Why you really, REALLY shouldn’t reuse passwords
By Dmitry Pleshkov
It’s not hard to figure out why it’s a bad practice to use the same password for log-ins across multiple sites – after all, if someone were to get ahold of that one password, they would easily be able to log into not just one, but all the accounts you used the same password for. And yet, many people still practice this – a survey conducted by Google in early 2019 found that 52% of people reuse at least one password for multiple sites and that 13% of people use the same password for all of the sites they have accounts on. This article seeks to explain how users’ passwords are typically stored and stolen, and demonstrates how easy it is for a hacker to get access to all your other accounts if you reuse a password for them.
How are passwords stored?
In order to successfully log you into your account when you enter the right password, and deny the login when you enter the wrong one, a site obviously needs to store your password in some way. There are four big ways to do that, the last of which is the most secure:
- Plaintext: Storing a password in plaintext (its original form) certainly will get the job done. In the case of a cyber-attack, however, if a hacker gains access to the password database, they won’t need to do any extra work in order to recover the actual password.
- Two-Way Encryption: Encrypting the password is the next logical step. With the password encrypted, even if the hacker gains access to the password database they would still need to decrypt the password – and if done right, such a task would be impossible without the decryption key. If the hacker gains access to the decryption key, however, it’s game over.
- Hashing: You can think of hashing as a one-way encryption process. You can get the hash from the password, but you can’t get the password from the hash. This is perfectly fine in this situation – sites only need to compare your entered password to the real one in order to log you in, and nothing else. Hashing is built from non-reversible operations – for example, taking the division remainder of a number. You can’t tell the original number from the remainder, but you can tell the remainder from the number. It is important for a hash function to be complex and intricate so that it is difficult for a potential hacker to reverse-engineer it. Unfortunately, simply hashing passwords this way makes the whole dataset vulnerable to something called a “rainbow table attack”, which will be explained later on. A way to add even more security to hashing passwords is to use a technique called salted hashing.
Hashing is a one-way encryption process that is useful if something needs to be securely stored for the sole purpose of comparison (i.e. password validation).
- Salted Hashing: Salted hashing is like regular hashing except that another unique set of characters, called the “salt”, is added to the password every time it gets hashed. The salt is unique to every account created. What this does is force the hacker to brute-force each password individually – and it prevents rainbow table attacks. Unfortunately, this setup still isn’t perfect – given enough time, hackers can still, in some cases, decipher the set of passwords – it’s just that this setup makes the task take even longer, as the hackers need to brute-force each password individually.
While seemingly simple, using salted hashing makes password cracking much, MUCH harder.
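To make the difference between the hashing and salted-hashing options concrete, here is an added Python example (my own illustration, not code from the article) that stores a password both ways and verifies a login against the salted record. It uses Python’s standard library only; the PBKDF2 iteration count and 16-byte salt length are assumptions chosen for the example, not values the article gives.

```python
import hashlib
import hmac
import secrets

# Assumed tuning for this example: enough PBKDF2 iterations that one guess
# costs noticeable CPU time, and a 16-byte random salt per account.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_unsalted_hash(password: str) -> str:
    """Plain (unsalted) hash. One-way, but two users with the same password
    get the same record, and a precomputed table of popular passwords
    cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted_hash(password: str) -> str:
    """Salted, deliberately slow hash. A fresh random salt per account means
    two users with the same password get different records, so each record
    has to be attacked on its own."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # The salt is not a secret: it is stored next to the hash so that the
    # same computation can be repeated at login time.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare it to the record."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unrecognised record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a failed login does not leak how many
    # bytes of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two accounts that happen to share a password.
    print("unsalted alice:", store_unsalted_hash("password123"))
    print("unsalted dave: ", store_unsalted_hash("password123"))  # identical record
    record = store_salted_hash("password123")
    print("salted alice:  ", record)
    print("salted dave:   ", store_salted_hash("password123"))  # different record
    print("login ok:", verify_salted_hash("password123", record))
    print("login bad:", verify_salted_hash("password124", record))
```

Run it and note that the two unsalted records are identical while the two salted ones differ; the stored record carries the algorithm name, iteration count and salt so that the parameters can be raised later without breaking existing logins.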
How and why are passwords stolen?
There is a common misconception that you’re not in danger of being hacked unless you’re particularly famous, wealthy, or in a position of authority. This is not true. Have a Netflix account? Boom, you’re already a valuable target to a hacker – there exists a market where such accounts are illegally sold at cheaper-than-normal prices.
Passwords are typically stolen by gaining access to the computer system(s) where the passwords or their hashed/encrypted forms are stored. There are hundreds, if not thousands of ways this can be done, ranging from outright physically sneaking into a database to bribing one of the system admins for the credentials to the hacking you see in movies, where a security vulnerability is exploited to execute some malicious code. Once the passwords are obtained, however, the processes to decipher them are usually pretty straightforward.
If the passwords were stored in plaintext, no work needs to be done. If the passwords were encrypted to be retrievable (two-way encryption), then the decryption key needs to be found in order to decipher the passwords to their original form.
If the passwords were hashed, but not salted, then the hackers can utilize a technique called a “rainbow table attack”. What they would do is attempt to reverse-engineer a hash function by comparing the statistically most popular passwords (e.g. “12345”, “password123”) to the most popular hashes in the dataset, which would then provide a somewhat reliable set of input/output combinations that could be used to make a pretty good guess on what the hash function does. Then, hackers can pre-compute a bunch of hashes for a bunch of popular passwords, and look over the entire dataset to see if there is a match. Usually, there are several.
If the passwords were salted, with a good hash function and a random salt, then it is very, very hard to crack a large amount of them. Rainbow table attacks wouldn’t work as effectively – while several users may have used the same password, the salts the website generated for each of them differ. So, instead of just pre-computing one hash for each password candidate, the attack has to compute all the likely password hashes for each user – as the salt, if done right, is always unique. This doesn’t make cracking impossible, but it sure makes the process take much, much longer.
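The two paragraphs above can be demonstrated with a small added Python experiment (my own illustration, not the article’s code). It models the simplified attack the text describes – hash a list of popular passwords once, then look every leaked hash up in that table – rather than a full chained rainbow table, and it counts how many hash computations the attacker needs against an unsalted versus a salted database. The user list, the passwords and the short “popular passwords” list are all constructed sample data, not real breach data.

```python
import hashlib
import secrets

# Constructed sample accounts; some users picked popular passwords.
USERS = {
    "alice": "password123",
    "bob": "12345",
    "carol": "correct horse battery staple",
    "dave": "password123",
}

# Constructed stand-in for a list of statistically popular passwords.
POPULAR = ["123456", "password", "12345", "password123", "qwerty", "letmein"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_unsalted_db() -> dict:
    """user -> sha256(password). Alice and Dave end up with identical hashes."""
    return {user: sha256_hex(pw.encode("utf-8")) for user, pw in USERS.items()}


def build_salted_db() -> dict:
    """user -> (salt_hex, sha256(salt || password)) with a random salt per user."""
    db = {}
    for user, pw in USERS.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt.hex(), sha256_hex(salt + pw.encode("utf-8")))
    return db


def precomputed_lookup_attack(hashes_by_user: dict) -> tuple:
    """The simplified rainbow-table idea from the text: precompute the hash of
    each popular password once, then match it against every leaked record.
    Returns (cracked users, number of hash computations performed)."""
    table = {sha256_hex(pw.encode("utf-8")): pw for pw in POPULAR}
    cracked = {user: table[h] for user, h in hashes_by_user.items() if h in table}
    return cracked, len(POPULAR)


def per_user_guessing(salted_db: dict) -> tuple:
    """With salts the shared table is useless: every guess must be re-hashed
    with each user's own salt, so the work grows with the number of users."""
    cracked = {}
    work = 0
    for user, (salt_hex, h) in salted_db.items():
        salt = bytes.fromhex(salt_hex)
        for pw in POPULAR:
            work += 1
            if sha256_hex(salt + pw.encode("utf-8")) == h:
                cracked[user] = pw
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_db()
    print("unsalted, table lookup:", precomputed_lookup_attack(unsalted))

    salted = build_salted_db()
    # The table is built from unsalted hashes, so it matches nothing here.
    print("salted, table lookup:  ", precomputed_lookup_attack({u: h for u, (_, h) in salted.items()}))
    print("salted, per-user work: ", per_user_guessing(salted))
```

The same three weak passwords fall either way, but the precomputed table costs six hash computations for the whole unsalted database, while the salted database needs a fresh run of the popular list for every user (17 computations here, and proportionally more with a real user base and a real wordlist). Using a slow, salted algorithm such as PBKDF2 or bcrypt instead of raw SHA-256 multiplies that per-user cost again.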
So, why shouldn’t I reuse passwords?
Suppose you reuse the same password for your Google account and some account you just happened to make on some obscure, lesser-known website X. Now, it is highly unlikely that your password will get breached in a data leak from Google, as the company spends millions of dollars on cybersecurity. Instead, it is more likely that it will be exposed in a data leak from the more obscure website X, as the developer of that site is less likely to spend a lot of effort on cybersecurity – but the password for your account on that site can now also be used to log into your Google account. So, by reusing a password, you’re basically increasing the likelihood it will get compromised – as there are more places where that password is stored. Remember: sites aren’t obligated to securely salt and hash your password with a strong hash function – a site could store your password in plaintext and you wouldn’t know until there’s a data breach.
A very useful site to check if your password has been compromised in a data breach is haveibeenpwned.com.
HaveIBeenPwned tells you what sites your credentials got breached on, so you know what sites to change your password on. You can also subscribe to get email notifications if a breach with your info in it is detected.
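As an added example of how such a breach check can be done without handing over the password itself (my own illustration, not code from the article or from HaveIBeenPwned): the Pwned Passwords range service at https://api.pwnedpasswords.com/range/<prefix> takes only the first five hex characters of the password’s SHA-1 hash and returns every known suffix under that prefix with a breach count, so the full hash is matched locally. The block below implements that client-side logic, but instead of calling the real service it parses a constructed response built from a tiny made-up corpus, so it runs offline; the corpus and its counts are invented.

```python
import hashlib
import secrets
from typing import Callable


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """Pwned Passwords convention: 5-character prefix, 35-character suffix."""
    return full_hash[:5], full_hash[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often `password` appears in the corpus behind fetch_range
    (0 if never). Only the 5-character prefix is handed to fetch_range; the
    suffix comparison happens here, so neither the password nor its full
    hash leaves this process."""
    prefix, suffix = split_hash(sha1_upper(password))
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the real breach corpus (invented passwords/counts).
CONSTRUCTED_CORPUS = {"password123": 123_456, "12345": 2_345_678, "letmein": 1}


def constructed_fetch_range(prefix: str) -> str:
    """Simulates a range response: 'SUFFIX:COUNT' lines for every corpus entry
    whose hash starts with `prefix`, padded with random suffixes so the
    response looks like the real service, which returns hundreds per range."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    for _ in range(3):
        lines.append(f"{secrets.token_hex(18)[:35].upper()}:{secrets.randbelow(50) + 1}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple"]:
        n = pwned_count(candidate, constructed_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

To use it against the live service you would pass a `fetch_range` that performs the HTTP GET for the prefix and returns the response body; the rest of the logic is unchanged, and the password still never leaves your machine.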
What should I do instead?
Make good passwords. By good, I mean “0K46Nxa6Yntv” type good. But that’s hard to memorize! You don’t have to memorize it. Use a password manager. Plenty of password management options exist out there, ranging from sophisticated apps such as LastPass or 1Password to writing down your password on a piece of paper and locking it in your desk drawer. In fact, most browsers today have a password manager already built in – they memorize passwords for you and fill them in automatically, and they now also offer to generate a random password for you every time you make a new account. Password managers tend to encrypt the passwords for you and ask you to set a “master” password that is used to decrypt them if you want to look one up. For this, you probably want to set it to something memorizable, but long, so that it is still secure.
Here’s Chrome offering to generate a random password for you. It’s usually a good idea to accept – Chrome is pretty reliable at memorizing your passwords and syncing them between your devices.
So, in summary:
- It’s a bad idea to reuse passwords across websites.
- Hashing is a one-way encryption technique that is useful if you only need to compare two pieces of text, making it perfect for password validation.
- Rainbow table attacks can be used to crack many hashed passwords.
- Adding a unique salt to each user password makes cracking passwords much, much harder.
- HaveIBeenPwned is a useful site to check if your password has been compromised.
- Using a password manager makes it easy to memorize and generate random and secure passwords.