Are they holding my passwords securely?

You will probably have seen in the news recently that a number of well known websites have been hacked, and lists of passwords compromised, so we thought we’d write up an article about password security.

Sites like MyHeritage and TicketMaster are just ones from the past few weeks, and this has been going on for a while.

Many of these websites have stated that they only store the hashed values of the passwords, and not the passwords themselves.

Have you wondered what that actually means? Does hashing a password mean it can’t be used if it’s leaked? What damage could someone really do if they managed to crack it?

In this blog about password security, I’ll explain why this is a problem, what techniques hackers are using to crack the hashed passwords and what you can do to better protect yourselves.

Want to skip straight to the recommendation? It’s at the end of the article 🙂

What is the problem?

Why is it a problem if my password for www.website.com has been leaked? I’ll just change it and the problem is solved. Right?

Let me describe a possible scenario for you (based on many true stories):

Bob has accounts on lots of websites, including www.website.com. He doesn’t want to have to remember different passwords, or type in 12 or more random characters each time, so he picks a reasonably secure, 8 character password of “1GylP0w4”.

www.website.com is breached and a list of usernames and hashed passwords is leaked onto the internet.

An evil person takes the list and runs a program over it (more on how they do that later on) to discover each of the passwords associated with the accounts.

They then take each discovered username and password and start testing it against popular websites like Amazon, Gmail, Office365, LinkedIn, Twitter, EBay etc…

They get a match on your Office365 account, and proceed to send out thousands of phishing emails to each of your contacts asking for payments to be made, and personal information to be shared. As the email has come from “you”, lots of people positively respond.

They also take a full copy of your filed emails for further analysis, looking for any useful information that may grant them access to more of your systems.

As you would still be unaware that they have access to your email account, they setup a rule to automatically forward themselves a copy of any future emails you send or receive.

After analyzing your existing emails, they find a couple of sets of credentials that give them access to other systems.

They also noticed that you have registered for a few other websites so they add an inbox rule to auto-file emails from those websites, and then proceed through their password reset procedures, which are email challenge/response based.

How could you have prevented this?

This scenario could be prevented by using either MFA (multi-factor authentication), and/or using a different password for Office365 and www.website.com.

Why do websites store your password?

The main reason a website stores your username and password is so that they can confirm your identity and provide access to your specific data.

To be able to do this, they need to confirm your identity (authentication).

Username and password combinations are still one of the most common methods of authentication, due to the low cost of implementation and ease of scalability.

In some cases, websites do this because they are providing a commercial service and want to confirm that you are the holder of a paid account.

In almost all cases though, it is to try and keep the data you store in the web service private from everyone else.

What methods do web platforms use to store your password?

I’ve seen a few ways websites can store your password for authentication. They are generally recorded in a database file, along with your email address, username and other personal information.

Here’s a few of the different formats they will use:

Plaintext

The most simple method is to store the password “as-is” in the database. This is commonly called “plaintext”.

This means that if your password is “P@ssw0rd!”, it will be stored in the database as “P@ssw0rd!”

If an attacker gets this list, they have your username and password with no other effort required.

Hash

A very popular way for websites to store the passwords are as hashes. This is an encrypted value so if your password is “P@ssw0rd!”, the hash will look something like “5b5c23c3d23306d390dcf69…….” (truncated).

What is hashing?

Hashing is a mathematical function that takes data as an input and “mangles” it. It’s designed to be a one-way process that cannot be reversed. Or at least is “mathematically in feasible” to calculate the original value from the hash value via a reverse algorithm.

Why would a website want to do that?

So the website doesn’t actually know your password. It only knows the hash output of your password.

The goal is to be able to determine whether the person accessing the website is who they claim to be. So in theory, if the user can present a hash value that matches the one stored on the server, they will be authenticated successfully.

In reality, this is pretty useless, and in most cases, not much of an improvement on storing plaintext passwords. But the idea is that the users actual password is never transmitted over the network.

How can this be cracked?

I said earlier that it’s mathematically infeasible for you to calculate the original plaintext value from a hash value. This is still the case, but there is, unfortunately, more than one way to crack the password.

Most of the methods exploit a weakness with hashing in general, where the hash algorithmwill always spit out the same hash value, if the input is unchanged.

So all we need to do is try lots of different possible passwords as inputs and see if the hash we generate from them match any of the entries on the leaked hash list.

Here’s some techniques the hackers will use to guess the correct password:

Brute force

A crude method that is fairly effective against weak passwords, is a brute force attack. Taking a-z, in uppercase and lowercase, with numerical digits from 0-9, the password cracking tool will simply try every possible combination in order, starting with aaaaaaaa through to 99999999.

You’d think this would take a while, but a powerful computer, with multiple GPUs is able to work through around 10-billion possible passwords per second.

The number of potential passwords increases based on two variables:

• The range of characters used
• The length of the password

The maths behind it is:

(Number of characters) to the power of (length of the password)

So if your password is 7 characters in length, is all lower case, and only letters, the number of possible combinations would be 26 to the power of 7 (i.e. 26 x 26 x 26 x 26 x 26 x 26 x 26, or around 8 billion). If a decently powered computer could get through 10 billion guesses per second, it would take less than a second to crack.

