My response to all this?
John Adams don’t give a shit about the PSN hack.
Why is that?
Chances are you have a few passwords for accounts to your e-mail, social media web sites, blogs, and maybe a forum or thirty. And if you’re like most people you’re probably using the same password for most, if not all, of those web sites. It’s probably a word like a pet’s name, a favorite sports team, or the name of someone you love. You may have even tacked a number onto the end of your password for reasons you’re not quite sure of, but do so because someone somewhere told you it made your password “better”. Born in August of 1976? You’ve probably used a password like “August76”. A Chicago Cubs fan? I bet you and a few hundred thousand others use something like “Cubs1908” as a password.
Your passwords are quite easy to guess. A little internet search of your name will quickly reveal all sorts of details (birth dates, relatives, pets’ names, etc.). It takes all the work out of gaining access to your internet accounts.
But perhaps you’re a little more clever than that. Maybe you’ve stuck a special symbol like a dollar-sign ($) or an ampersand (&) onto your password so password-guessing assholes couldn’t find your simple password. Wrong! There are all sorts of programs out there that specialize in automating password guessing by taking a base pattern (“Cthulhu28”) and adding special characters onto it, trying each one in turn (“Cthulhu28!”, ”Cthulhu28@”, ”Cthulhu28#”, …). Cracking tools call these “rules”, and the common ones (capitalize the first letter, append a symbol, append a year, swap i for 1) ship with the tool.
Congratulations! You’ve successfully delayed your account from being cracked by several minutes!
AH! But you’re actually very, very clever, aren’t you? You are not your parents’ password. You’ve found a combination of letters, numbers, and symbols that are (or at least appear to be) random. Perhaps you’ve discovered a favorite trick of mine in choosing a password. Create a phrase in your head and take the first or last letter in each word to make up your password. Maybe you substituted the letter I for the number 1 and the letter s with a dollar-sign ($).
“Honey Badger Don’t Give A Fuck!” would become “hbdgaf!”. Sure looks random and not something that can be quickly guessed. The only way someone is going to get your password is with a bit of brute force.
The example password “hbdgaf!” is 7 characters long. Figure 26 lowercase letters + 26 uppercase letters + 10 numbers + 10 symbols gives 72 possible values for each character of your password. The total number of possible passwords is the number of possible values for each character (72) raised to the power of the number of characters in the password (72^7), giving us about 10^13 (or 10 trillion) possible passwords. A typical consumer computer bought off the shelf a year or two ago (in other words, the thing you’re using to read this) will take about half a year of constant work to go through all possible passwords. (How long it really takes depends on what the attacker is actually guessing against: a fast hash like MD5 on a graphics card goes through guesses orders of magnitude faster than that, a deliberately slow hash like bcrypt orders of magnitude slower, and a login form that locks you out after a few tries slower still.)
That’s too much work to invest just to get into your crappy Facebook account. But this does show why many companies and universities require users to change their password at least twice a year. Someone motivated to crack your password is going to be very sad to discover you’ve changed your password after they just spent half a year cracking a password that no longer works.
Now let’s go back to the recent unpleasantness of the PSN hack. If you have a PSN account, the hash of your password was exposed. What the fuck is a hash? It’s not something you smoke, it’s a math formula. Your password is stuck into the formula and the result is a big-ass number that is unique (well… mostly) to your password. And for any decent hash there is no practical way to run the formula backwards and figure out the original input used to create the big-ass number; the only way to get it back is to guess inputs until one produces the same number.
Hashes make computer systems more secure because your password hash, and not the password, is what the computer system stores in its database. When you log into the system, the system will hash your password and compare that hash to what it has in its database; if they match, you get in. If the system is ever cracked, your actual password is at least not sitting there in plain text. (Unless the cracker sticks something into the system to record passwords as they come in, in which case you’re fucked! But let’s not worry about this more-likely scenario and stick to the theoretical masturbation I’m enjoying as I write this.)
There is, however, a way to defeat hashes. There are programs available that will generate hashes from dictionaries and/or brute force and compare each hash to the ones taken from the cracked system. Find a hash match and you’ve found the password for that account. But, again, this can take a very long time, especially if you’ve used a clever password. So we’re right back where we were, right?
The smart cracker is a smart cookie (but also a fucking stale cookie ’cause he’s a dick for breaking into the system in the first place) and uses rainbow tables. Rainbow tables are basically really big precomputed lists of hashes. (Strictly speaking a rainbow table stores chains of hashes rather than every single one, which is how it fits on disk, but the payoff is the same: the guessing was done once, up front.) Got a few terabytes of storage laying around? You too could generate your own rainbow table! These things are massive, but storage is cheap. Calculate a hash once, stick it into the table, and you never have to bother calculating it again. Get a few friends, or a few thousand online people working together, and it doesn’t take long to cover the ten trillion possible passwords in the example given earlier in the document. The one thing that kills this trick is a site that mixes a random per-user “salt” into each password before hashing it: nobody can precompute a table for a salt that didn’t exist yet, so every user becomes a fresh job. That still doesn’t save “Cubs1908”, though, because the cracker just runs the dictionary against your hash directly, and a weak password falls in seconds either way.
There are many freely available rainbow tables for download. There are also some places that allow you to simply input a hash and it’ll check its rainbow tables for you; no messing around with having to download all this data.
Suddenly this hash thing seems not so secure.
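To make all of that concrete, here is a small Python sketch. It is an added example, not code from this post, from PSN, or from any real cracking tool, and the wordlist, user names, passwords and “breach dump” in it are all made up. It stores bare SHA-1 hashes (the salt-free setup described above), cracks them with a precomputed hash-to-password table (the flat-list cousin of a real rainbow table, which stores chains instead), then shows what a random per-user salt does to the attack: the table finds nothing, but a dictionary run per user still recovers the weak passwords.

```python
import hashlib
import os

# Constructed sample data (not from the post or any real breach): a toy
# wordlist standing in for the multi-gigabyte dictionaries crackers use,
# and the suffixes the post describes attackers bolting onto a base word.
WORDLIST = ["cubs1908", "august76", "cthulhu28", "honeybadger", "password"]
SUFFIXES = ["", "!", "@", "#", "$", "1", "123"]


def mangle(word):
    """Generate the variations the post describes: case changes, the i->1
    and s->$ substitutions, and a trailing symbol or digit run."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.replace("i", "1").replace("s", "$") for b in bases}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def unsalted_hash(password):
    """What a site that stores a bare SHA-1 of the password keeps on disk."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. A real rainbow table stores hash
    chains to save space; the attacker's payoff is the same: one lookup per
    leaked hash, no hashing at crack time."""
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table[unsalted_hash(candidate)] = candidate
    return table


def crack_unsalted(leaked, table):
    """leaked is {user: hash} from a breached unsalted database. Every hash
    that appears in the table is cracked instantly."""
    return {user: table[h] for user, h in leaked.items() if h in table}


# --- The defence the post does not mention: a random per-user salt. ---

def new_salt():
    return os.urandom(16)


def salted_hash(password, salt):
    """The salt is stored next to the hash and is not secret; it just makes
    every user's hash a different problem, so nothing can be precomputed."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(leaked, wordlist):
    """leaked is {user: (salt, hash)}. The table is useless here; the attacker
    must redo the whole dictionary for each user. Returns (found, hashes_computed)
    so the extra work is visible."""
    found, work = {}, 0
    for user, (salt, h) in leaked.items():
        for word in wordlist:
            for candidate in mangle(word):
                work += 1
                if salted_hash(candidate, salt) == h:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, work


def demo():
    # Constructed "breach dump": two users chose guessable passwords, one
    # used a random KeePass-style string that no wordlist will ever contain.
    passwords = {"alice": "Cubs1908!", "bob": "Augu$t76", "carol": "q7Lm#2xV9pR!z"}

    unsalted_db = {u: unsalted_hash(p) for u, p in passwords.items()}
    table = build_lookup_table(WORDLIST)
    cracked = crack_unsalted(unsalted_db, table)

    salts = {u: new_salt() for u in passwords}
    salted_db = {u: (salts[u], salted_hash(p, salts[u])) for u, p in passwords.items()}
    table_hits = {u: table.get(h) for u, (_, h) in salted_db.items()}
    still_cracked, work = crack_salted(salted_db, WORDLIST)
    return cracked, table_hits, still_cracked, work


if __name__ == "__main__":
    cracked, table_hits, still_cracked, work = demo()
    print("unsalted, table lookup:      ", cracked)
    print("salted, table lookup:        ", table_hits)
    print("salted, per-user dictionary: ", still_cracked, "after", work, "hashes")
```

Run it and alice and bob fall both times; carol never does. The salt only changes who pays for the hashing: with unsalted hashes the cracker did it once, years ago, for everyone; with salted hashes he does it again per victim. That is why a random, never-reused password protects you even on a badly built site, and why a reused “Cubs1908” doesn’t on a well built one.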
Got a PSN account? Is the password for your PSN account also used for Facebook or Twitter or your work? Someone with the hashes taken from the PSN and a rainbow table could have had your password within minutes of PSN being cracked. They could have already read your e-mail by now. Maybe downloaded some personal photos you’d never want to see the light of day. Or maybe just got into an online store you frequent and bought a few things.
This is why you should never use the same password more than once. Because no matter how secure a given system may be, no matter how well it was designed, if it’s cracked and your password is exposed, every other system where you use that same password is exposed too.
I have a different password for each system with which I have an account. That’s hundreds of different passwords. Each one is made up of random letters, numbers, case, and special characters. Each one is as long as the maximum allowed by the system in which the password is used. You should do the same.
But how the FUCK do you remember hundreds of passwords made up of random characters? There’s a simple answer to this: you cheat.
There are many programs available that will manage all your passwords. The one I use is KeePass. Whenever I need a password I open KeePass, enter the account details, have KeePass generate a new password for me, and use that password to create the account. The next time I need to log into the system I just open up KeePass and look up the system I’m trying to log in to.
The password database is encrypted using a password. This is the one password you have to remember. It is also where I apply that trick of turning a phrase into a random(ish) password. In the interest of making the password especially long, rather than just taking one letter from each word I’ll type out the whole phrase. I’ll usually have a password that’s over 60 characters long!
But what if you need to log into something when you’re not at home?
My solution is to take KeePass with me using KeePass Portable. I just stick the application onto a USB drive and hook the drive into my keyring. Wherever I go, my passwords go with me.
It is very important to create backups. There’s a copy of the password database on my main computer, a copy on my thumb drive, and a few other copies stored in various locations both online (such as an attachment to an e-mail sent to a GMail account) and offline (another thumb drive, netbook, etc.). This way if my computer fries or I lose my thumb drive I still have my passwords. Two things to keep in mind: every one of those copies is protected only by the master password, so it had better be a good one, and the account holding an online copy can’t have its own password living only inside that database, or you’ll be locked out of both at once.
It may sound a little risky at first, but just a little bit of care and consideration is all it takes. I’ve been using this solution for nearly 10 years and haven’t had a problem.
So the next time a system with your password on it is cracked, you too won’t give a shit.