The secret life of passwords

Your password is something very private. Your closest kept secret. It is the key to your digital life. Your emails, private messages, and your browsing history - all secured and protected. Your password is the first line of defence to protect your digital life. You only share it with someone you’d trust with your life because, let’s be real, most of your life is online. So if passwords are so important, why are everyone’s passwords so bad?

Password Mechanics

First, we need to understand the mechanics of how passwords work to protect your account. This is a slightly technical topic so if your eyes start glazing over at any point feel free to skip to the “Password Hacking Summary” where I tell you how to create a strong password. Promise I won’t be offended.

The most basic form of a password is one to access an account. This password is used in addition to the user’s ID (usually their email) to give access to the account. Under the hood, the application will check a database to see if the password entered matches the password stored in the database. So our user database might look something like this:

Username | Password
bob@corp.co | Secret

So if the user enters the username ‘bob@corp.co’ and the password ‘Secret’ then they will be given access to the account.

As you can see the password in this case is stored in the database exactly as it is entered - this version of the password is called the ‘plaintext’ password. In this day and age, storing passwords in plaintext is bad practice and practically never done. If your app does this, find a new developer. More commonly we want to store the passwords in a database in a scrambled format. In technical terms, the scrambled format is known as a ‘hash’. To put it simply, hashes are the result of a mathematical algorithm when the input to the algorithm is the plaintext password.

Plaintext password > Maths Magic > Hash

The beauty of these hashing algorithms is that they are uni-directional, in other words, you can reliably calculate the hash from the password but you can never calculate the password from the hash.

So now before we save the password in the database we calculate the hash:

“Secret” > Maths Magic > AB45F12920

And our database looks like this:

Username | Password
bob@corp.co | AB45F12920

So when the user enters their password, we calculate the hash first and then check the database for a match.

Now a quick side note about hashing algorithms. They aren’t all created equal. Some algorithms are easy to calculate, in other words a computer can calculate them very fast, and some are harder to calculate and it takes a computer a long time to calculate them. The harder it is to calculate, the “more secure” it is.

Like with all the topics I write about, you can go much deeper and I’m sure someone will come at me in the comments but for now, this is all you need to know about passwords and hashing.

Password Hacking 101

Ok, now the fun part. Let’s hack!

Now that we understand how passwords work fundamentally, and we want to hack accounts, let’s go through our options. We will talk about 4 different techniques to get someone’s password:

  1. Brute Force

  2. Password Spray

  3. Cracking

  4. Phishing

Brute Force

This is probably the type of attack most people think about when they think about a hacker trying to get access to their account. Basically it’s trying to log in to your account with lots of different passwords - very fast!

There are different approaches to a Brute Force Attack, the first and least efficient is simply going through every single character combination. For example if the password is 8 characters we start at ‘aaaaaaaa’ and finish on ‘ZZZZZZZZ’. As you can imagine this process would be slow and inefficient. It’s still a useful technique but only in certain circumstances.

The second brute force approach is to get a list of passwords that we know people have set in the past and then try that list.

So for example get the Top 10,000 most used passwords and try them in order. This list would include passwords like ‘Password123!’ and ‘Football!’, ‘qwert1234’ and the list goes on. To be clear, this isn’t a hypothetical, these lists exist and can easily be downloaded.

This second approach is more effective because it tries passwords that are more likely to be set by a human.

But Brute Force attacks like this rarely work, and that’s because most platforms will have some sort of lockout or rate limit to prevent people from trying more than a few passwords at a time.

Password Spray

This technique has the same DNA as a Brute Force attack but smarter. Before, we would have been blocked by rate limiting or timeouts, so trying to log in to the same account multiple times is a no go. So what if we flipped it and reversed it? Instead of trying a thousand passwords on one account, let’s try one password on a thousand accounts. No more rate limiting, no more lockouts.

This type of attack is happening 24/7 on the internet. Scanners and bots are constantly trying to log in to anything and everything on the internet. And it works!

Cracking

Let’s assume a hacker has been able to get the hash of a password. This is a good step, but without the plaintext password they won’t be able to log in properly. The process of getting a plaintext password from a hash is called Cracking.

If you remember what I explained about hashing algorithms, they are uni-directional. You shouldn’t be able to calculate the password from the hash. So how do we do it? Well, this process is similar to a brute force attack, but it runs on the attacker’s computer and therefore there is no rate limiting or blocks.

Here’s how it works:

  1. Get a huge list of common passwords

  2. Go through the list one-by-one and for each password calculate the hash

  3. Check the hash against the hash you have

  4. If they match then you know that’s the password

  5. If they don’t match go to the next password

Remember how I said some hashing algorithms are “more secure”? It’s exactly to protect against this type of attack. If the algorithm is difficult and takes a computer a long time to calculate, then this type of attack could take years to finish. But if the algorithm is easy to calculate and fast, this could take seconds.
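To make the fast-versus-slow point concrete, here is an added example (mine, not part of the original article) that stores the same password two ways, unsalted SHA-256 and salted PBKDF2, runs the five-step wordlist check from above against each, and times it. The six-entry wordlist and the 100,000-round work factor are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the "huge list of common passwords" (real lists have millions).
COMMON_PASSWORDS = ["123456", "Password123!", "Football!", "qwert1234", "Secret", "letmein"]
ROUNDS = 100_000  # assumed PBKDF2 work factor for the demo; the point is that it is tunable


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: designed to be fast, so it is also fast to crack."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256: deliberately costs ROUNDS hash computations per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()


def store(password: str) -> dict:
    """What the database row holds instead of the plaintext: a random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": slow_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare in constant time."""
    candidate = slow_hash(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_crack(matches, wordlist):
    """Steps 1-5 from the article: test each guess, stop at the first match, else None."""
    for guess in wordlist:
        if matches(guess):
            return guess
    return None


def compare_cost(password: str, wordlist=COMMON_PASSWORDS) -> dict:
    """Crack the same password stored both ways and time each attempt."""
    record = store(password)
    fast_target = fast_hash(password)
    salt = bytes.fromhex(record["salt"])
    t0 = time.perf_counter()
    found_fast = dictionary_crack(lambda g: fast_hash(g) == fast_target, wordlist)
    t1 = time.perf_counter()
    found_slow = dictionary_crack(lambda g: slow_hash(g, salt) == record["hash"], wordlist)
    t2 = time.perf_counter()
    return {"fast": found_fast, "slow": found_slow,
            "fast_seconds": t1 - t0, "slow_seconds": t2 - t1}
```

Both runs find “Secret” because it is on the list; the slow one just takes ROUNDS times longer per guess, which is the whole defence. A password that is not on any list, like the passphrases later in the article, is not found by either run.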

Phishing

The last and most dangerous way to get a user’s password is using phishing. You’ve probably heard me talk about this before or done your company’s mandatory training but here is the basic mechanics:

  1. Hacker gets a list of account email addresses, let’s assume it’s corporate Microsoft 365 user accounts.

  2. Hacker sets up a fake Microsoft 365 login page that looks exactly like the real one, except this one is designed to save the username and password that are typed in.

  3. Send the users an email pretending to come from Microsoft 365 asking them to click a link taking them to the fake login page.

  4. The user clicks the link and logs in with their email address and password.

  5. Hacker captures the username and password and can now use them to log in.

There are more advanced phishing techniques than this, but for the purposes of this article this is the one we need.

Password Hacking Summary

To summarise, here are the ways an attacker can get your password:

  • Brute Force Attack - Try lots of different passwords until one works

  • Password Spray - Try one password on lots of different accounts until one works

  • Cracking - Use brute force attack offline against a stolen password hash

  • Phishing - Trick a user into typing their password on a fake login page

Creating Strong Passwords

Now for each attack, let’s go through what type of password would withstand it:

  • Brute Force: If your password is long, and complex it can better withstand a brute force attack.

  • Password Spray: If your password is unique and not in any password list it can withstand a password spray attack.

  • Cracking: If your password is long, complex, and unique it can withstand being cracked from the hash.

  • Phishing: This attack works against any password because you literally type it in... sorry.

Ok, so you need to understand that no matter what your password is, it is still vulnerable to a phishing attack. But that doesn’t mean you can just use crappy passwords. The best passwords are long and unique and ideally generated by, and stored in, a password manager.

Here are some examples of what bad passwords look like:

  • Spring2025!

  • Letmein123!

  • $uperman123@

  • Ilovemom1990!

  • AC/DC1980

  • Qwerty2025@

  • 123Asdf!@#

Here are some examples of good passwords:

  • 73K4%^Q*D@8qmGm!CrPUN9Y6

  • tWXCFzHASi^fgt33#$KSXfd^

  • @YkV%!tnL*6X!Kp6oNxPfk^k

  • trickily-depletion-occupant-evidence

  • frenzy-settling-saucy-staleness

Obviously remembering super complicated passwords like that is going to be almost impossible, especially if you do the right thing and have a different password for each account. Until the time comes that everything is passwordless, you will need to remember some passwords so here is my recommendation on how to create strong passwords:

Only remember 3 passwords:

  1. Your email address password

  2. Your computer login password

  3. Your password manager password

Create memorable passwords by creating pass phrases like this:

  1. Select 4 random words

  2. Choose a special character as a separator (,./-_+=’”~*)

  3. Add a number somewhere

For example:

4 words: Raisin Plastic Grind Green

Special character: /

Number: 666

Resulting password: Raisin/Plastic/666/Grind/Green
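The recipe above, turned into a small generator as an added example (my code, not from the article): it picks the words, separator and number with the operating system’s secure random source rather than a predictable one, and includes a checker that confirms a passphrase follows the recipe. The twelve-word list is constructed for the demo; a real generator would draw from a dictionary of thousands of words.

```python
import secrets

# Constructed mini word list; a real generator would use a dictionary of thousands of words.
WORDS = ["raisin", "plastic", "grind", "green", "frenzy", "settling", "saucy", "staleness",
         "occupant", "evidence", "depletion", "trickily"]
SEPARATORS = ",./-_+='\"~*"  # the separator characters suggested in the article


def make_passphrase(words=WORDS, n_words=4, separators=SEPARATORS, number_digits=3) -> str:
    """Build a passphrase the article's way: 4 random words, one separator, a number
    inserted somewhere. Uses the secrets module (a CSPRNG), never the random module."""
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    sep = secrets.choice(separators)
    number = str(secrets.randbelow(10 ** number_digits))  # assumption: up to 3 digits
    position = secrets.randbelow(n_words + 1)  # any slot between or around the words
    chosen.insert(position, number)
    return sep.join(chosen)


def looks_like_recipe(passphrase: str, separators=SEPARATORS, n_words=4) -> bool:
    """Check that a passphrase follows the recipe: exactly one separator character,
    n_words alphabetic words and exactly one number."""
    seps = {c for c in passphrase if c in separators}
    if len(seps) != 1:
        return False
    parts = passphrase.split(seps.pop())
    numbers = [p for p in parts if p.isdigit()]
    words = [p for p in parts if p.isalpha()]
    return len(numbers) == 1 and len(words) == n_words and len(parts) == n_words + 1
```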

So go ahead and update your passwords by creating strong passwords and you’re protected against a few of the most common attacks.

Samir Ghanem

I’m obsessed with solving tough cyber security problems. Breaking into networks, uncovering vulnerabilities, understanding how attackers think. What I’m not interested in is churning out reports no one uses. I started Brace Cyber to deliver attacker grade services and practical security outcomes for organisations that actually want to be secure. Straight answers, real expertise, no nonsense.
