Everybody has passwords. Nobody likes them. You have long ones, short ones, and ones that are almost impossible to remember. You forget them, reset them, and when you do finally burn them into your brain, you have to change them and the whole damn process starts over again.

We’re told that a good password has to be at least 8 characters, have uppercase, lowercase, symbols, digits, astronomical signs, hieroglyphics, and not contain any personal information such as your birthday or dog’s name. You also shouldn’t use the same password for more than one thing.

What if I said that even the complex password “y$o&N!1<” isn’t actually secure? It looks like it is, but a password is only as good as the way the website you use it on stores it. If that website stores passwords in plain text, even “gWQvy4GSJdtjncpDk@M9” is not secure.

When a string of characters is run through a cryptographic hash function, it always produces the same fixed-size output, called a hash. For example, the password “y$o&N!1<” will always produce the hash “dabf809386a942058d6b54f31c82e9f4”. By storing the hash instead of the password, a website can authenticate its users without ever knowing the actual password: when you log in, it hashes what you typed and compares the result with the stored hash.

Pre-computed databases of password hashes, called Rainbow Tables, exist. Using one, it’s possible to recover a 10-character complex password from its hash in a few hours. However, generating these tables takes years, which is why the length of a password matters more than its complexity, provided the password is not a dictionary word.
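The two ideas above, hash-and-compare authentication and the precomputed-table lookup it is exposed to, are easier to see in code. The example below is added here and is not from the original article. It uses MD5 only to stand in for the fast, unsalted hash the article describes (the article's 32-hex-digit example is MD5-sized), builds a toy precomputed table from a constructed word list to show why identical passwords with identical hashes are a problem, and then stores the same password the way a site should: with a random per-user salt and a deliberately slow PBKDF2 derivation, which precomputed tables cannot cover. The word list, iteration count and `make_record`/`verify` names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a precomputed table's input.
CONSTRUCTED_WORDLIST = ["password", "letmein", "y$o&N!1<"]


def unsalted_hash(password: str) -> str:
    """The scheme the article describes: one deterministic, fast hash per password.
    Every user with this password gets exactly this digest, which is what a
    precomputed table relies on. MD5 is used purely as the illustrative fast hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_table(wordlist) -> dict:
    """A toy precomputed table: digest -> password, computed once and reused."""
    return {unsalted_hash(p): p for p in wordlist}


def lookup(digest: str, table: dict):
    """Recover a password from its unsalted digest if the table covers it."""
    return table.get(digest)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a password the defensive way: random salt + slow key derivation.
    The salt makes each stored hash unique even for identical passwords, so a
    table computed in advance cannot match it; the iteration count makes each
    guess expensive. Iteration count is an assumption for this example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Authenticate by re-deriving with the stored salt and comparing in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    table = build_table(CONSTRUCTED_WORDLIST)
    # Unsalted: the digest of the article's example password is in the table.
    print("unsalted lookup:", lookup(unsalted_hash("y$o&N!1<"), table))
    # Salted: two users with the same password get different records, and
    # neither record's hash appears in the table.
    rec_a, rec_b = make_record("y$o&N!1<"), make_record("y$o&N!1<")
    print("same hash for same password?", rec_a["hash"] == rec_b["hash"])
    print("salted lookup:", lookup(rec_a["hash"], table))
    print("verify correct:", verify("y$o&N!1<", rec_a))
    print("verify wrong:", verify("gWQvy4GSJdtjncpDk@M9", rec_a))
```

`make_record` is what a site should do on signup and `verify` on login; the unsalted path exists only to show why a bare hash of the password is not enough, however long the password is.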

The best way to get that length is to use a concept developed by Steve Gibson at Gibson Research Corporation called Password Haystacks. Cracking a password is like looking for a needle in a haystack, so what you need to do is make the haystack bigger. Take a relatively easy-to-remember, non-complex password, such as “Sk8b04rd1ng!!”, and pad it with an easy-to-remember pattern of symbols to increase its length. That turns it into the complex but still memorable password {^][^^}Sk8b04rd1ng!!{^^][^}. This password has 33 characters and is very unlikely to appear in any pre-computed Rainbow Table.
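The haystack idea is about the size of the space a guesser has to search, so the natural worked example is to pad a base password and count that space before and after. The code below is added here and is not from the article or from Gibson Research Corporation's own haystack calculator. It assumes the guesser has to try every string over the 95 printable ASCII characters up to the target length (the alphabet size, the guess rate and the function names are this example's assumptions), and feeds it the base password and padding patterns quoted above.

```python
# Assumed alphabet: the 95 printable ASCII characters (space through '~').
PRINTABLE_ASCII = 95

# Constructed guess rate for the time estimate, in guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e12


def pad_password(base: str, left: str, right: str) -> str:
    """Wrap an easy-to-remember base in an easy-to-remember pattern of symbols."""
    return f"{left}{base}{right}"


def search_space(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidate strings of every length from 1 up to `length`.
    This is the 'haystack': everything a guesser must cover to be sure of
    finding a password of at most this length over this alphabet."""
    return sum(alphabet_size ** k for k in range(1, length + 1))


def worst_case_years(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(base: str, left: str, right: str) -> dict:
    """Report how much padding grows the haystack for the given base and pattern."""
    padded = pad_password(base, left, right)
    before = search_space(len(base))
    after = search_space(len(padded))
    return {
        "base_length": len(base),
        "padded_length": len(padded),
        "space_before": before,
        "space_after": after,
        "growth_factor": after // before,
        "years_before": worst_case_years(before, ASSUMED_GUESSES_PER_SECOND),
        "years_after": worst_case_years(after, ASSUMED_GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    report = compare("Sk8b04rd1ng!!", "{^][^^}", "{^^][^}")
    for key, value in report.items():
        print(f"{key}: {value:.3e}" if isinstance(value, float) else f"{key}: {value}")
```

The growth factor is the point of the technique: each extra character multiplies the haystack by the alphabet size, which is why a longer password made of simple symbols outgrows a shorter one made of exotic characters. The estimate only holds while the padding pattern is something the guesser has to discover character by character rather than a pattern it already tries.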

Password Haystacks offer a convenient way to drastically increase your security, while still being pretty easy to remember.


This article first appeared in Memorial University’s student newspaper: The Muse http://themuse.ca/2012/09/12/everybody-hates-passwords/
