By Rajat Bhargava Posted November 18, 2013
We’ve discussed elsewhere how password complexity is fairly moot. So long as the application doesn’t allow your adversaries to make too many attempts at guessing your password, you’re reasonably safe.
The real issue that people are trying to solve with strong passwords is the risk that they will be compromised. Companies like LinkedIn get hacked and all of their stored passwords are stolen. In most cases they’ve been smart enough to hash and salt these passwords, but weak passwords can still be recovered anyway: the salt is stored alongside the hash, so it slows the adversary down without hiding a guessable password. If you’re using a dictionary word, or anything fairly simple, an adversary can simply try each potential password against the hash and figure out what you’re using for a password.
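The claim above, worked through as an added illustration (not code from the original post or from JumpCloud): a site that stores a salted PBKDF2 hash is modelled, and the same hashing is applied to a constructed, hypothetical list of common passwords to show why salting alone does not protect a weak password, next to the screening check a defender applies before storing one. The wordlist, iteration count and function names are assumptions for the demo.

```python
import hashlib
import os
import secrets
from typing import Iterable, Optional, Tuple

# Constructed, hypothetical list of leaked/common passwords; a real one
# would run to millions of entries.
COMMON_PASSWORDS = ["password", "letmein", "sunshine", "dragon", "welcome1"]

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed for the demo)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and hash a password the way a careful site stores it.
    The salt is random per user and is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def recoverable_from_wordlist(salt: bytes, digest: bytes,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Model the post's point: once the database leaks, the stored salt is
    known, so every candidate on a common-password list can be hashed with it
    and compared. Returns the matching candidate, or None if none matches.
    The salt only forces this to be redone per user; it does not hide a
    password that is on the list."""
    for candidate in wordlist:
        _, guess = hash_password(candidate, salt)
        if secrets.compare_digest(guess, digest):
            return candidate
    return None


def acceptable_password(password: str,
                        wordlist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """Defender-side screening at signup or password change: refuse anything
    that appears on the common-password list before it is ever stored."""
    return password.lower() not in {w.lower() for w in wordlist}
```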
But why do you care? The bad guy is already on your account. You can assume that they’ve read your private emails, downloaded your images, whatever. Sure, the damage on that particular site is done. However, more danger is to come. Bad guys intend to use that same password on other sites that they HAVEN’T hacked.
The analogy with physical locks breaks down here a bit, but imagine if it were possible to reverse-engineer and recreate your physical key by breaking into your lock. You’d be very wary of sharing the same key across different locks, right? Some locks are inherently less secure than others, both in regards to accessibility (like the lock that you use on your bike and leave in an isolated location) and in their implementation (those silly luggage padlocks). In that bizarro world, when someone had the opportunity to crack your bicycle lock, they’d have access to your home, and your car, and your safe deposit box. But that’s precisely the position most people put themselves into on the Internet.
That is the real vulnerability of passwords – their reuse. Some web applications are not very good about keeping your password secure. Having a strong password can (possibly) help keep your individual password safe on these occasions, but even that’s not guaranteed. Unique passwords ensure that your other applications are still safe even when one application is compromised.
Avoid Password Reuse With JumpCloud®
If you would like to put these password safety approaches into use, try the Directory-as-a-Service® platform from JumpCloud. We have a number of core password security mechanisms that you can try with your team, including password rotation, reuse prevention, and complexity controls. We are also big proponents of multi-factor authentication, which dramatically changes the game of password security.