What can you do to defend against brute force attacks?

One way to combat this is to increase the length and complexity of your password.

Just mixing uppercase and lowercase letters doubles the number of available characters to 52, making the possible guesses 52^7 = 1 trillion (1,000 billion), increasing the time required to crack it from under a second, to over a minute.

The more you add, the stronger it gets:

• Add numbers 0-9: 62^7 = 3.5 trillion (around 6 minutes to crack)
• Add all possible ASCII characters (256): 256^7 = 72 Quadrillion (around 83 days to solve)
• Use ASCII and increase password length to 10 characters:256^10 = 1 Septillion (around 4 million years to solve)

Dictionary attack

Ok, so you’ve defeated the brute force attack. You pick a password like “mozzarellasticks”, which is easier for you to remember because you like mozzarellasticks.

To crack that password using a brute force attack would take around 138 thousand years using a single, high powered computer (I appreciate the definition of “high powered” is a little subjective, but you get the idea).

The hackers know this, so look for ways to speed up the process by reducing the number of possible password options.

So what if we just try all passwords in the dictionary instead? Or even two words stuck together

This means we only have a few billion possible combinations to check, bringing the guessing time back down to a few seconds.

If your password is mozzarellasticks, it would be guessed really easily.

What can we do to defend against dictionary attacks?

Add numbers and special characters into your password, so it’s not just a dictionary word.

Smarter attacks?

Ok, so we make the password a bit longer, use special characters and try to avoid just using words from the dictionary, or peoples names.

How about “M0zz@rElla$t!cks” as a password?

Unfortunately, the evil people have smart tools available that prey on typical human behavior. They had already worked out that brute force doesn’t work, and that they needed to find a way to reduce the number of possible guesses needed to crack a password.

There’s various patterns in the way people come up with new, memorable passwords. Here’s a few examples:

• Replacing common letter with numbers:
  o = 0
  a = @
  1 = !
  S = $
  Etc
• Using a limited set of special characters like . ! ? $ @ (people seem to like using special characters they use more often, or are more familiar with!)
• Putting numbers at the end of the password (because the numbers in passwords feel less “natural”, so are thought about after the word(s)
• Putting two words together to form a password

In fact, there are special password cracking tools out there that have been created by analyzing millions of passwords, and determining the most common “patterns” that people use.

So that password you thought was really complex, might not be all that strong.

Targeted attacks

In combination with all the techniques mentioned above, you should also consider the risks of a targeted attack. For an individual, an attacker would gather as many keywords as possible from all online information, including social media. Any information you have ever posted, that isn’t kept private, can be read, and a very targeted word list compiled. This list would include your important dates, like birthdays and anniversaries, your home address and previous addresses, where you went to school, where you work and have worked, all of your relatives names, etc…

Businesses are equally vulnerable. Programs similar to search engine spiders can crawl through the company website and social media posts to gather a good list of words.

To protect yourself against these types of attacks, try to use truly random characters, and avoid anything that could be linked to you via a targeted wordlist.

So what can you do to defend yourself against these attacks?

There’s a few different things, here’s my top list:

• Number one on my list is to use MFA/2FA, requiring either a code sent to you via SMS, or a one time password app like 1Password, Google Authenticator or the DUO Security app. This increases the security of your website logins by a really long way. The attacker would need to crack your password, and then steal your phone, and the chances of both of those hinge happening are incredibly remote.
• Use a password manager like Keychain, 1Password or Lastpass. These apps can generate random, very long passwords for you, helping ensure each of the websites you visit have a different password.
• Always use a different password for each website. That way, if your credentials are leaked and cracked, the damage is isolated.
• Make sure to increase the security of all you passwords, increasing the length and the range of characters to beat brute force attacks, while keeping them sufficiently random so to avoid some of the smarter hacking techniques.
• Check your email address (or even your entire company domain) here: https://haveibeenpwned.com/. It tells you if your email address and associated credentials have been leaked, and by which website.
• More for website developers, if you absolutely have to have a login for your website (and you can’t just use Google or Facebook as an authentication source), make sure you use a strong hashing algorithm like SHA512, rather than MD5 or earlier versions of SHA. Using stronger hashing algorithms considerably increases the time it takes to guess each password.

Summary

User passwords are one of the major vulnerabilities in IT. They need to be secure, but also need to be memorable. Being memorable, usually encourages people towards weaker passwords.

Choosing shorter (8 characters or less) passwords, using words (or combinations of words) from the dictionary, or using information that has personal meaning to you, all increase the risk of being hacked. Hopefully this article has highlighted the fact that a lot of passwords people thought were secure, often aren’t, and if your password is compromised, the damage an attacker can cause is quite severe.

Of course choosing longer, more complex passwords is ok, for now, but it’s only a matter of time before hacking tools and processor speeds catch up. Making even the strongest passwords vulnerable to an attack. That being said, using a password manager that can offer random passwords for you will help.

Going beyond password security, using MFA/2FA is one of the best way to secure your accounts as it still provides protection, even if your password is compromised.