Whether on the internet or on your own computer, your data is usually protected by a password of your choice. But what happens behind a password, and why are we always told to choose a long one with numbers in it?
Once you have entered your user name and password, the software or website checks in its database that the two match. Contrary to popular belief, such software rarely knows the users' passwords themselves: what it stores is usually not the password but a hash of it (this article originally said "encrypted", but the operation is a one-way hash, not encryption that could be undone with a key). You can see an example on this very website.
If we type a word into the first field, for example “password”, several strings of characters appear below. Each line corresponds to a different hash function. Looking at the line labelled “SHA-256” (a commonly used one), we see that “password” has become 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8. That is the value the software stores. We can then check that other words, such as “Password” with a capital P, give completely different values (here e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a). A hash is short and of fixed length (64 hexadecimal characters for SHA-256, however long the input), it cannot be reversed, and there is no way to get back from it to “password”.
However, hashed or not, if someone knows your password they can access your data. So how do you prevent someone from guessing it?
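To make the verification described above concrete, here is an added example in Python's standard library; it is not code from the original page. It reproduces the SHA-256 value quoted above, shows that a login check compares hashes rather than passwords, and then goes one step beyond the article: the same check with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256), which is what a site should actually store. The user name “alice” and the user table are constructed for the demo.

```python
import hashlib
import hmac
import os


def sha256_hex(word: str) -> str:
    """Plain SHA-256 hex digest, exactly what the demo form on the page prints."""
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


# Constructed user table: the site keeps the hash, never the password itself.
USERS = {"alice": sha256_hex("password")}


def login_sha256(username: str, candidate: str) -> bool:
    """Login check as described in the text: hash what the user typed and
    compare with the stored digest. compare_digest avoids leaking, through
    timing, how many leading characters matched."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sha256_hex(candidate))


# Beyond the article: a salted, slow hash. The random salt makes two users with
# the same password get different records (no precomputed tables), and the
# iteration count makes every guess cost the attacker as much as the site.
def make_record(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_record(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("SHA-256 of 'password':", sha256_hex("password"))
    print("SHA-256 of 'Password':", sha256_hex("Password"))
    print("login alice/password:", login_sha256("alice", "password"))
    print("login alice/Password:", login_sha256("alice", "Password"))
    record = make_record("password")
    print("salted record verifies:", verify_record(record, "password"))
```

Note that the plain SHA-256 table is only there to mirror the page's demo; the salted PBKDF2 record is the form a real service should keep.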
Why use a long password with both letters and numbers?
One method attackers use to find a password is simply to try many candidates, one after another, until one matches.
A password made of N lowercase letters has 26^N possible combinations; that rises to 52^N if uppercase letters are allowed and to 62^N if digits are added as well. The time needed to find a password therefore grows exponentially with its length, and also with the size of the alphabet it is drawn from.
Suppose an attacker can try about 10 million passwords per second (a deliberately modest figure: for a fast hash such as SHA-256, a single modern graphics card manages billions of guesses per second, which is one reason sites should store a slow, salted password hash rather than plain SHA-256). A 5-character lowercase-only password is then found in about a second (about a minute and a half if uppercase letters and digits are mixed in). With 8 characters drawn from all 62 symbols the worst case rises to roughly eight months, and with 10 characters to thousands of years.
In practice these attacks begin with the words found in a dictionary. So if your password is, or contains, an existing word, it will be found much faster (“Hello” is thus less safe than “Fsken”, just as “aaaaaaaaaa” is less safe than
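The following added example (Python, not the page's own code) does the arithmetic of the previous paragraphs and then runs the attack they describe against a SHA-256 digest: a constructed dictionary is tried first, then every combination of the alphabet by increasing length. The rate of 10 million guesses per second is the figure used in the text; the three-word wordlist and the target words are constructed for the demo.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                 # 26 symbols
ALNUM = string.ascii_letters + string.digits   # 62 symbols
GUESSES_PER_SECOND = 10_000_000                # figure used in the article


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust all alphabet_size**length candidates at the given rate."""
    return alphabet_size ** length / rate


def human(seconds: float) -> str:
    """Rough human-readable duration."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack(target_hash: str, wordlist, alphabet: str, max_len: int):
    """Dictionary attack first, then exhaustive search by increasing length.
    Returns (recovered_word, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for word in wordlist:                    # phase 1: existing words
        guesses += 1
        if sha256_hex(word) == target_hash:
            return word, guesses
    for n in range(1, max_len + 1):          # phase 2: brute force
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            word = "".join(chars)
            if sha256_hex(word) == target_hash:
                return word, guesses
    return None, guesses


# Constructed three-word dictionary for the demo.
WORDLIST = ["hello", "password", "welcome"]

if __name__ == "__main__":
    for size, length in [(26, 5), (62, 5), (62, 8), (62, 10)]:
        print(f"{size}^{length} candidates: {human(worst_case_seconds(size, length))}")
    for secret in ["hello", "fske"]:
        found, n = crack(sha256_hex(secret), WORDLIST, LOWER, 4)
        print(f"{secret!r} recovered as {found!r} after {n} guesses")
```

Running it shows the gap between the two phases: a word in the dictionary falls on the first guess, while a random four-letter string costs the attacker over a hundred thousand, and a word outside the alphabet or longer than the search limit is not found at all.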
Why not use the same password everywhere?
Although serious businesses store passwords hashed, some less careful websites store them in plain text, or hash them badly (a fast, unsalted hash such as the plain SHA-256 shown above can be cracked in bulk). If such a site is breached, the attackers learn your password, and all they have to do afterwards is try it on other, better-protected websites and see where it works.
Why activate two-step verification?
This is one of the most effective ways to protect your data, and banks use it more and more: once the password has been typed, you receive an SMS (or open a mobile app) and are asked to enter a second code. Knowing the password is then no longer enough to get in; the attacker must also hold the right phone (someone who has guessed the password but has not stolen the phone as well cannot gain access). A code generated by an app is preferable to one sent by SMS, since a phone number can be hijacked more easily than a device.
Generation of a random password with KeePass
How can one keep track of all these passwords? I would recommend a tool such as KeePass, free software that generates and stores all your passwords in an encrypted file (someone who gets hold of the file cannot read them). Access to the file is protected by a long, strong master password of your choice, which you must not forget, and you are good to go.
Finally, use common sense. If the data you keep in the cloud is particularly sensitive and protected by a 25-character password, make sure that simply stealing your phone is not enough for someone to get at all of it…