it.
if you haven't been hacked yet.
If you haven't had an online account hacked yet, don't worry. Don't feel left out. They will get to you. It's only a matter of time. They've got a lot of people to get through. But you're definitely moving up the list.
The statistics for website hacking and account thefts are staggering, to say the least.
Some estimates reckon that at least 30,000 websites are hacked every day. Yes, that's every day. And since many website owners are understandably a little shy about admitting to being hacked, that's probably an underestimate.
The vast majority of these sites will be small sites, small businesses, but virtually every major website and company has been hacked at some point. And will be again in the future.
Try searching Google for "How many websites hacked" or maybe "How many companies hacked this year". The numbers are staggering.
So when I say that they're coming for you, I mean just that, sooner or later, your details will be taken.
And your only shield will be a strong password. Don't be like Joe.