Why do we need to use passwords?
According to Wikipedia: “A password is a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource which is to be kept secret from those not allowed access.” Since we need to keep some things to ourselves, it is good practice to secure them properly. In this blog post I will try to explain why it is important to use unique, strong passwords and how to manage them easily.
Oh, and I will explain it from the site’s security perspective, but the rules are similar when it comes to securing all your accounts.
From a site’s developer perspective:
Obviously, we don’t want to give everyone access to our website. So, both Joomla! and WordPress secure the user passwords by MD5-hashing them in the database.
Meet Joe. Joe will ask some questions and I will try my best to answer them.
- What does that mean?
- Well, the MD5 algorithm is a widely used hash function producing a 128-bit hash value. So basically your “password” would look like this: “286755fad04869ca523320acce0dc6a4” in the site’s database.
- Ok, so I’m good, right?
- Not really, but I’ll explain that later.
- You’re giving me the creeps...
- There’s more to it. Hackers can obtain your MD5-hashed passwords in many ways. For example:
1. You can become a victim of a brute-force attack - hackers use everything they have to crack the password, exploiting vulnerabilities on your site, whether in an extension, plugin, theme or the CMS itself (our mantra: please keep your site up to date).
2. You can become a victim of a data breach - haven’t you heard about hackers stealing personal information from big companies? Just take a look at https://haveibeenpwned.com and you may see where all those spam messages or the strange activity on your account come from.
3. You can become a victim of information theft - hackers can “access” portions of your site to obtain information they are not supposed to see.
- Ok, but what about this MD5 hash? It does not look like my password at all.
- For the sake of this blog, I have established a virtual environment on my PC and installed a cracking tool there. I have also generated the MD5 hash of the most popular password, “123456”. Guess how much time it took me to crack the password on a small virtual machine with really limited resources? Exactly 5 seconds...
Anyway, the proof is below and I hope it convinces you:
Just take a stab at your password here: https://www.kaspersky.com/blog/password-check/ and see how much time it will take a “regular” user to crack it.
From a regular user perspective:
- Ok, you convinced me, but what exactly is a secure password?
- I will go the other way. I will tell you what you should never do:
1. Never use passwords from a dictionary - they are in the online wordlists, so these passwords can be cracked easily
2. Never use obvious combinations, like 12345, asdfg, etc. - these are the most common passwords
3. Never use a similar login and password - isn’t that obvious now, eh?
4. Never use a word that can easily be related to you (let’s say your girlfriend’s name, your pet’s name, etc.)
- Yup, that makes sense.
- So, a secure password should:
1. Be unique
2. Contain 12-15 characters
3. Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
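As an added example (not part of the original post), here is a small Python script that applies the “never” and “should” rules above, plus the site-side counterpart of the MD5 discussion earlier: a constructed ten-word list standing in for a real online wordlist is hashed once, after which a stored unsalted MD5 of a common password is matched by a plain lookup. The wordlist, function names and the uniqueness rule being left to a password manager are assumptions.

```python
import hashlib
import re

# Constructed stand-in for the online wordlists the post mentions; real lists
# run to millions of entries, but the lookup works the same way.
COMMON_WORDS = {"123456", "password", "12345", "asdfg", "qwerty", "letmein",
                "welcome", "monkey", "dragon", "football"}


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the storage form the post describes."""
    return hashlib.md5(text.encode()).hexdigest()


# Hash the wordlist once; every common password is then a dictionary lookup,
# which is why "123456" falls in seconds on a tiny virtual machine.
MD5_TABLE = {md5_hex(w): w for w in COMMON_WORDS}


def crackable_by_lookup(stored_md5: str):
    """Site-side audit: return the common password behind a stored hash, else None."""
    return MD5_TABLE.get(stored_md5.lower())


def password_problems(password: str, login: str, personal=()):
    """Apply the post's rules; return the violated ones (empty list = passes).
    Rule 'be unique' cannot be checked locally; a password manager covers it."""
    problems = []
    low = password.lower()
    if low in COMMON_WORDS:                                   # never rule 1
        problems.append("dictionary/common word")
    if re.search(r"12345|asdfg|qwerty", low):                 # never rule 2
        problems.append("obvious keyboard/number sequence")
    if login and (login.lower() in low or low in login.lower()):  # never rule 3
        problems.append("similar to login")
    if any(p and p.lower() in low for p in personal):         # never rule 4
        problems.append("contains a personal word")
    if len(password) < 12:                                    # should rule 2
        problems.append("shorter than 12 characters")
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password))
    if not all(classes):                                      # should rule 3
        problems.append("missing upper/lower/digit/symbol mix")
    return problems


if __name__ == "__main__":
    print(crackable_by_lookup(md5_hex("123456")))
    print(password_problems("123456", "joe", personal=("Rex",)))
    print(password_problems("Tr0ub4dor&3xample!", "joe", personal=("Rex",)))
```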
- But there are so many rules and frankly, I am pretty sure I won’t remember the password to every site I have access to.
- It’s understandable. You can use a password manager, like 1Password or KeePassX, to keep them safe in one place. There are a lot of them on the market.