The first line of defence is your account password. People often say this, but they rarely give any reasons for why it is important. To understand that, we’ll have to see what happens behind the scenes when you enter your password and log in.

I have to use a little jargon here, so I apologize in advance.

Password Hashing

Websites rarely store your passwords exactly as you enter them. If you enter the password “bananaMilkshake”, what the website stores is 0e299b308b0f54f631c7366945eba963.

The second string of letters and numbers looks like gibberish, but the original password and the gibberish are related through a very specific mathematical function called “hashing”. What hashing does is convert text of any length (1 letter, 1 word, 10000 words or anything else) into a string of letters and numbers of a fixed length. Given the same input, you will always get the same output string. So even though the hash shown above looks like gibberish, every time I input bananaMilkshake, it will show me the same hash. However, it is not reversible: if I have the hash and I want to find the text that was hashed, I cannot “reverse” the hash function to get it back.

You can play around with it and see how it works here.

If the above paragraph confused you, the takeaway is this — It is an irreversible process to convert a sentence of any length into a string of letters and numbers of fixed length.

The practice of “hashing” a password is a very powerful security tool. When you enter your password, the website calculates the hash of the password and then stores that rather than the actual password. This means that if its list of emails and passwords is stolen, the attacker will not have the actual passwords but only the hashes of the passwords. And since hashes are irreversible, he can’t directly get the passwords.
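To make the three properties above concrete (fixed output length, same input gives same hash, and a hash that can only be checked, not reversed), here is a small added example in Python. It is not code from the original article; it assumes a hash function that produces 32-character output, so it uses MD5 to match the length of the hash quoted above, which is an assumption about what the article used. The `store_password` and `verify_password` helpers are hypothetical names showing what a website does at sign-up and at login.

```python
import hashlib


def hash_password(password: str) -> str:
    """Return the hex digest of the password.

    MD5 is used only because its 32-character output matches the length of the
    hash quoted in the article; that the article used MD5 is an assumption.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(database: dict, email: str, password: str) -> None:
    """Sign-up: the site keeps the hash, never the password itself."""
    database[email] = hash_password(password)


def verify_password(database: dict, email: str, attempt: str) -> bool:
    """Login: hash the attempt and compare it with the stored hash.

    The site never needs to reverse anything; it only recomputes and compares.
    """
    return database.get(email) == hash_password(attempt)


def demonstrate_properties() -> dict:
    """Check the three properties the article describes on constructed inputs."""
    inputs = ["a", "bananaMilkshake", "word " * 10000]  # 1 letter, 2 words, 10000 words
    lengths = {len(hash_password(s)) for s in inputs}
    deterministic = hash_password("bananaMilkshake") == hash_password("bananaMilkshake")
    # Changing one letter's case gives a completely different hash.
    small_change_new_hash = hash_password("bananaMilkshake") != hash_password("bananamilkshake")
    return {
        "fixed_length": lengths == {32},
        "deterministic": deterministic,
        "small_change_new_hash": small_change_new_hash,
    }


if __name__ == "__main__":
    db = {}  # constructed stand-in for the site's user table
    store_password(db, "alice@example.com", "bananaMilkshake")
    print(demonstrate_properties())
    print("stored value:", db["alice@example.com"])
    print("correct password accepted:", verify_password(db, "alice@example.com", "bananaMilkshake"))
    print("wrong case rejected:", verify_password(db, "alice@example.com", "bananamilkshake"))
```

Note that MD5 is used here only to illustrate the properties; a real site should use a purpose-built, deliberately slow password hash (bcrypt, scrypt or Argon2), which keeps the same three properties but makes the guessing described below far more expensive.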

But there are ways to get around this. There are lists of passwords floating around on the internet, and these lists can be huge (several thousand passwords). The strategy that hackers employ is to grab a whole bunch of these lists, hash every password on them and compare the results to the hashes they stole. If a hash matches, they know what the password is.

They also try commonly used dictionary words in different combinations. So in our example, bananaMilkshake is a terrible password because both halves are dictionary words. The uppercase “M” only makes figuring out the hash slightly more difficult.

So a long account password can greatly improve the security of your account. However, it is also very important to use a different password for every website — especially websites that hold financial information (like debit card numbers and bank information). A password manager can help with this (I recommend Keepass) by generating a long string of random letters and numbers for each website. You only have to remember one password — the password to the manager itself. It does the rest of the work for you.

Also, do not use CorrectHorseBatteryStaple as your password. It’s on every list anyone has ever made.
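The following added Python example (not from the original article) shows the list-and-dictionary comparison described above from the website's side: the same precomputed table of hashes that an attacker would build can be used at sign-up to refuse passwords that would be found instantly, while a long random manager-generated password is not in it. The word and password lists are constructed, tiny stand-ins for the real lists; the function names `build_guess_table`, `is_guessable` and `generate_manager_password` are hypothetical, and MD5 is again an assumption chosen to match the hash length quoted earlier.

```python
import hashlib
import itertools
import secrets
import string

# Constructed sample lists standing in for the much larger leaked-password
# lists and dictionaries the article mentions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "CorrectHorseBatteryStaple"]
DICTIONARY_WORDS = ["banana", "milkshake", "apple", "pie"]


def md5_hex(text: str) -> str:
    # Assumed hash function; chosen only to match the 32-character hash quoted above.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def case_variants(word: str) -> set:
    """The spellings a simple guess list tries: all lowercase and first letter
    capitalised (the article's uppercase 'M' in bananaMilkshake)."""
    return {word.lower(), word.capitalize()}


def build_guess_table() -> dict:
    """Hash every candidate once, keyed by hash, so any stored hash can be
    checked with one dictionary lookup instead of rehashing the lists each time."""
    candidates = set(COMMON_PASSWORDS)
    for word in DICTIONARY_WORDS:
        candidates |= case_variants(word)
    # Two dictionary words joined, in every case combination.
    for first, second in itertools.permutations(DICTIONARY_WORDS, 2):
        for a in case_variants(first):
            for b in case_variants(second):
                candidates.add(a + b)
    return {md5_hex(c): c for c in candidates}


GUESS_TABLE = build_guess_table()


def is_guessable(password: str) -> bool:
    """Sign-up check: would this password be found by the table above?"""
    return md5_hex(password) in GUESS_TABLE


def generate_manager_password(length: int = 20) -> str:
    """What a password manager produces: a long string of random letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["bananaMilkshake", "CorrectHorseBatteryStaple", generate_manager_password()]:
        print(f"{candidate!r}: guessable={is_guessable(candidate)}")
```

Even this toy table, with four dictionary words, already contains bananaMilkshake; the real lists are far larger, which is why a site that rejects anything on them, and a user who lets a manager pick each password, both come out ahead.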

Epilogue

I’ve attempted to explain why it’s important to think about safety and privacy online in as simple a manner as I am able. I’ve written another article explaining specific software that can help with these problems.

If you thought this helped, please share this with anyone you think will be interested! The more people that know about it and do something, the less that organizations like the NSA can get away with blanket spying on everyone.