Passwords

This page explains when passwords are sent over the internet in unencrypted (readable) form. It also explains the importance of changing passwords periodically and why choosing good passwords is important, and provides methods to help choose good passwords.

When are Passwords Encrypted?

When you use your browser to surf the internet, you may notice that the address your browser shows normally begins with the text “http://”. This indicates the internet protocol used to request the web page and transfer the data. The letters HTTP stand for Hyper Text Transfer Protocol. Hypertext is the type of file used to create pages on the internet; its format is called Hyper Text Markup Language (HTML).

When web pages are transferred to your browser across the internet, they are normally sent in a form that anyone who observes the transmission can easily read. This is referred to as being sent in the clear. A slightly different protocol is indicated by “https://” in the browser address field. This is secure HTTP, and it uses Secure Socket Layer (SSL) to encrypt the data being sent. Encryption means that anyone who can see the message would not easily be able to read it. Therefore, data transferred using HTTPS is not sent in the clear.

Data sent using HTTPS is encrypted both ways. In other words, anything you send to the server and anything you receive is encrypted. When you send a password using HTTPS it is always encrypted, but when you send a password using HTTP it is not normally encrypted. There are some other technologies which can be used to encrypt passwords without encrypting the rest of the message, but it is difficult for most users to tell when these technologies are being used. Therefore, you can only be sure that passwords are encrypted when you access a site beginning with “https:”.

Password Types

Because not all passwords are encrypted when they are transmitted, a third party could read them and eventually break into an account. I therefore recommend that you keep at least two types of password sets when using passwords on the internet and at your work place. For example, you may use passwords for the following:

  • A password at your work place to use mail, store files, and use the internet. *
  • Passwords at websites with forums like this one.
  • Websites with email service.
  • Your banking website. *
  • If you have a website, you may log into your website control panel.
  • If you own internet domain names, you use a password to access your account at your domain registrar. *

The items above that are marked with a star should be kept secure and should be encrypted. That means that the addresses of those websites should begin with “https:” rather than “http:”. Your work place password may or may not be encrypted when you log on to your workplace network, but it is only sent on a local network and not across the internet. To find out whether your password is encrypted on your workplace network, ask your system administrator.

I recommend that you keep at least two types of passwords for your use. One type of password is to be used at work and at secure sites that have you log in using the HTTPS protocol. The other type of password should be used when you log on to sites that use the unsecure HTTP protocol, such as sites like this one. NEVER use the same password on sites that use the HTTP protocol as you use on sites that use the HTTPS protocol. This is because if someone reads your password sent to an unsecure website, they may try that same account name and password at one of your secure sites.

Password Cracking

When passwords are sent in encrypted form over the internet, they cannot be immediately or easily read. However, there are programs that can take a password in an encrypted form and determine what it is. This is called “password cracking”. Usually these programs take some time to run. Many of these programs will compare passwords to dictionary words (words that can be found in the dictionary) and make guesses at the password value. These programs can crack passwords that include dictionary words as part of their text even if other characters or numbers are included.

Why Choose Good Passwords?

Choosing good passwords makes it more difficult to break down an encrypted copy of them. The more varied the characters used in the password, and the further the password is from including a dictionary word, the stronger the password is. These passwords take longer to break and are considered strong passwords.
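The two sections above say that a password containing a dictionary word is weak even with extra characters or numbers, and that varied characters make it stronger. The following added example (not part of the original page) checks a password you are choosing against both points. The word list, the substitution table, the four character classes and the thresholds are assumptions made for illustration.

```python
import re

# Constructed sample word list; a real check would load a full dictionary file.
WORDS = {"password", "dragon", "summer", "monkey", "welcome", "secret"}

# Assumed table of common look-alike substitutions to undo before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_words_in(password, words=WORDS, min_len=4):
    """Return the dictionary words found inside the password, sorted."""
    lowered = password.lower()
    # Two views of the password: substitutions undone, and non-letters removed.
    views = {lowered.translate(LEET), re.sub(r"[^a-z]", "", lowered)}
    found = set()
    for text in views:
        for word in words:
            if len(word) >= min_len and word in text:
                found.add(word)
    return sorted(found)


def character_classes(password):
    """Count which of lower, upper, digit and symbol classes are present."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def is_weak(password):
    """Weak if it hides a dictionary word or uses fewer than 3 classes."""
    # The threshold of 3 classes is an assumption, not a rule from the page.
    return bool(dictionary_words_in(password)) or character_classes(password) < 3
```

For instance, "P@ssw0rd123!" uses all four character classes but is still flagged, because undoing the substitutions reveals the word "password".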

Why Change Passwords Periodically?

You should realize that even if you are using a strong password, it is never impossible to crack the password; it will just take more time. This is why you should change your passwords periodically.

How to Choose Good Passwords

You should use strong passwords at secure sites and at your workplace. The article called Choosing Passwords is an excellent article providing tips about how you can choose strong passwords that you can remember. It defines a recommended minimum and maximum length for passwords and describes the types of characters that should be included.