Passwords and Password Management

How encryption is broken

Generally, passwords are cracked through brute-force attacks, dictionary attacks or some clever social engineering. A brute-force attack essentially tries every possible combination of letters, numbers (and some special characters).

For example, ‘a’ then ‘b’ then ‘c’ … then ‘acaaa’ then ‘acaab’ etc.

Dictionary attacks are a little more sophisticated: they take words from a dictionary and combine them with rulesets that dictate how a password is formed from those words.

Social engineering is an effective way of hacking someone’s password, as it takes advantage of human incompetence and predictability. It uses combinations of words or numbers that might have a special meaning to the targeted person, like their birthday, their daughter’s name, etc.

What is hashing

A hashing function is a function that converts your password into a string of seemingly random characters and numbers of a fixed length (depending on the function). So ‘TestPassword’ would be converted to ‘6250625b226df62870ae23af8d3fac0760d71588’.

One important thing to note is that a hashing function is a one-way function, i.e. ‘6250625b226df62870ae23af8d3fac0760d71588’ cannot be converted back to ‘TestPassword’. This hash is what a website stores in its database, so even if the database is compromised (and the site is not using MD5 hashing), your original password is secure.

One important property of a hashing function is that even a small change in your password would generate an entirely different hash.
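The two properties just described, one-way verification and the avalanche effect, as an added example that is not part of the original post. It uses Python’s standard `hashlib`; the function names and the test password variants are my own.

```python
import hashlib


def hash_password(password: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of `password` under the named hashlib algorithm.

    Plain, unsalted hashing as the article describes; the digest length
    depends only on the algorithm, never on the password length.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hash: str, algorithm: str = "sha256") -> bool:
    """One-way check: the stored hash is never reversed.

    The site re-hashes the candidate the user typed and compares the result
    with the hash it stored; that is all a login needs.
    """
    return hash_password(candidate, algorithm) == stored_hash


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two hex digests of equal length.

    For a good hash, changing one character of the input flips roughly half
    of the output bits (the avalanche effect the article mentions).
    """
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    # Constructed sample values; "TestPassword" is the article's example.
    stored = hash_password("TestPassword", "sha1")
    print("stored SHA-1 hash:", stored)
    print("login with correct password:", verify_password("TestPassword", stored, "sha1"))
    print("login with wrong case:      ", verify_password("testpassword", stored, "sha1"))

    # A single extra character changes about half of the 256 output bits.
    a = hash_password("TestPassword")
    b = hash_password("TestPassword!")
    print(f"bits differing between the two SHA-256 hashes: {bit_difference(a, b)} of 256")
```

Because the hash is deterministic, the same password reused on two sites that hash it the same way produces the same stored value, which is why one leak exposes the other account.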

Why use password managers then?

Remembering username and password combinations for many sites is a rather hard task, so we generally reuse the same combination across multiple sites. It’s not hard to see that this is not the best way to protect yourself on the web: some sites may use an outdated password hash function such as MD5, or may have loopholes that result in your password being leaked and all your accounts compromised.

This is where an offline password manager comes in. Offline password managers (like LastPass and DashLane) store your passwords locally using strong crypto-hashing functions like SHA1 and SHA256, which are nigh impossible to break currently. Passwords are stored offline, for you alone, so the chance that hackers target you is also negligible. Password managers generally include password generators that you can use to create unique and really strong passwords of more than 15 characters.


When storing your password online, you are putting your security in the hands of others (who may well be the target of an attack). Secure yourself at home: use different passwords, and save them offline using the encryption of a password manager. This ensures one data breach doesn’t cause all your accounts to be compromised.

Other Stuff