Welcome to AppFail
You last visited: never

Welcome to AppFail

Posted on 2010-04-03

Security Post

A recent article How I'd Hack Your Weak Passwords by John Pozadzides only seemed to reinforce some old misconceptions about passwords which do more harm than good. Things have changed significantly in the past ten years and people need to be more aware of the implications of changes in how passwords are stored, and the tools that are available to crack them. Read on as I will explain the ins and outs of protecting your passwords and the data behind them.

The first thing that bothers me about the article was the list of the top ten weak passwords. It has been many years since the majority of websites and applications started requiring your passwords to be at least six or eight characters long. Most also require a minimum of one capital letter, and a number or non-alphabetic symbol to extend the character set that a cracker has to run though. The biggest threat to your password is not that it will be cracked by someone constantly attempting password combinations against your twitter login, but rather it will be disclosed somehow. There are a number of ways that a password can be disclosed; one of the most common and least appreciated forms of hacking is social engineering, the process of getting people to give you sensitive or private information that they are not authorized to have. This is how hackers get information like the birth dates of your children, your favourite novel or author, the name of your home town and other information they can use to attempt to compromise your password. Another very common form of attack is what is known as phishing, whereby the attacker creates a website that looks and feels like a legitimate website, whether it be twitter, your online banking site, or a corporate intranet. By making a site that resembles an authentic site, the attackers are able to trick users into entering their credentials, which are then logged and can be used to access not only the targeted site but any other sites where the users have inadvisably used the same username and/or password. A third possible way that your password can be disclosed is if the password database on one of the sites you are a member of is compromised. Even though most password databases do not store your password in plain text, raw hashes can be attacked using a technique called rainbow tables quite quickly, and even properly salted cryptographic hashes (more on this later) can eventually be cracked. A rainbow table is a form of the "time memory trade-off" attack, where the attackers use the fact that hashing algorithms are deterministic (meaning that the same input always generates the same output) to use a pregenerated table of clear text to hashed outputs. This allows the attacker to lookup the hashed version of your password and find out what the clear text is much more quickly than with brute force.

One of the recommendations made by John's article was to transform your password into 'l33t' speak, to make it harder to crack. While adding numbers to your password does increase the character set, and therefore the number of possible combinations of which your password is only one, using a systematic approach like replacing o's with 0's is not advisable. When people adapted and started replacing certain letters with numbers that looked vaguely similar, the crackers adapted too; standard cracking tools such as John the Ripper have built in 'word mangling' functions which take a standard password list (dictionaries, common passwords, bits of information the hacker has gathered about you) and generate a number of permutations of each word to exhaust all of the standard substitutions that people make. It is therefore more advisable to insert random symbols in the middle of words rather than to try to follow any type of scheme because if you do have a system for generating the password, the same system can be used to crack it.

While it is advisable to use a different password for each different site or service that you use, it is also important not to fall into a pattern where they just use the same password and append the site name or some identifier to the password. If that pattern is obvious, then someone who manages to get your password for one service can easily try it on another service and just substitute the name of the service. So instead of using the same password (MyPassw0rd) for each service, using MyPassw0rd@geemail for gmail and MyPassw0rd@tweet for twitter would seem to be an obvious solution. You would end up with an easily remembered password that is specific to each site, but this is actually a dangerous pattern to fall into. Patterns such as these make you feel more secure, but in all reality once the main part of the password is compromised, all of the passwords generated with this scheme are also compromised.

Password managers would also seem to be a solution to the problem of remembering many different strong passwords for each different service you use but they can also be a single point of vulnerability to an attacker which therefore eliminates the majority of their usefulness. Password managers often store all of your credential combinations in plain text and then encrypt that using a single master password. If an attacker manages to compromise that password &#emdash; either through brute force, a key logger, or some other method &#emdash; they now have unfettered access to all of your credentials and everything that is protected by them.

Unlike what the article suggests, online cracking is far less practical than it was historically because most services will automatically block an IP address after an excessive number of attempts and almost all will require the user to solve a captcha after even a few failed attempts. With the speed and parallelism of today's computers it is much faster and more practical to do an offline attack against hashed passwords than it is to try to brute force passwords against a remote server. The main disadvantage to attempting a brute force attack on a remote server is that the remote server is aware of what you are doing and may act to prevent your attack, whereas if you are cracking the password database offline the remote site may not be aware of the compromise. While online cracking does still happen (the twitter administration website was compromised this way a while back because it lacked any rate limiting or lockouts), it is not the preferred method of compromise accounts. A flaw that is taken advantage of in some cases is the password reset functionality. If you have weak security questions or if the email address that the new password is sent to has been compromised (another example of a successful attack against twitter), then the attacker can reset your password (on all accounts that use that email address) and not worry about what your previous passwords were.

John's article presented readers with a table of time versus password complexity that seemed to be poorly explained. It seems the table purports to be the amount of time it would take to generate the list of password combinations not attempt to crack them; however, this is not a useful metric and no information was provided about how these numbers were calculated. John also added that "If Google put their computer to work on it they'd finish about 1,000 times faster". This is a very misleading statement because password cracking scales linearly, each time the number of computers is doubled the length of time required to crack a set of passwords is halved. It is also misleading to presume that only Google has the resources to put a large number of computers to work cracking passwords. With the advent of botnets and cloud computing, anyone can distribute a workload across a massive number of computers to crack passwords much more quickly. See a previous article on the Problems with DES for password hashing and the economics of using Amazon EC2 to crack passwords.

For a more detailed look at how passwords are stored using one-way encryption (cryptographic hashes), how those methods can be attacked, and how to mitigate those attacks, see my previous article on What is a Hash. For more information on how your passwords can be compromised (disclosure, exposure, inference, guessing and cracking) and other outdated security practices, see another previous article on the Myths of Password Security.

So how do you protect yourself and your passwords? Now that databases are no longer limited to storing your password as a fixed length of eight or twelve characters and passwords are usually hashed before they are stored, it is entirely possible for you to create a password that is actually a combination of many words or a sentence, called a pass phrase. It is still important to randomly insert special characters and you probably don't want that string of random characters to be recognizable (such as a phrase from a book or TV show). Having true password security requires the entire process to be secure, from your computer, the networks in between, and the service at the far end. Your computers must be secure; having no key loggers to disclose your password, and no trojans or viruses that can allow an attacker to take over your computer after you have logged in to the service. The connection to the remote server must also be secure from snooping, always login over an encrypted connection such as TLS (SSL), SSH or a secure VPN to ensure that no one is capturing your traffic or any passwords that are sent in the clear. Finally the remote service itself must be secured: it should be protected from impersonation with a valid TLS certificate, should have a properly secured databases to prevent disclosure, and should be patched against all know vulnerabilities. Security is not an off the shelf application or a piece of hardware you can buy; it is a state of mind and a way of thinking about the world around you.


blog comments powered by Disqus

Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.

Digg Proof Hosting
The key to surviving Digg and Slashdot is Infrastructure. You can't get it from a regular web host, it requires experience. The High Load Hosting Experts at ScaleEngine can make your site thrive, and avoid having your site featured on AppFail.

Cyber Security Alerts

Page Generated in 17ms