It starts with a strong passphrase

posted by Ben Hayden on Tuesday, August 14, 2018 in SHAZAM Blog

I continue to read about data breaches that stem from weak passwords. As a cybersecurity consultant, I’ve wondered what it will take to get folks to increase the security of their passwords, and it finally occurred to me: Maybe people don’t understand what a password actually is. If this is you, don’t feel bad. I have no idea how to valuate a bond or determine the structural integrity of a bridge.

What is a password? The dictionary tells us it’s a word that grants us access or admission to something. In computer terms, a password gives a user access to something that’s otherwise forbidden.

How does a password work? When you create a password, it’s run through a mathematical function called a hash algorithm. The input is your password — let’s say “summer2018.” The password is typed in and the output is an alphanumeric string with a fixed length. For our example, it’s 32 bytes long. So, no matter how many characters the password has, the output is always the same length. This output is commonly referred to as the “hash.”

Once the hash is created, the system that the password is being generated for saves the hash, along with your username, in a file. Each time you attempt to log in, the system takes what you typed in the password field and runs it through the same hashing algorithm. The information is checked to ensure the output matches what’s saved in the file. If it matches, access is allowed. If it doesn’t match, access is denied (when the system is operating correctly). This all happens very quickly — computers can do something like four billion things per second!

From this explanation, you might be able to see the problem: Attackers could pre-emptively take every word in the dictionary, run each through the same hashing algorithm, and then compare the hashes to the password file they stole or purchased on the dark web. (Remember, computers can do something like four billion things per second. It won’t take long.) Once a match is found, they have your password. Warning: Attackers can figure out the hashing algorithm, and files like this can be found on the dark web.

For these reasons, security professionals preach to use passphrases rather than passwords. A passphrase is a series of words, and the additional characters add to the complexity. Of course, this also tells us to use uncommon phrases, as they’re less likely to be “guessed.”
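To make the mechanism in the last few paragraphs concrete, here is a small added example (not code from the post or from SHAZAM) that stores only a hash at account creation, re-hashes at login, and then shows why a dictionary word is exposed to a precomputed table while an uncommon passphrase is not. It uses plain SHA-256 to mirror the post's 32-byte output; the wordlist, usernames and passphrase are constructed, and real systems should additionally use a per-user salt and a deliberately slow password hash.

```python
import hashlib

# Constructed stand-in for "every word in the dictionary"
WORDLIST = ["password", "summer", "summer2018", "welcome1", "letmein"]


def hash_password(password: str) -> str:
    # SHA-256 always yields 32 bytes (64 hex characters), however long the input.
    # Chosen only to mirror the post; production code should salt and use a slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_account(password_file: dict, username: str, password: str) -> None:
    # The system keeps the hash next to the username, never the password itself.
    password_file[username] = hash_password(password)


def login(password_file: dict, username: str, attempt: str) -> bool:
    # Run what was typed through the same algorithm and compare with what is stored.
    stored = password_file.get(username)
    return stored is not None and hash_password(attempt) == stored


def precompute_table(words) -> dict:
    # Work that can be done once, ahead of time: hash every dictionary word.
    return {hash_password(w): w for w in words}


def recover_weak_passwords(password_file: dict, table: dict) -> dict:
    # Look each stored hash up in the table. Only passwords that are dictionary
    # words are found; an uncommon passphrase simply is not in the table.
    return {user: table[h] for user, h in password_file.items() if h in table}


if __name__ == "__main__":
    pwfile = {}
    create_account(pwfile, "alice", "summer2018")          # dictionary-style password
    create_account(pwfile, "bob", "my dog ate the tax form in march")  # passphrase
    print(login(pwfile, "alice", "summer2018"))   # True
    print(login(pwfile, "alice", "Summer2018"))   # False: different input, different hash
    print(recover_weak_passwords(pwfile, precompute_table(WORDLIST)))  # {'alice': 'summer2018'}
```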

Many security experts use this explanation to justify moving to biometrics or realistic authentication. The measurements and calculations of the body — including fingerprints and faces — are stored as data. Once collected, these measurements are run through the hashing algorithm and the output is saved. When you attempt to log in, the freshly computed username and hash are compared with the stored ones, just as is done with passwords and passphrases.

What if someone steals the hash of your fingerprint measurements? Can you “change” your fingerprint like you can change a password? The simple answer is no.

In a best-case scenario, systems should use layered security — requiring multiple security pieces. This is sometimes referred to as multifactor authentication: something you know (like your long, complex passphrase), plus something you have (a security token, a physical device that creates a new code every few minutes).

As much as we may wish, passwords aren’t going away anytime soon. Having a better understanding of how they work may help users develop stronger passwords and passphrases, yet in the end, we’re only as strong as our weakest link. Unfortunately, all too often, humans are the weakest link.

Tags

  1. cybersecurity
  2. password
  3. security

