Password & Data Security Guide

Why Security Matters

Passwords remain the primary authentication mechanism for most online services. Despite the rise of biometrics and hardware tokens, your password is often the only thing standing between an attacker and your personal data, financial accounts, and digital identity.

The scale of password-related breaches is staggering. Billions of credentials have been exposed in data breaches over the past decade. The "Have I Been Pwned" database tracks over 12 billion compromised accounts. When credentials from one breach are used to attack other services (a technique called credential stuffing), the damage multiplies. In 2024 alone, the average cost of a data breach reached $4.88 million globally.

Understanding security is not just for security professionals. Every internet user benefits from knowing how to create strong passwords, how data is protected behind the scenes, and what makes systems vulnerable.

How Passwords Are Stored

When you create an account on a website, the server must store your password so it can verify your identity when you log in. However, responsible services never store your actual password. Instead, they store a hash of your password.

Hashing vs Encryption

• Encryption is a two-way process. Data is encrypted with a key and can be decrypted back to the original using the same key. Encryption is designed to protect data in transit and at rest.
• Hashing is a one-way process. Data is transformed into a fixed-length string of characters. There is no key to reverse the process. Hashing is designed to verify data integrity and store passwords securely.

When a service hashes your password, even if an attacker steals the database, they cannot directly recover your password from the hash. They must attempt to guess passwords, hash each guess, and compare the results.

Salting

A salt is a random string that is combined with the password before hashing. Each user gets a unique salt, stored alongside their password hash. Salting prevents attackers from using precomputed tables (rainbow tables) and forces them to crack each password individually.

Modern password storage combines salting with slow hashing algorithms like bcrypt, scrypt, or Argon2. These algorithms are specifically designed to be computationally expensive, making brute-force attacks impractical.

Common Attack Methods

Attackers use several methods to compromise passwords. Understanding these attacks helps you understand why certain defenses exist.

Brute Force Attacks

A brute force attack tries every possible combination of characters until it finds the correct password. With modern hardware, attackers can try billions of combinations per second. The defense is simple: make the password space large enough that exhaustive search is infeasible. A 6-character lowercase password has about 308 million combinations and can be cracked in under a second. A 12-character password using all character types has about 5.4 x 10^23 combinations, which would take trillions of years.

Dictionary Attacks

Instead of trying random combinations, a dictionary attack uses a list of common passwords, words from dictionaries, and known password patterns. The "rockyou.txt" wordlist, derived from a 2009 data breach, contains over 14 million passwords and is still effective because many people continue to use passwords from that list.

Credential Stuffing

Attackers take lists of username-password pairs from data breaches and automatically try them on other services. This works because a majority of people reuse passwords across multiple sites. If your credentials were exposed in one breach, attackers will try them on your bank, social media, and email accounts.

Phishing

Phishing attacks trick users into revealing their passwords by impersonating legitimate services through fake emails, websites, or messages. No amount of password complexity protects against phishing because the user voluntarily hands over their credentials.

Keylogging and Malware

Malicious software installed on a device can record keystrokes, capture clipboard contents, or take screenshots. These attacks bypass password security entirely because they capture the password as the user types it.

Password Entropy & Strength

Entropy is a measure of randomness in a password, expressed in bits. Higher entropy means a password is harder to guess. The entropy depends on two factors: the length of the password and the size of the character pool.

The formula is: entropy = length x log2(pool_size)

Examples:

• 8 lowercase letters: 8 x log2(26) = 37.6 bits
• 8 mixed case + digits: 8 x log2(62) = 47.6 bits
• 8 all characters: 8 x log2(95) = 52.6 bits
• 12 all characters: 12 x log2(95) = 78.7 bits
• 20 all characters: 20 x log2(95) = 131.2 bits

Security experts recommend a minimum of 60-80 bits of entropy for strong passwords. The NIST guidelines (discussed below) emphasize that length matters more than complexity: a 20-character random password is far stronger than an 8-character password with every character type forced.

NIST Password Guidelines

The National Institute of Standards and Technology (NIST) published Special Publication 800-63B, which significantly updated federal password guidelines. The key recommendations include:

• Minimum 8 characters, but encourage longer passwords (up to 64 characters).
• No maximum length restriction (or at least 64 characters).
• No composition rules(do not require specific character types like uppercase, numbers, symbols). These rules often result in weaker passwords because users find predictable ways to satisfy them (e.g., "Password1!").
• Check against breached password lists: Screen new passwords against databases of known compromised passwords.
• No periodic forced changes: This leads to predictable patterns (e.g., "Password1!" becomes "Password2!").
• Allow all printable characters and spaces.
• Use rate limiting and lockouts to prevent brute-force attacks.

Password Managers & 2FA

Password Managers

A password manager is software that securely stores your passwords in an encrypted vault. Key features to look for:

• Zero-knowledge architecture: The service provider cannot see your passwords. Encryption and decryption happen locally on your device.
• Cross-platform sync: Available on all your devices (desktop, mobile, browser extensions).
• Autofill: Automatically fills login forms and can help detect phishing (the manager will not fill credentials on a fake site).
• Password generator: Creates random, strong passwords with configurable length and character types.
• Breach monitoring: Alerts you when your credentials appear in known data breaches.

Popular options include Bitwarden (open source), 1Password, and KeePass (local, offline). The best password manager is the one you will actually use consistently.

Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step beyond your password. Even if your password is compromised, an attacker cannot access your account without the second factor. Methods ranked by security:

1. Hardware security keys (YubiKey, Titan): The most secure option. Resistant to phishing because the key verifies the actual domain.
2. Authenticator apps (Google Authenticator, Authy, Aegis): Generate time-based one-time codes (TOTP). Much more secure than SMS.
3. SMS codes: Better than nothing but vulnerable to SIM swapping and interception. Avoid when better options are available.
4. Email codes: Similar security to SMS. Useful as a backup method but not ideal as primary 2FA.

Enable 2FA on every account that supports it, especially your email, banking, and social media. Your email account is particularly critical because password reset emails for other services are sent there.

Hash Functions Explained

A hash function is a mathematical algorithm that takes an input of arbitrary size and produces a fixed-size output called a hash, hash value, or digest. The same input always produces the same output, and even a tiny change in the input produces a dramatically different output.

For example, the SHA-256 hash of the word "hello" is:

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Change it to "Hello" (capital H) and the hash becomes completely different:

185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

All hash functions share these core properties:

• Deterministic: The same input always produces the same hash. This is essential for verification.
• Fixed output size: Regardless of input size (one character or one gigabyte), the output is always the same length. SHA-256 always produces a 64-character hexadecimal string.
• Avalanche effect: A small change in input produces a completely different hash. This prevents attackers from predicting how changes to input affect the output.
• One-way (for cryptographic hashes): Given a hash, it should be computationally infeasible to determine the original input. This is what makes hashing suitable for password storage.
• Collision resistant: It should be extremely difficult to find two different inputs that produce the same hash. While collisions are theoretically possible (pigeonhole principle), they should be practically impossible to find deliberately.

Hash Algorithm Comparison

MD5 was designed in 1991 and is cryptographically broken since 2004. It is still used for non-cryptographic purposes like checksum verification and cache keys.

SHA-1was published in 1995 and was broken in 2017 (the "SHAttered" attack). Major browsers stopped accepting SHA-1 certificates in 2017, and Git has been migrating to SHA-256.

SHA-256 is the recommended default for most applications. SHA-512 provides a larger hash size and is faster on 64-bit platforms, but SHA-256 is more widely supported and sufficient for virtually all use cases. Both are part of the SHA-2 family and are currently secure with no practical collision attacks known.

bcrypt and Argon2 are deliberately slow, making them ideal for password storage. Argon2 won the Password Hashing Competition (PHC) and is the current best practice for new systems.

File Integrity Verification

One of the most practical uses of hash functions is verifying file integrity. When you download a file, especially software installers or large datasets, you can verify that the file has not been corrupted or tampered with by comparing its hash against a known good value.

How File Verification Works

1. The publisher computes the hash of the file and publishes it alongside the download.
2. After downloading, you compute the hash of your copy of the file.
3. If the two hashes match, the file is intact. If they differ, the file was corrupted during download or has been tampered with.

For most purposes, SHA-256 is the best choice for file verification.

Practical Example

You can verify a file hash from the command line:

# Linux/macOS
sha256sum downloaded-file.zip

# Windows (PowerShell)
Get-FileHash downloaded-file.zip -Algorithm SHA256

UUID & JWT Security

UUID v4 Randomness

UUIDs (Universally Unique Identifiers) are 128-bit identifiers commonly used in databases, APIs, and distributed systems. UUID v4 generates random UUIDs with 122 bits of randomness (6 bits are fixed by the version and variant fields). This provides an astronomically large keyspace, making accidental collisions virtually impossible.

However, not all UUIDs are equally random. UUID v1 is based on the host MAC address and timestamp, making it predictable. UUID v7 (draft) uses a timestamp prefix for sortability with random bits for uniqueness. If you are using UUIDs as security tokens or session identifiers, ensure you are using a cryptographically secure random generator.

JWT Structure & Security

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and authorization. A JWT consists of three parts separated by dots: header.payload.signature.

• Header: Specifies the algorithm (e.g., HS256, RS256) and token type.
• Payload: Contains claims (user ID, roles, expiration time).
• Signature: Ensures the token has not been tampered with.

Common JWT vulnerabilities to be aware of:

• "none" algorithm attack: Some libraries accept tokens with {}"alg": "none"{} in the header, bypassing signature verification entirely. Always validate the algorithm server-side.
• Weak signing secrets: Short or predictable HMAC secrets can be brute-forced. Use at least 256-bit secrets for HS256.
• Algorithm confusion: An attacker may change the algorithm from RS256 (asymmetric) to HS256 (symmetric) and use the public key as the HMAC secret to forge tokens.
• Sensitive data in payload: The payload is base64-encoded, not encrypted. Never store passwords, API keys, or other secrets in JWT claims.

Security Utilities & Resources

KnowKit provides several utilities to help you practice good security hygiene:

• Password Generator: Generate strong, random passwords with customizable length and character options.
• Hash Generator: Compute MD5, SHA-1, SHA-256, SHA-512, and other hashes from text input.
• UUID Generator: Generate UUID v4 identifiers for testing and development.
• JWT Decoder: Decode and inspect JWT tokens to verify their contents and claims.
• Credit Card Validator: Validate credit card numbers using the Luhn algorithm without sending sensitive data to a server.

Security is not a one-time setup but an ongoing practice. Use a password manager, enable 2FA, verify file integrity, and never reuse passwords. These habits, combined with understanding how systems protect your data, dramatically reduce your risk of compromise.