A password is a secret word, phrase, or combination of characters used to gain access to a computer system, network, file, program, or website. Passwords are a critical aspect of computer and internet security, acting as a line of defense against unauthorized access.
How Passwords Work
Passwords work by requiring a user to provide a secret code to authenticate their identity and gain access to a protected system or resource. The system stores an encrypted version of the correct password for that user account. When the user inputs a password, the system encrypts the entered password and compares it to the stored encrypted version. If they match, the user is granted access.
This system relies on two main principles:
Something you know: The password itself. The user must know the correct password in order to gain access.
Encryption: Storing passwords in an encrypted format protects them from being read or used by anyone other than the authorized system itself. Popular encryption methods include bcrypt, scrypt, and PBKDF2.
Encryption Methods
Various encryption algorithms are used to protect stored passwords from plaintext attacks:
Bcrypt: An adaptive hash function based on the Blowfish cipher. Introduces random salts and variable work factors to combat brute force attacks. Works for passwords up to 72 characters.
Scrypt: Designed to be CPU and memory intensive via sequential memory-hard functions. Offers configurable block sizes and CPU/RAM cost tuning.
PBKDF2: Applies pseudorandom functions like hash-based message authentication codes (HMAC). Configurable iteration counts raise computing resources needed to test passwords.
Argon2: Winner of 2015 Password Hashing Competition. Uses data-depending memory-hard functions to thwart ASIC/GPU cracking attempts. Provides fine tuning of three parameters – time, memory and parallelism.
Proper configuration tuning requires balancing security and performance to frustration-proof login processes. As computing power grows, work factors and iteration counts should be increased.
Creating Strong Passwords
A strong password is long, random and unique:
- Length: Use at least 12 characters if permitted. Longer is better.
- Randomness: Include uppercase, lowercase, numbers and symbols in random order.
- Uniqueness: Do not reuse passwords across accounts. Separate passwords protect other accounts if one is compromised.
Weak passwords made up of dictionary words, names, dates, keyboard patterns or other easily guessable combinations should always be avoided as they are vulnerable to brute force attacks.
Random Password Generator Tools
Manually creating and remembering entirely random passwords for every account quickly becomes unscalable for most internet users. Password manager tools and operating systems often include built-in random password generators to create strong, unique passwords automatically.
Native generators in password managers like LastPass, Dashlane and Bitwarden integrate directly with password storage to enable seamless, secure password handling. Browsers, Microsoft Windows and Apple OSes also include password generation tools accessible under account settings or login screens.
Third party open source generators like Password Generator Plus and KeePassXC offer additional customization around character sets and configurations for system-level integration. Some password managers allow using third party generators when more control over formats is desired.
Industry Password Usage Stats
Despite widespread consensus among cybersecurity researchers on password best practices, many users and IT departments still take shortcuts that dramatically weaken account security:
52% of people reuse passwords across multiple sites according to a 2021 LastPass survey of over 54,000 respondents across 5 countries.
The average person has 100 passwords yet only remembers about a quarter of them based on various industry estimates.
Only 10-30% of internet users are estimated to use a password manager tool for convenience and security.
91% of hacking breaches involved leveraging stolen or guessable passwords according to Verizon‘s 2020 Data Breach Investigations Report.
Lax password hygiene remains rampant despite clear risks to personal reputations, company data, customer privacy and national security.
Password Reuse Remains Prevalent
A 2021 LastPass survey found 52% admitted reusing passwords across sites, actually slightly worse than 2020. With over 100 average passwords to manage and recall, users gravitate toward simplicity and familiarity over security when creating new credentials if not relying on generators.
Weaknesses with password reuse include:
- Compromise of one account often grants access to email, financial, social media, shopping and other accounts.
- "Password spraying" attacks quickly attempt one stolen password across many sites.
- Lost phones or laptops provide a treasure trove of password hints stored in browsers.
For organizations, widespread password reuse enables single intruders to pivot across networks and critical infrastructure once inside, escalating localized breaches into systemwide compromises affecting millions.
Most Breaches Leverage Weak Passwords
The vast majority of hacking attacks leverage stolen passwords or password guessing rather than exploiting software vulnerabilities. According to Verizon‘s influential annual data breach report:
- 83-91% of breaches over the past 8 years involved leveraging weak or stolen passwords.
- Only 3-8% of breaches exploited software, hardware or protocol weaknesses.
- Almost half of breaches featured phishing to harvest passwords.
Yet outdated habits like forced password changes, complexity rules and password reuse remain common, especially in highly regulated industries like banking and healthcare where milquetoast compliance supersedes true security.
IoT and Embedded Systems Challenges
Integrating passwords into constrained environments powering emerging categories like Internet of Things devices and embedded systems proves challenging. With limited UI, storage, power and computing resources, security often suffers:
- Default or hardcoded passwords abound that users never change.
- No password managers integrate to automate unique credentials.
- Lack of peripheral hardware restricts multifactor authentication.
- Weak CPU/memory resources limit encryption protections.
Firmware access protocols like MQTT and CoAP offer granular topic-based permissions but take special care to implement securely. Security should be part of foundational product design given updating dispersed embedded devices poses substantial headaches.
How Password Hashing Works
Cryptographic password hashing converts plain text passwords into fixed-length digests that cannot be feasibly reversed – unlike encryption algorithms. Hashing allows matching entered credentials without ever storing passwords in recoverable formats.
Key attributes of hashing algorithms like bcrypt and scrypt include:
- One-way computation: Cannot be reasonably reversed to find original input.
- Same input yields same hash: Unique fingerprints for each input string.
- Variable output: Wide range of possible hashes for each unique password.
- Tiny changes cascade: Even minor changes in input string produce wildly different hashes.
