How to secure your online accounts - About Passwords and Passkeys

How to secure your online accounts

About Passwords and Passkeys

Ian Boschung
by Ian Boschung
on June 06, 2024
time to read: 9 minutes

Keypoints

About passwords and passkeys

  • Passwords should be stored salted and hashed
  • Never use the same password twice, because you don't know if it will be safe
  • Use a password manager instead of remembering every password
  • Use passkeys on websites that support it

To check if you entered the correct password during login on a website, it has to store a copy of your password somewhere on its server. Passwords are very sensitive data: If an attacker can access where passwords are stored on a server, he can use it to impersonate all associated accounts. To decrease this risk, it is not recommended to store passwords on servers in plain text but to instead only store the hash of a password. A hash is a special one-way function that makes it impossible to efficiently recover the input from the output. The only way to reverse a cryptographically secure hash function is to pass different inputs to it until the results match, which means that longer and more complicated passwords take longer to reverse: more inputs have to be tried out before the right one is found. We already explained in detail how this can be done in following Article. A web server that only stores password hashes can still check a user’s password by applying the same algorithm again, but an attacker who has breached the password database can not impersonate the user without reversing the hash.

Legitimate login top and an attacker trying to login with only a password hash on the bottom

An attacker cannot use the stolen hash value to impersonate a user, because the server would hash the hash again and it would not match the stored value in the database.

Adding a salt

There is one problem with this approach: Because most websites will use one of very few common hash algorithms, an attacker can precompute hash values of common passwords once and then use this list for all password leaks he encounters. Such a table is called a rainbow table and can also be downloaded for different password lists and algorithms from the internet, e.g. from freerainbowtables.com. To prevent the use of rainbow tables a salt can be used. This is a random value, different for every user, that is stored alongside a user’s password and is appended to it before applying the hash function. This way, the same password will have different hash values on different websites, and even the same password on the same website will have different salt values and therefore different hashes. Note that an attacker who has access to the password database can still use the brute force method to crack a password, because the salt is not secret and is commonly stored in cleartext in the same place as the password.

Why you should never use the same password for different accounts

When you create a new account and set a password, you don’t know how your password is stored on the webserver. Maybe the developers followed best practices and your password is stored both hashed and on a well-secured server, but maybe it is also in cleartext in a text file on an outdated computer. Password breaches are quite common and you may not or only very late know if one of your accounts was leaked. If you use the same password for your Google account as for a small shop with bad IT security that gets hacked, the attacker can not only use the stolen password to access the hacked website but also to access your Google account. If you want to know if any of your passwords have been compromised, you can check your email addresses on ‘;—have i been pwned?.

How a password manager solves this problem

Of course, it is very difficult to remember a different password for every account you have, even more because the passwords should also be long, random, and contain different categories of characters. A solution to this problem is password managers: A password manager is a program that stores all your different passwords encrypted in a way that they can only be decrypted using your master password. Your master password is the only one you have to remember, and you should only use it for your password manager. If you want to log into an account, you first use your master password to unlock your password manager, decrypt your account password, and then copy it into the website’s login form.

Most password managers offer many more features to improve their usability:

Built-in vs dedicated password manager

Many operating systems or browsers nowadays come with a first-party password manager (iCloud Keychain on MacOS, Google Password Manager on Android and Chrome browser). During the last years those started offering apps and plugins for other systems such as theverge.com, or allthings.how, so they are a feasible option. On the other hand, there exist many third-party password managers, both open source and proprietary, for you to use. Some popular ones are 1password, BitWarden, DashLane and KeePassXC.

The advantages of a first-party password manager are that they are usually free (because you already bought a device or installed software from the developing company) and that they come preinstalled with whatever product you use. Many people nevertheless choose a dedicated password manager because they offer more features and allow you to be more independent of the big five companies.

Get rid of passwords altogether: Passkeys

Passkeys are a modern alternative to passwords based on asymmetric cryptography. Instead of using the password as a shared secret between the client and server, an asymmetric key pair is generated, and the public key is saved on the server upon registration. The private key is stored in a passkey provider. During the login process, the web server generates a random challenge that is delivered through the browser to the passkey provider. Instead of authenticating directly to the website, the user authenticates himself to the passkey provider (using biometrics, a PIN, or a master password). The passkey provider then signs the challenge using the corresponding private key and sends the signature back via the browser to the web server, which now verifies that the signature comes from the correct key. While this seems very complicated, the user is only involved in the step where he needs to authenticate to the passkey provider, the rest happens in the background.

Process of using a passkey to log in to a service. Time axis from top to bottom

Passkeys offer numerous advantages:

How can you use Passkeys

All major operating systems and most password managers already support passkeys, but not all websites do. On Passkeys.directory there is a list of websites that support passkeys, and some password managers like 1Password list all accounts where you can set up a passkey. Setting up a passkey is straightforward and you can usually find the corresponding function where you would also change your password.

Conclusion

By following some simple rules you can greatly increase the security of your online accounts and by using a password manager you make signing in more comfortable for you at the same time. By using passkeys on websites that support it you can further protect yourself from security breaches you can not influence.

About the Author

Ian Boschung

Ian Boschung has been taking part in programming competitions since high school and discovered his passion for cyber security during his studies at the ETH with a Master in Electrical Engineering & Information Technology. He focuses on the security testing of web applications and Linux/Unix systems.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
iOS Mobile Application Testing

iOS Mobile Application Testing

Ian Boschung

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here