In the next installment of Sounds Good's new series, Cyber Bytes, Tracy Ross speaks with Dr. Michael Ramage, Director of the Cyber Education and Research Center at Murray State University, about password safety, including why you should always avoid reusing passwords.
Most people are aware of the general password rules: sites usually require an uppercase and a lowercase letter, a number, a special character, and a minimum length of eight characters. What isn't as well-known, Ramage explains, is why these rules are in place.
"When you put in a password into your system, it goes through a hash function," he begins. "Depending on the hash function, let's say it's a 168-bit hash function. If you put in the book War and Peace or you put in an eight-character password, it's going to end up being 168 characters or bits. That's the way that it works. But it's going to be unique to your password."
"What that means is that if you put in a password on Facebook, Facebook doesn't remember your password. It actually remembers the hash of your password. So, if a hacker broke into Facebook and stole all the passwords, it doesn't steal the 'passwords.' It steals the hashes."
Ramage continues that stolen hash tables like these circulate on the dark web. Once an attacker has cracked them (guessed passwords offline until the hashes match), the recovered username and password pairs are tried everywhere else. "The very first thing they'll do is take all of those usernames and hashes and try them on Amazon or on a bank or something else." This is where never reusing passwords becomes particularly important.
"If you're reusing your password, especially crossing over between work and personal, it's possible for that hacker to get into that other account using that same password," Ramage explains. If you're notified that a password has been compromised, even one for an account you haven't used recently, Ramage recommends changing it on every account where it was used.
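The scenario Ramage describes, as an added example (this code is not from the interview or from any site he mentions): a site stores only a fixed-length hash of each password, the stolen hash table is cracked offline with a wordlist, and the recovered pairs are replayed against a second site where the user reused the password. SHA-256 stands in for the unnamed hash function, and the users, passwords and wordlist are constructed for the demonstration. The last two functions go beyond the interview and show the caveat a practitioner would add: a per-user salt plus a slow key-derivation function (scrypt, with illustrative parameters) forces the attacker to redo every guess for every user instead of checking one guess against the whole dump.

```python
import hashlib
import hmac
import secrets

# Constructed attacker wordlist; real ones contain hundreds of millions of entries.
WORDLIST = ["password", "letmein", "Summer21!", "correcthorse", "qwerty123"]


def unsalted_hash(password: str) -> str:
    """The interview's model: the site keeps only a fixed-length hash.
    Output is always 64 hex characters (256 bits) regardless of input length."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(store: dict, username: str, password: str) -> None:
    """The password itself is never stored, only its hash."""
    store[username] = unsalted_hash(password)


def login(store: dict, username: str, password: str) -> bool:
    """Verification re-hashes the attempt and compares it in constant time."""
    expected = store.get(username)
    return expected is not None and hmac.compare_digest(expected, unsalted_hash(password))


def crack_dump(dump: dict, wordlist) -> dict:
    """Offline guessing against a stolen username -> hash table.
    With unsalted hashes, each candidate is hashed once and looked up for
    every user at the same time, so the whole dump is attacked in one pass."""
    lookup = {unsalted_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def credential_stuffing(cracked: dict, other_site: dict) -> list:
    """Replay each recovered username/password pair against a second site."""
    return [user for user, pw in cracked.items() if login(other_site, user, pw)]


def demo() -> dict:
    """Walk through the interview's scenario with constructed data."""
    site_a, site_b = {}, {}
    register(site_a, "alice", "Summer21!")                 # alice reuses this password
    register(site_b, "alice", "Summer21!")
    register(site_a, "bob", "glacier-anvil-porch-44")      # bob: unique per site, not in wordlist
    register(site_b, "bob", "lantern-quartz-delta-90")
    stolen = dict(site_a)                                  # site A's table leaks
    cracked = crack_dump(stolen, WORDLIST)
    return {"cracked": cracked, "stuffed": credential_stuffing(cracked, site_b)}


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Hardened storage (not discussed in the interview): random per-user salt
    and a deliberately slow KDF. Parameters are illustrative assumptions."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def salted_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt; a wordlist table built for one user is useless for another."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


if __name__ == "__main__":
    print(len(unsalted_hash("a")), len(unsalted_hash("a" * 500_000)))  # same length: 64 64
    print(demo())  # {'cracked': {'alice': 'Summer21!'}, 'stuffed': ['alice']}
```

Bob is untouched even though his hash sits in the same leaked table: his password is not in the wordlist, and the one on site B is different anyway. Alice's reuse is what turns a breach at site A into a login at site B.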
Ramage also recommends using two-factor authentication whenever possible. With a second factor, a stolen or reused password alone is not enough for a remote attacker to log in. Authenticator apps are stronger than codes sent by text message, because text-message verification can be intercepted or faked.
Of course, memorizing a unique password for each of 20 or more online accounts is next to impossible. For this problem, Ramage suggests using a password vault.
"I have 250 passwords. I don't want to reuse passwords, and I certainly can't remember 250. So, I use a password vault. There are some popular ones out there. LastPass is one that's real popular. Basically, I have to remember a password to get into my password vault. But that's one password. Once I put in that password, there's a file that will have all of my passwords on it."
"There's some debate about whether that's safe," Ramage continues. "The password vault is encrypted. So, if you stole my computer or where my vault is, if you had access to that file, unless you know the password, it's encrypted. You're not going to be able to get to those passwords."
For more information on MSU's Cyber Education and Research Center, visit its website. Read the first installment of Cyber Bytes here.
Listen to the full interview here: