Last updated on October 3, 2020
Today we are going to talk about why in recent years we are constantly told that we must establish secure passwords if we want to protect our accounts.
I decided to write this post because I recently pentested a client and exploited a SQL Injection vulnerability (you can read more about this vulnerability here) and got to download their entire database. When I opened the table of users, not only was it shocking to see that they kept the passwords clear, but that users had set passwords such as “carmen01”, “david93”, “Password” or “qwerty”. And the administrator user had decided that “admin2018” was a secure password. Spoiler: it’s not.
So let’s start by establishing what a secure password is. A secure password is a password that no one can guess or get through an automated program. If you read any security post or any official recommendation, you can see that on all sites a secure password is related to a password containing lower case, upper case, numbers and special characters.
But is this really true? No. For example, “zaq1ZAQ!” is not a secure password.
On the other hand, a password that does not contain capital letters, numbers and special characters need not be insecure. Let’s analyze this through a bullet published by XKCD. Suppose we have the following password: “Tr0ub4dor&3”. We could estimate the entropy of this password this way:
In total, 28 bits of entropy. To obtain this password by means of a computer program, we would need to make a maximum of 228 attempts. At about 1000 attempts per second, something that is easy to achieve in a remote attack on a web page, we would need only three days to break this password: it is easy to break. And yet, this is not a simple password to remember.
On the other hand, let’s see what happens if we choose as password four random words from a dictionary, like “correcthorsebatterystaple”.
The entropy of each random word is 11 bits, so by combining 4, we get 44 bits of entropy. This implies that we would need 244 attempts to obtain this password. At 1000 attempts per second, about 550 years. It is a very difficult password to obtain, but very easy to remember:
Obviously, if we choose 4 random words and then make substitutions for numbers and symbols and alter upper and lower case, we will get a much more secure password. But with this post I wanted to show how it is perfectly feasible to set a secure password suitable for all users.
If you can’t think of a safe enough password, you can generate it through pages such as correcthorsebatterystaple.net:
With regard to saving passwords clearly in a database, this is something that is still happening today. How to save passwords securely? Using a hash. A hash is a one-way mathematical operation, that is, from A you can obtain B, but from B you cannot reach A.
In the next post I will talk about hashes and how to break them using the HashCat tool.