How to…
This page contains instructions and information to help you get more from our website. If you have any suggestions for improvements, please feel free to contact us.
How to keep your passwords secure
Many of you will know our website was “hacked” in 2012. Annoying as it was for us, it could have been much worse:
Imagine if they had successfully hacked into somewhere much bigger like Facebook, eBay, or Amazon – they could download the user account database and use password-cracking software to work out user passwords.
This wouldn’t be a huge problem in itself, but for one fact well known to the hackers: most people use the same password for all the websites they access, because it’s easier than having to remember a whole set of different passwords.
Most services will store an encrypted (technically, a “hashed”) form of your password. What that means is that hackers don’t get a simple list of user names and passwords. What they get is a list of user-ids and password hashes. What’s good about hashes is that you can calculate a hash from a password, but you cannot do the reverse, so you cannot work out the password from the hash.
As a result, you would think that a hashed password is pretty unhackable, but sadly that’s not so.
Computers these days are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in billions of operations per second.
Assume you use an 8 character password. Excluding special characters for now, you have 62 possible characters (26 lower case, 26 upper case, 10 digits) in each of the eight positions, which gives over 221 trillion combinations. This seems like a lot, until you realize that once a database of usernames and hashed passwords has been stolen, an offline search of all combinations of 8 characters (hashing each guess and comparing it with the stolen hashes) could be completed in a few hours.
It doesn’t matter what your password is. If it’s eight characters and is comprised of upper and lower case letters and numbers, the hackers now have it – even if it was hashed by the service that they stole it from.
Increasing your password to ten characters gives you over 850 quadrillion combinations, and the offline guessing time would be measured in months.
Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810), where the offline guessing time would be measured in centuries.
That’s why 12 is better than 10 and both are better than eight. Throw in some special characters as well, and the numbers grow exponentially.
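The keyspace arithmetic behind these figures, as an added example (not part of the original page): it works out which character classes a password uses, the number of candidates an exhaustive offline search must try, and the worst-case time at an assumed guess rate. The rate of 10 billion guesses per second, the size of the “special characters” class (ASCII punctuation) and the sample passwords are all constructed assumptions.

```python
import string
from math import log2

# Character classes the page counts (26 + 26 + 10); the size of the
# "special" class is an assumption here (the 32 ASCII punctuation marks).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

ASSUMED_RATE = 1e10  # guesses per second; a constructed figure, not from the page


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume: the union of every class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates an exhaustive offline search of that length must try."""
    return alphabet ** length


def crack_seconds(password: str, guesses_per_second: float = ASSUMED_RATE) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(alphabet_size(password), len(password)) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, up to centuries."""
    value = seconds
    for name, factor in [("seconds", 60), ("minutes", 60), ("hours", 24),
                         ("days", 365.25), ("years", 100), ("centuries", None)]:
        if factor is None or value < factor:
            return f"{value:.1f} {name}"
        value /= factor


def report(password: str) -> dict:
    """Summarise length, alphabet, keyspace (and its bit strength) and crack time."""
    size = alphabet_size(password)
    space = keyspace(size, len(password))
    return {"length": len(password), "alphabet": size, "keyspace": space,
            "bits": round(log2(space), 1) if space else 0,
            "worst_case": human_duration(space / ASSUMED_RATE)}


if __name__ == "__main__":
    for pw in ["Tr0ub4do", "Tr0ub4dor&", "Tr0ub4dor&3X"]:  # constructed samples
        print(pw, report(pw))
```

Lengthening the sample from 8 to 12 characters moves the worst-case figure from hours to centuries at the same guess rate, which is the page’s point; the exact hours-or-months boundary depends entirely on the assumed rate and the hash in use.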
So remember these two rules and you can beat the hackers:
Use a different password for each site login you have. That way a password compromised on one service won’t give hackers access to everything else you use.
Even the best eight character passwords should no longer be considered secure. Ten is better, but you really should consider moving to 12 or more for the long run, and include special characters if you can.
Be safe!
Reference material & further reading: