Web Safety in 2025
Introduction
Scams and phishers are everywhere these days. They target the tired and the desperate as easy prey, and the current economic situation has left many people searching for any safe port in the storm. But sadly, if it sounds too good to be true, it most certainly is.
Knowing how to protect yourself is key. Identity theft is commonplace, and the internet makes it easy to gather information about people. Skim somebody's social media and you'll come across birthdays, anniversaries, pets, the names of relatives, the relationships between individuals, and more. That paints a mostly filled-in picture for anyone who wants to grab it and have a go at social engineering the last bit of information they need out of you.
Staying safe on the modern web is a minefield. You must assume everything may be a scam and conduct yourself accordingly. To help shine a light into the darker corners of operational security on the modern web, I’ll be writing a series of blog posts on the matter. As more of our life is tied to online only services, it’s vitally important that each and every one of us understands how to stay safe.
Part One - Passwords
Entropy
We'll start with passwords. Weak passwords are cheap to crack, and that's assuming the attacker even needs to crack one rather than make an educated guess based on your pet's name and the year you graduated.
The complexity of a password can be measured in bits of entropy. The formula is E = log₂(R^L), which is the same as E = L × log₂(R). E is the password's entropy in bits, R is the pool of unique characters that could appear in your password, and L is the length of the password in characters. That may be a bit abstract, so think of it like this.
Assume your password is MyD0gg19. First, this is a terrible password. Many people habitually use passwords of the form dictionary word + dictionary word + memorable number, swap a couple of letters for numbers, and call it done. But, back to MyD0gg19. The pool R is 62: 26 lowercase letters, 26 uppercase letters, and 10 digits. L is 8, because MyD0gg19 is 8 characters long.
Log₂(62^8) = 47.63 bits of Entropy.
Current wisdom places the desired entropy at 60 bits or higher. This is why services set a minimum password length and require numbers and symbols: each additional character set enlarges the pool R, and each additional character multiplies the number of possible combinations by R. Length is the cheaper way to add bits: going from 8 to 9 characters adds about 6 bits, while adding the 32 keyboard symbols to the pool of an 8-character password adds about 5. Keep in mind that the formula assumes every character was chosen at random from the pool. A password built from two words and a number is guessed from a far smaller space than 62^8, so 47.63 bits is the most MyD0gg19 could be worth, not what it is actually worth to a cracker.
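As an added illustration (example code written for this edit, not part of the original post), here is the formula above turned into a small Python calculator. It derives R from the character classes a password actually uses, computes E = L × log₂(R), and, for contrast, estimates what MyD0gg19 is worth to a cracker who assumes the word + word + number pattern. The 5,000-word dictionary and the 2 × 2 capitalisation/leet variants in that estimate are assumptions made for the example, not figures from the post; the 7,776-word list is the size of the standard Diceware list.

```python
import math
import string
from typing import Iterable

# Character classes a site typically counts toward the pool R.
# string.punctuation holds 32 symbols, so the full pool is 26 + 26 + 10 + 32 = 94.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}


def pool_size(password: str) -> int:
    """R: the combined size of every character class the password draws from."""
    used = set(password)
    return sum(len(chars) for chars in CLASSES.values() if used & chars)


def entropy_bits(password: str) -> float:
    """E = log2(R^L) = L * log2(R), the post's formula.

    This is an upper bound: it assumes every character was picked uniformly
    at random from the pool, which is not how people pick passwords.
    """
    r = pool_size(password)
    if r == 0:
        return 0.0
    return len(password) * math.log2(r)


def guess_space_bits(choices: Iterable[int]) -> float:
    """Entropy of a password assembled from independent choices (e.g. two
    dictionary words and a two-digit number), as a cracker who knows the
    pattern sees it: the sum of log2 of each choice's number of options."""
    return sum(math.log2(c) for c in choices)


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn at random from a list of `wordlist_size`
    words (7776 is the size of the Diceware list)."""
    return guess_space_bits([wordlist_size] * words)


if __name__ == "__main__":
    for pw in ["MyD0gg19", "MyD0gg19x", "MyD0gg1!", "correcthorsebatterystaple"]:
        print(f"{pw:28} R={pool_size(pw):3d} L={len(pw):2d} E={entropy_bits(pw):6.1f} bits")
    # Assumed cracker model for MyD0gg19: two words from a 5,000-word list,
    # a two-digit number, and 2 x 2 variants for capitalisation / leet swaps.
    print(f"MyD0gg19 seen as a pattern:  {guess_space_bits([5000, 5000, 100, 2, 2]):.1f} bits")
    print(f"five random Diceware words:  {passphrase_bits(5):.1f} bits")
```

Run it and the contrast is the whole point of the section: MyD0gg19 scores 47.6 bits by the formula but only about 33 bits against an attacker who knows the pattern, while five random dictionary words clear the 60-bit bar with room to spare.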
The Algorithm
We cannot discuss password security without addressing the elephant in the room: the password hashing algorithm. A hash function takes the password, runs it through a one-way transformation, and produces a fixed-size digest, a kind of fingerprint of your password. The same password run through the same algorithm always produces the same digest, and different passwords produce (with overwhelming likelihood) different digests. These functions are designed to be one-way and irreversible, but that does not make them foolproof: anyone who can run the function can still guess inputs and compare the outputs.
So, when you log in to a service by password, that password is sent (hopefully over an encrypted connection, i.e. HTTPS) to the server, transformed with the hashing algorithm, and compared against the hash of your password that was stored in the service's database when you set it. Your actual password should never be stored in plain text anywhere. If you must write your passwords down for memory reasons, write them in an actual paper notebook and keep that notebook somewhere secure. Alternatively, a password manager app may be an option. However, it's important that you trust the company you've given the privilege of protecting your online life.
When a service's database is breached, these password hashes are what gets stolen, along with any personal information that can be linked to them. Attackers then determine the algorithm used to construct the hashes, set it up in their own cracking environment, and start hashing candidate passwords, comparing each result against the stolen hashes until one matches. At that point, it's just a matter of logging in with the recovered credentials.
How long does it take? That depends on a few things. We discussed password entropy, which is the user’s part of the equation. Higher entropy means a larger number of potential character combinations that your password could be. The other side of it is the hashing algorithm itself. This is server side, and entirely the responsibility of the service provider.
Hashing algorithms have different time costs: how long it takes the computer to transform the plain-text password into its hash. The higher this cost, the longer it takes an attacker to cycle through candidate passwords. Not all hashing algorithms are created equal. A single consumer GPU can compute billions of fast hashes per second, so a good password hashing algorithm MUST have a high time cost, and ideally a high memory cost as well, so that guessing cannot be cheaply parallelised on GPUs or custom hardware.
Fast algorithms like SHA-256 or SHA-512 are terrible for password hashing precisely because of their efficiency: against a list of weak or commonly used passwords, a brute force attack on them takes mere minutes or hours. Algorithms with an adjustable work factor, by contrast, let the service provider decide how expensive a single guess is and raise that cost as hardware improves, pushing an exhaustive search on a decent password to hundreds or thousands of years. Examples are Argon2, bcrypt, and scrypt. All three are used with a unique random salt per password, so two users with the same password get different hashes and an attacker cannot precompute a table of hashes or test one guess against every account at once.
Unfortunately, the take-away from this is that you cannot rely on the service provider to have used an adequate algorithm to hash your password, especially if the service is old and has not migrated from an outdated one. A long random password with 78 bits of entropy still holds up to brute force even under a fast hash, because 2^78 guesses is a lot of guesses; but anything shorter, pattern-based, or already on a breach list might as well be plain text the moment the database leaks.
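The difference between a fast unsalted hash and a slow salted one, as an added example written for this edit (not the original post's code, and not any particular service's implementation). Using only Python's standard library, it stores passwords both ways, verifies a login against the scrypt record, and runs the dictionary attack described above against a constructed table of leaked SHA-256 hashes. The scrypt parameters and the six-entry "common passwords" list are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# --- The weak way: a fast, unsalted general-purpose hash ---------------------


def sha256_unsalted(password: str) -> str:
    """What an outdated service might store: one SHA-256 per password, no salt.
    Same password -> same hash, and billions of guesses per second are cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- The slow way: scrypt with a per-user random salt and a tunable work factor
# Parameters are an assumption for this example. N is the CPU/memory cost and
# should be raised as hardware improves; these settings use 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def scrypt_hash(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest (hex fields),
    so the parameters can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown hash scheme")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- What an attacker does with a leaked table of unsalted hashes ------------

# Constructed stand-in for the "commonly used" lists attackers try first.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "MyD0gg19", "dragon"]


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Map username -> recovered password. Because there is no salt, each
    candidate is hashed once and matched against every account at the same time."""
    lookup = {sha256_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate of a hash function, for comparison only."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed leaked table: two users happen to share a password.
    leaked = {"alice": sha256_unsalted("MyD0gg19"),
              "bob": sha256_unsalted("MyD0gg19"),
              "carol": sha256_unsalted("7kQ!p2vL#x9")}
    print("identical unsalted hashes for alice and bob:", leaked["alice"] == leaked["bob"])
    print("cracked:", crack_unsalted(leaked, COMMON_PASSWORDS))
    rec1, rec2 = scrypt_hash("MyD0gg19"), scrypt_hash("MyD0gg19")
    print("same password, different scrypt records:", rec1 != rec2)
    print("verify right password:", scrypt_verify("MyD0gg19", rec1),
          " wrong password:", scrypt_verify("MyD0gg18", rec1))
    print(f"sha256: {guesses_per_second(sha256_unsalted):,.0f} guesses/s on one core, "
          f"scrypt: {guesses_per_second(scrypt_hash):,.1f} guesses/s")
```

The last line is the server-side half of the equation in one number: a single CPU core manages on the order of a million SHA-256 guesses per second (a GPU, thousands of times that) but only a handful of scrypt guesses, and the service, not the attacker, chooses that ratio. Note also that carol's password is not recovered: with no salt the attacker still has to guess it, and a password off the common lists is not guessed for free.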
A Compromised Position
Attackers keep lists of commonly used and previously breached passwords. These are checked first, as they’re a much smaller subset to test and people are surprisingly predictable. HaveIBeenPwned and ProxyNova make information about account breaches as well as lists of the top most frequently used passwords available to the public. This is to provide potential victims a method of looking themselves up, as well as offering a cautionary example to those who are yet vulnerable.
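HaveIBeenPwned also exposes its password list through the Pwned Passwords range API, which lets you check a password without sending it anywhere: only the first five hex characters of its SHA-1 go to the server, and you compare the returned suffixes locally. The following added example (written for this edit, not code from HaveIBeenPwned) implements that check in Python. The live fetch against the documented endpoint is included, but the demonstration runs offline against a constructed response whose suffixes and breach count are made up for the example.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Uppercase hex SHA-1 of the password, split into the 5-character prefix
    that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Return how many times the password appeared in breaches (0 if absent).
    Each response line is 'SUFFIX:COUNT'; padded responses may contain ':0' lines."""
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live query; only the 5-character prefix leaves your machine."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """k-anonymity check: send the prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range. The response is constructed for the
    example: two made-up suffixes plus the real suffix of 'password' with a
    made-up count, in the CRLF-separated format the API uses."""
    _, pw_suffix = sha1_prefix_suffix("password")
    return "\r\n".join([
        "0" * 34 + "1" + ":1",
        f"{pw_suffix}:1234567",
        "F" * 35 + ":0",
    ])


if __name__ == "__main__":
    for pw in ["password", "zq9!Vw2#Lp"]:
        print(f"{pw!r}: seen {breach_count(pw, fetch=constructed_fetch)} times (constructed data)")
    # To query the real service instead, drop the fetch argument:
    #   breach_count("password")
```

Any count above zero means the password is on the lists attackers try first, whatever its entropy on paper, and should be retired.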
This last note should go without saying, but I've seen it too many times: do not re-use passwords. Every password for every account should be unique. If you re-use passwords, a single breached database can be the reason your financial account was compromised, because attackers replay leaked username and password pairs against every other site they can think of (credential stuffing).
The main thing you should take from all of this is that a password is helpful, but equivalent to a bicycle lock. Whatever you set the combination to, you're still trusting that someone won't come along with a pair of sufficiently sturdy bolt cutters and rip you off. In our next post we'll discuss multi-factor authentication, or how to turn that bicycle lock into a bank vault.
Author: Amara
Date: 2/10/2025