Additional considerations around hashing protocols and configurations include:
- Salts: Random bits appended to passwords before hashing to generate unique hashes even for duplicate passwords.
- Work factors: Key adjustment to raise computing resources for each hash calculation to slow brute force attempts.
- Adaptive algorithms: Functions like bcrypt and scrypt self-tune based on available computing power.
Following best practice configs for reputable hashing algorithms thwarts all but the most sophisticated brute force attacks. Programmers should stay abreast of emerging recommendations as computing capabilities perpetually advance.
Password Strength Concepts
Two key measures determine password strength – entropy and length. Both relate to the permutations possible within employed character sets.
Entropy
In information theory, entropy defines the randomness within stored data. Higher entropy data appears more chaotic and encrypted. For passwords, character sets impact measurable information entropy where entropy grows alongside set size and uniformity of character probability distribution.
Adding different character types where numbers, symbols and mixed case letters have equal likelihood across all positions raises measurable entropy and strength. Entropy can be mathematically modeled based on set size and equitability per Claude Shannon‘s seminal 1948 paper which founded information theory.
For a set of N possible symbols with each symbol having equal probability p=1/N, the formula to calculate entropy in bits is:
Entropy (bits) = Log2(N) bits per symbol * length in symbols
So a password using lowercase letters only (N=26) and length 10 has entropy:
Entropy = Log2(26) * 10 = 4.7 bits * 10 symbols = 47 bits
Compare that to a base64 set using 64 characters increases entropy to:
Entropy = Log2(64) * 10 = 6 bits * 10 symbols = 60 bits
Opting for 100 lowercase ASCII letters raises it slightly higher to Log2(100) = 6.64 bits per symbol.
Length
Password length in symbols directly factors into total entropy, making longer passwords exponentially stronger. Each added character increases the possible permutations a password cracker must test. For example 12 vs 20 lowercase letters:
26^12 = 2.83 * 10^21 possible passwords26^20 = 5.34 * 10^33 possible passwords
So 20 random lower case letters offers over 10 trillion times more combinations than just 12 letters. Even adding just 8 more characters proves the difference between easily crackable and virtually uncrackable for modern techniques and computing.
Industries with Poor Password Practices
Cybersecurity varies substantially by industry, with some far outclassing others. Sectors renowned for subpar password practices include:
Healthcare
Notoriously plagued by rampant password reuse, weak credentials and lack of multifactor protections. 71% of hospital tech specialists reported using one password across multiple applications according to Spiceworks. HIPAA compliance focuses more on privacy policies than access controls. Medical devices often have hardcoded passwords unchanged for years.
Education
K-12 and higher education lean on simple passwords across various learning apps and platforms while lacking resources for sophisticated controls. Weak passwords led to many of the 300 publicly disclosed school data breaches between 2016-2018.
State & Local Governments
Fragmented systems, dated technologies and budget constraints hamper civic cybersecurity. Many governments still use trivial access codes vulnerable to automated attacks. Common pain points include poor identity management infrastructure and lack of talent/resources to make security a priority.
Hospitality
Guest Wi-Fi access represents a major attack vector at hotels and resorts. High employee turnover and cost sensitivities often undermine making passwords and network security a central focus. Failures become brand damaging PR events.
Retail & Restaurants
Constantly connected point-of-sale (PoS) systems offer targets to harvest credit card data. Franchise tech standards may severely lag current best practices. Using PoS devices on store Wi-Fi further exposes access credentials via man-in-the-middle attacks.
Hardware Password Managers
For certain threat models, network-connected password managers pose unacceptable risks despite extremely robust protections in reputable offerings. Hardware password managers store credentials offline in encrypted physical devices unlocked by master passwords or FIDO keys. Leading options include:
YubiKey Bio – FIDO2 hardware key with fingerprint sensor for biometric authentication, NFC and USB connectivity. Supports various credentials.
OnlyKey – Portable USB device for digitally storing identities, encryption keys and long passwords. Features physical touch sensors to copy credentials which never touch host devices.
** Password Safe – Credit card sized gadgets providing password generation and military grade encryption with no digital networking components.
Physically immutable hardware password managers eliminate attack vectors targeting networked systems and cloud sync vulnerabilities that persist across even reputable software managers. However, they still carry risks of physical theft, hardware failure, and user error. For better usability at marginally higher exposure, modern cross-platform password manager apps offer robust protections for the vast majority of consumer and business contexts.
Passwordless Authentication
The growing availability of biometrics sensors on smartphones, laptops and USB security keys coupled with smarter behavior analysis is enabling true passwordless authentication powered by FIDO2/WebAuthn protocols. Capabilities include:
Facial recognition – Using device cameras for login confirmation without passwords.
Fingerprint – Registered fingerprint scans unlock accounts and confirm transactions.
Security keys – External FIDO hardware keys tap to access accounts.
Behavioral biometrics Using patterns in how users type and scroll to silently verify identity transparently.
FIDO2 passwordless capabilities increasingly protect Microsoft, Google, Facebook and various fintech accounts/apps leveraging built-in biometrics, eliminating cumbersome passwords. As more decentralized identity options emerge for owned user credentials rather than platform-dependent features, passwordless access stands to become ubiquitous.
Conclusion
As computing evolves, passwords face growing weaknesses from exponentially increasing attack speeds and data sharing risks across emerging IoT devices. While vigilant password hygiene and multifactor authentication offer substantial protections for now, ubiquitous biometric sensors and hardware-secured decentralized identity management herald the dawn of truly passwordless technology ecosystems.
Rather than a liability to endlessly defend, identity may transform into an owned asset ushering convenience and choice for users while undermining entire attack categories. As passwords fade to history, user-managed credential security shifts closer to future paradigms from science fiction like access tokens, implants and biometrically-sealed smart contracts.
