Ludovic Frank - Freelance developer

Passwords... A real headache, but why shouldn't we use the same one everywhere?

ionicons-v5-k Ludovic Frank Feb 16, 2021
82 reads Level: Confirmed beginner

It's a widespread practice, and understandably so: dozens or even hundreds of different passwords to remember, it's complicated.

Nevertheless, you should be aware that it's a very bad practice that can one day turn against you, and as I say, prevention is better than cure.

How are passwords entered on sites and applications?

Before we understand why it's a bad idea to use the same password everywhere, we need to understand how and/or where your passwords are stored.

What happens when you register on a website?

When you register on a website or an application, you fill in your details and there's always the password moment, where you provide the password you want. To check that the password is the right one the next time you log on, the site needs to save it in its database so it can recognize you later.

If the site is correctly designed, it should not know your password... but this is not always the case. Before saving your password, properly designed software performs what is known as "hashing" with your password.

What is password hashing?

Hashing involves using an algorithm to irreversibly (and therefore destructively) transform your password, the result of which is called a "hash".

Roughly speaking, this means that you can easily find the hash of a word, but if you only have the hash, you can't find the word.

For example, if we transform the word "Ludovic" using the SHA-1 hash algorithm, we get ça "7eb3f2fd9d46241cc43fdea76bafc026a80f7b12", isn't that beautiful?

Here I've taken a very simple hash method, there are much more advanced ones, but this allows you to see what your database password looks like.

You wouldn't normally know that "7eb3f2fd9d46241cc43fdea76bafc026a80f7b12" corresponds to "Ludovic" (well, now you know ... ) except that, in fact, if there are methods ...

Is password hashing infallible?

No, there you have it!
To hash a password, there are many different methods (algorithms, in fact), which evolve over time. For example, in the 2000s, the most common was the md5 algorithm, which was used for password hashing.Today, it should not be used at all, as it is no longer secure at all, as it is easily possible to find the word to which an md5 "hash" corresponds, in two ways: brute-forcing and hash databases.

What is brute-forcing on a hash?

When md5 was the standard, our computers and servers were capable of far fewer operations per second.today's machines have nothing to do with what they were back then (just imagine, the smartphone in your pocket is far more powerful than the big servers of the 2000s - how crazy is that?).

The brute force method is very simple: we know the hash, we look for the original word, then we enter the hash into a computer and it tests all possible letter combinations, hashes these combinations, looks at the result of the operation and compares it with the hash we know. If both match... he's found the password.

And now you're thinking "yes, but it can't do many tests per second..." in fact, that's where it gets funny, in 2008 a graphics processor could do 350... million tests per second, so imagine today...

What's more, in the future, quantum computers will explode the number of tests possible per second...

What is a hash database?

Over time, brute-force techniques have created large databases of hashes and passwords, numbering in the tens or hundreds of gigabytes.The use of these databases is very simple: just supply the hash, and if the corresponding result is found in the database, the password is displayed in a few milliseconds.

How can hashes be better protected?

To begin with, hash algorithms evolve over time. I've deliberately taken md5 as the example above, as it is clearly obsolete today.

The grain-of-sand method.

And now you're thinking "What's this, we're putting sand on the server?", but not really, but it's an idea like any other after all.

The idea is to make the original word more complex by adding characters to it.

If, for example, we take the word "Ludovic", as we saw earlier, it's very easy to find this password.

Now let's imagine that, before "hashing" the word, we add characters before and after it, for example "$25b6_Ludovic_wC3bi#".we find the password in the middle and before and after we add characters, making the "original word" much more complex and therefore much harder to find.

Now that you know how a password is stored, it's time to move on to the second part of the problem: normally, a database isn't public... but sometimes there are "data leaks".

Database leaks.

It happens, and more often than you'd think. At the time of writing, there's a lot of news on the Internet about a leaked database of 3 billion Gmail e-mail addresses and passwords.

Leaks are often the result of a site or application being hacked.

This means that the "hash" database of these passwords is in the wild. So, depending on the algorithm used for the hash, it's more or less easy for unauthorized people to recover passwords.

What if you use the same password in several places?

Well, it's easy if one of the databases containing your password ("hashed" or not, as some companies still have passwords in clear text in their databases) ends up being leaked.

The person(s) who will have access to this database will have your e-mail address and your password. Do you see the problem if you use it elsewhere? The person(s) who will have access to the leaked database will therefore have access to a password that you use in several places, and therefore to several accounts.

How can I remember all my passwords?

Having lots of passwords is good for security, as this article explains.

Now, how can you remember all your passwords and have a different one for each service?

Very simply, there are what are known as password managers, and the cool thing is that some of them are free, like Keepass, so they're not expensive.

A password manager remembers your passwords for you, so you use what's called a master password, which only you know.

This master password is used to encrypt your password database, so a strong master password is recommended.

(It is possible to use keys in addition to the master password, but I want to keep things simple in this article).

Conclusion

In this article, I've tried to keep things as simple as possible in order to clearly demonstrate why using the same password in several places poses a real security problem. But exposing a problem is good, providing the solution is better!