Passwords And Backup
Passwords are an essential part of computer security. So are backups, especially when it comes to crypto. What do you need to know when choosing a strong password?
Passwords are one of those things everyone uses all the time, but hardly anyone stops to consider how important they are. A password is like a door lock: you need one and you use it every day, but you only notice it when it's gone or broken. Since security is a key aspect of owning and keeping crypto, this lesson will look at:
- How passwords work
- How you can lose your password
- What makes a good password
- The upsides and downsides of different ways to back up your password
How does a password work?
When you set a password for the first time, the following happens:
- You fill out a form with your password.
- The password gets hashed and stored in a database.
- When you try to log in again, you need to enter the same password.
- The password you attempt to log in with gets put through the same hash function and compared to the one you set.
- If they match, you get access to your account.
Sidebar: A hash function is a cryptographic function that converts input of any size into a fixed-size alphanumeric value. For security, it is this output, not the password itself, that gets stored.
Hash functions are a cornerstone of cryptocurrencies. In the Bitcoin blockchain, transactions are hashed and added to blocks.
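Here is the set-and-check flow above as a small Python program. This is an added example, not code from the original lesson: setting a password stores a salted hash, and logging in repeats the same hash on the attempt and compares the two. The hash parameters (PBKDF2-SHA256, 600,000 iterations, a 16-byte random salt) and the record format are this example's own assumptions; a production system would use a dedicated password hash such as Argon2, scrypt or bcrypt.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example; real systems should use a
# dedicated password hash (Argon2, scrypt, bcrypt) with tuned cost settings.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def set_password(password: str) -> str:
    """Step 2 of the flow: hash the password and return the record to store.

    A fresh random salt means two users with the same password get different
    stored values, so cracking one hash reveals nothing about the other.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # The record carries everything needed to repeat the computation later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record: str, attempt: str) -> bool:
    """Steps 3-5: run the same hash on the login attempt and compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: the time taken does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = set_password("r3Dcr0W5")  # password taken from the lesson's example
    print(stored)
    print(check_password(stored, "r3Dcr0W5"))  # True
    print(check_password(stored, "r3dcr0w5"))  # False
```

Note that the stored record never contains the password: an attacker who steals the database still has to guess, which is exactly the brute-force situation the next section puts numbers on.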
If someone wanted to find out your password, they have two attack points: either they physically force you to give up the password, or they crack the stored hash to recover it. A hash can't be run backwards, so cracking it means brute force: a program has to try every possible password until one produces the same hash. You can calculate how long that would take if you know three things: the password length, how many character types could have been used, and how many hashes can be calculated per second.
How you can lose your password
Let's assume we're working with an eight-core 2.8 GHz processor calculating SHA-512. Calculating one hash takes 0.0017 milliseconds, resulting in roughly 600,000 hashes per second. The password to crack is r3Dcr0W5, and we assume the attacker knows it uses 62 possible character types (26 uppercase letters, 26 lowercase letters and 10 digits). Our computer would take roughly six years to crack this password.
But with a GPU (a graphics card), you'll be able to hash 50-100 times faster. Supercomputers, or for example a botnet of about 100,000 computers, would be 150,000 times faster still. It would take such a botnet only 31 minutes to crack this password. The largest known botnet in the world is 12 million computers strong.
What about a stronger password? We could use %ZBGbv]8. This is truly undecipherable to a human, and it would take our single computer 45 years to crack it. The botnet could get it done in four hours.
Below you can get a feel for how vulnerable your password is:
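As an added example (not from the original lesson), here is the three-input calculation from the previous section in Python, using the lesson's own figures: 600,000 hashes per second for the CPU, a GPU 100 times faster, and a botnet 150,000 times faster. Two choices affect the result: whether you count the whole keyspace (worst case) or the average half of it, and how many symbols you assume when the password contains them (95 printable ASCII characters here, an assumption). That is why the output doesn't match the lesson's rounded figures exactly, and why different online calculators disagree with each other.

```python
# Figures taken from the lesson: an eight-core 2.8 GHz CPU doing SHA-512
# at roughly 600,000 hashes per second; a GPU 50-100x faster; a botnet of
# about 100,000 machines 150,000x faster.
CPU_HASHES_PER_SECOND = 600_000
GPU_SPEEDUP = 100
BOTNET_SPEEDUP = 150_000

# Character-set sizes: 62 = letters and digits (as in the lesson); 95 = all
# printable ASCII, an assumption for passwords that include symbols.
ALNUM = 62
PRINTABLE = 95


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords the attacker may have to try."""
    return charset_size ** length


def crack_time_seconds(length: int, charset_size: int, hashes_per_second: float,
                       expected: bool = True) -> float:
    """Time to brute-force a password of the given length and alphabet.

    expected=True returns the average case (half the keyspace), the figure
    most strength calculators report; expected=False is the worst case,
    where every candidate is tried.
    """
    total = keyspace(length, charset_size)
    tries = total / 2 if expected else total
    return tries / hashes_per_second


def format_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(password: str, charset_size: int) -> dict:
    """Expected crack time of one password on each attacker setup, in seconds."""
    length = len(password)
    return {
        "cpu": crack_time_seconds(length, charset_size, CPU_HASHES_PER_SECOND),
        "gpu": crack_time_seconds(length, charset_size, CPU_HASHES_PER_SECOND * GPU_SPEEDUP),
        "botnet": crack_time_seconds(length, charset_size, CPU_HASHES_PER_SECOND * BOTNET_SPEEDUP),
    }


if __name__ == "__main__":
    # The first two passwords are the lesson's; the third is a constructed
    # longer variant to show how much each extra character buys.
    for pw, cs in (("r3Dcr0W5", ALNUM), ("%ZBGbv]8", PRINTABLE), ("r3Dcr0W5longer", ALNUM)):
        times = report(pw, cs)
        print(pw, {k: format_duration(v) for k, v in times.items()})
```

The takeaway the numbers make visible: every extra character multiplies the work by the alphabet size, while a faster attacker only divides it by a constant, so length wins against hardware.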
That's why many websites these days oblige you to use annoyingly long passwords that are so hard to remember. In principle, there are two ways malicious actors can go about finding out your password: a brute-force attack or phishing.
Not every hacker will have a botnet with thousands of computers at their disposal. Long combinations of numbers, letters and symbols are fairly safe, but not if they are built in ways that can be easily guessed. Hackers can use a dictionary attack, which simply tests every word in a dictionary. This is easy and fast to do, even with basic tools. Small changes to words through leetspeak (e.g. writing b!tco1n instead of bitcoin) are also rather easy to crack, because the same tools try those substitutions too. However, with common sense and a strong password, you can prevent that.
Phishing is another way of getting at your password. It refers to redirecting users to a fake site that looks like the original. The user enters their account details, and the password is compromised. Two-factor authentication, coupled with vigilance and common sense, is a good way to avoid falling prey to a phishing attack.
What makes a good password?
Some fundamental points everyone knows but that are worth repeating:
- Use a long password: anything under nine to ten characters is too short.
- Use a mix of characters: uppercase and lowercase letters plus a symbol are mandatory.
- Avoid common substitutions: 3th3r3um will be quite easy to crack; make it less obvious.
- Don't use sequential or memorable keyboard paths.
- A dictionary word is barely better than 2-3 random characters.
- Mix your character types throughout: eight letters followed by two digits (especially your year of birth) is too predictable.
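The rules above, together with the dictionary and leetspeak point from the previous section, as a checker in Python. This is an added example, not from the original lesson. The small wordlist and the leetspeak table are constructed for the demo; a real check would load a large list of common words and leaked passwords, and the leetspeak table is one more reason why 3th3r3um buys you nothing: undoing the substitutions takes one line.

```python
import re

# Constructed wordlist standing in for a real dictionary of common words and
# leaked passwords (a real check would load a large list from disk).
WORDLIST = {"bitcoin", "ethereum", "password", "amazon", "whatsapp", "letmein", "welcome"}

# Common leetspeak substitutions, reversed so "b!tco1n" normalises to "bitcoin".
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "!": "i", "@": "a", "4": "a",
                      "$": "s", "5": "s", "7": "t", "+": "t"})

# Rows of a QWERTY keyboard plus digit and alphabet runs; any four-character
# window of these (forwards or backwards) counts as a keyboard path.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
SYMBOLS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def has_keyboard_path(password: str, window: int = 4) -> bool:
    """True if any run of `window` adjacent keys appears in the password."""
    lower = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - window + 1):
                if s[i:i + window] in lower:
                    return True
    return False


def audit_password(password: str) -> list[str]:
    """Return the lesson's rules that the password breaks (empty list = passes)."""
    findings = []
    if len(password) < 10:
        findings.append("too short: use at least ten characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if not (has_upper and has_lower and has_symbol):
        findings.append("needs uppercase, lowercase and a symbol")
    lowered = password.lower()
    # Look the word up both as typed (digits stripped) and with leetspeak undone.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    deleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if letters_only in WORDLIST or deleeted in WORDLIST:
        findings.append("dictionary word, possibly with common substitutions")
    if has_keyboard_path(password):
        findings.append("contains a sequential keyboard path")
    # Letters followed by a two- or four-digit number at the end, e.g. a birth year.
    if re.fullmatch(r"[A-Za-z]+(\d{2}|\d{4})", password):
        findings.append("predictable shape: letters followed by a two- or four-digit number")
    return findings


if __name__ == "__main__":
    # The first three are the lesson's examples; the rest are constructed.
    for pw in ("3th3r3um", "b!tco1n", "%ZBGbv]8", "Password2014", "Qwerty!2024", "Mg!drWoT-2x9"):
        print(f"{pw!r}: {audit_password(pw) or 'passes all checks'}")
```

A checker like this catches the predictable shapes; it cannot certify that a password is strong, because the "passes all checks" case only means none of the listed shortcuts applied.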
There are a few good methods you can use to come up with strong passwords.
Using a sentence and a system
Could you crack this password?
It takes the first letter from each word in the sentence "I have bought Bitcoin and Ethereum roughly 3 years ago." You could make it even stronger by using the first two letters instead of the first. For example:
This would contain the first two letters of "My mother only drinks red wine on Thanksgiving!" You could even swap the o for a 0 and make it stronger. The key to this method is choosing a sentence that you will find easy to recall.
Creating a mental image
How about this password:
Think of ancient Egyptians playing naked golf next to their pyramids in 444 BC, and you have a password. It may not seem intuitive at first glance, but images are quite easy to remember, especially absurd ones.
Here's another one:
Read it as "D-Day began 6th of June 1944". The basic rule is to use something memorable and shorten it.
Common elements with changes
The last technique:
Read those as "Safe Amazon password to use since 2014" and "Safe Whatsapp password to use since 2017". You can keep the same beginning and vary the ending for different websites.
Another tip would be to add emoticons to your password and complete the symbol requirements that way.
Why you need to use 2FA (two-factor authentication)
You’ve probably already come across two-factor authentication. To use it, you need to download an app like Authy or Google Authenticator on your phone. When logging into your account, you will be asked to check the app for the security code. This is a six-digit number that changes every few seconds. After confirming the code, you will be logged in.
2FA is very powerful because once you have set it up, you can only log into your account with the correct code from the app. Since you have to verify the device during setup, no one can log into your account unless they possess both your password and the phone you use for 2FA. 2FA is encouraged, and sometimes even required, by major crypto exchanges for account security.
It's worth making sure you have a backup of your authenticator, or are able to restore it on a new device, in case you lose your phone.
The upsides and downsides of different ways to back up your password
Whether you're talking about passwords in general or keys to your crypto wallets, there are a few different ways to back them up.
Back up on paper
You can write down your passwords on a piece of paper and store that somewhere. That's easy and quick to do. It's also a mobile solution. But it's also easy to lose or damage that paper slip. You can have more than one in different places but that adds complexity.
Back up with engraving
A popular solution for cryptocurrency keys is backing them up by engraving them on a ring or another piece of metal. That's a permanent and durable solution. It's also mobile. But just like with paper, it can get lost or stolen.
Back up with master key
Computer solutions like password managers store all your passwords for you, so you only have to remember one master password. That's a convenient option, but you have to think about whether you want to store a password on a computer at all. That is equally true for cryptocurrency keys, since a password manager doesn't protect the computer from a ransomware attack, for example. Another option would be to create an extra password-protected partition on your computer. This would add an extra layer of security.
Back up on an extra device
You could also use an extra USB stick with a simple text file that contains all necessary information. If this USB stick is secured with a password itself, it essentially works as an extra device for backup. For information related to your crypto accounts, this would be a fairly safe solution.
Having a strong password and good backup methods is a life-saver and an indispensable tool for staying safe on the internet.