Passwords are compromised…again!

Passwords are once again in the headlines as accounts are breached, the public are warned of the dangers and we all do…well…nothing.

It certainly feels like password issues are in the media and on blogs and journals every single week, and as important as it is for us all to take note, protect our accounts and secure our personal data, I can definitely understand why some people might have reached saturation point with the advisories and warning messages.

Let us be fair to users of online accounts: there are so many passwords to decide on and remember, for countless accounts that you use once in a blue moon, how on earth are you going to remember them all?  The easy way out has been either to use the same password everywhere (which I think we all know is a bad decision) or to have a “system” to remember your passwords.  Having a strong system to generate and remember strong, complex passwords is a great way to protect your accounts from direct attacks and brute-force efforts made by hackers.  If you did happen to upset anyone with the ability to launch an attack on your accounts (which basically only requires someone to have access to YouTube and about 30 minutes of free time these days) then your device/account will likely be secure thanks to your secure password.  We’re constantly told that this is the way forward, and fair enough, it is a very good step in the right direction.

However, what happens when your secure account is then breached because the company or organisation storing your account details is breached and your credentials are stolen?  The general response is one of frustration, upset, panic and an urgent need to change your password before anyone can infiltrate your account using the compromised details.  The worrying thing is that this is more likely to happen than to have someone targeting you specifically.  So whilst your account is nice and secure, your secure credentials are stolen by the baddies anyway and you have to (yet again) change your password.  If your system is the classic password with a number on the end representing the month (this is why so many companies now enforce a 13-month password non-reuse policy) or similar, then it causes havoc for your system (and I do say this slightly tongue in cheek).

We know that these attacks happen, one old example being the famous LinkedIn breach of 2010, whereby close to “6.5 million” user account details were stolen.  Not a particularly good day for LinkedIn, but we all got through it.

The same year we also had a breach at RockYou Inc whereby “32 million passwords were exposed”.  At the time we were all pretty lax on cyber security; passwords were an annoyance, but hacking stories were a rarity, and we as members of the public just saw computer hacking as a thing of either exceptional circumstance or simple myth.  The statistics from the linked article suggested that “30% of the passwords in the hacked list were six characters or smaller, while 60% were passwords created from a limited set of alphanumeric characters. Nearly 50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords.”, with combinations such as 123456 being the most common of all exposed credentials.

After six years of developments, improvements in security technologies and a heavy focus in the last 12-18 months on educating the public and businesses in password strength and protection of credentials, you would like to think we may have learned and our credentials are safe.  However, a recent article in Digital Forensics Magazine explains how research completed by SecureData on 1.5 million compromised accounts found some worrying statistics.  Essentially they found that “SecureData could crack 92% of passwords* where the compromise included the hashed, or one-way encrypted password.”  There are caveats to this and I would encourage you all to read the article, but that is a worryingly high percentage, and suggests to me that the passwords were very weak indeed.

For those unaware, hashing passwords is common good practice, and no website should store passwords in ‘plain text’, which means storing them in exactly the same format as you type them, i.e. the password database literally storing the username “User” and password “Password” as the pairing “User : Password”.  As you can imagine, this isn’t good, and so instead passwords are generally hashed.  This means the password you provide is put through an algorithm (usually MD5 or SHA-1 currently) and a fixed-length “hash” is produced.  So your password of “Password” would actually produce the MD5 hash dc647eb65e6711e155375218212b3964, which is what gets stored in the database.  Then when you type your password into your web browser to log in, the web server hashes what you typed and checks whether it matches the stored hash.  If it doesn’t, it rejects the password.  If you typed the hash in, the web server would hash the hash, which would produce the MD5 hash b8498ee29e56e711a268ae8cc461ae94, and thus the passwords would not match.  This means simply stealing the credentials and using them isn’t good enough for criminals.

Ever wondered why, when you click “Forgot my password”, you are never sent your password?  Well, it is because the database only stores your hash and doesn’t actually KNOW what your password is, and so it needs you to enter a new one immediately instead.  This is a good sign…if they ever send you your password then it means that it is not stored in a hashed format.  Worrying!

But the Digital Forensics Magazine article suggests that these passwords can be breached?  Well, a common technique for cracking hashed passwords is a thing called a ‘rainbow table’, and we use them in forensics now and again.  Basically, as the hash algorithms don’t change, the same word with the same characters (case sensitive too) will always produce the same hash value.  Therefore, you can actually hash all of the common words and common phrases, number combinations and the like, put them into a rainbow table and then simply compare ALL the hashes you want to crack against all of your already known hash values.  So if you use just dictionary words with numbers on the end, these will likely be in a rainbow table and your password will be cracked.  Once the hash matches they can simply look up the plain-text conversion and type that in.  This is why COMPLEX passwords of great length are so important, as they are less likely to be in someone’s rainbow table.  These things can literally reach millions of millions of combinations, so you need to be inventive.
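To make the hashing and lookup-table idea in the two paragraphs above concrete, here is a small Python example I have added (it is not code from the article or from SecureData). It hashes the article's “Password” example with MD5, builds a precomputed hash-to-plaintext table from a constructed list of weak candidates, matches that table against a constructed set of leaked unsalted hashes, and then goes a step beyond the text to show the defender's fix: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), under which two users with the same password no longer share a stored value and a table computed in advance is useless. The candidate list, the “leaked” hashes and all function names are my own assumptions.

```python
import hashlib
import secrets

# Constructed candidate list (not from the article): the kind of weak
# passwords the RockYou statistics describe - dictionary words, digit runs,
# keyboard patterns, word-plus-number.
CANDIDATES = ["123456", "password", "Password", "qwerty", "letmein", "Password1"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string, hex-encoded: the storage scheme the article describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Because the same input always gives
    the same hash, the table can be reused against any unsalted MD5 dump.
    (A real rainbow table compresses this with hash chains; the principle is
    the same: compute ahead of time, look up later.)"""
    return {md5_hex(p): p for p in candidates}


def match_against_table(stored_hashes, table):
    """Return {hash: plaintext} for each stored hash present in the table."""
    return {h: table[h] for h in stored_hashes if h in table}


def unsalted_hashes_collide(a: str, b: str) -> bool:
    """Two users with the same password get the same stored value, so one
    table hit reveals both accounts."""
    return md5_hex(a) == md5_hex(b)


def store_salted(password: str, iterations: int = 200_000):
    """Mitigation: random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
    Returns what the database would keep: salt, digest, iteration count."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def salted_hashes_collide(a: str, b: str, iterations: int = 1_000) -> bool:
    """With per-user salts even identical passwords get different digests, so a
    table precomputed without the salt cannot be reused across users."""
    _, d1, _ = store_salted(a, iterations)
    _, d2, _ = store_salted(b, iterations)
    return d1 == d2


if __name__ == "__main__":
    # Constructed "leaked database": three unsalted MD5 hashes.
    leaked = [md5_hex("Password"), md5_hex("123456"), md5_hex("correct horse battery staple 7!")]
    table = build_lookup_table(CANDIDATES)
    print("MD5 of 'Password':          ", md5_hex("Password"))
    print("MD5 of that hash (differs): ", md5_hex(md5_hex("Password")))
    print("recovered from table:       ", match_against_table(leaked, table))
    print("same password, same MD5?    ", unsalted_hashes_collide("Password", "Password"))
    print("same password, same salted? ", salted_hashes_collide("Password", "Password"))
    salt, digest, n = store_salted("Password")
    print("login with right password:  ", verify_salted("Password", salt, digest, n))
    print("login with wrong case:      ", verify_salted("password", salt, digest, n))
```

Run as a script and the first line printed is the same dc647eb65e6711e155375218212b3964 the article quotes; the two weak entries in the constructed dump are recovered from the table, the long passphrase is not, and under the salted scheme the same password stored twice gives two different digests, so the precomputed table has nothing to match against.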

Unfortunately passwords are likely to be here to stay for a while, and announcements of breaches and compromises are going to be a regular occurrence.  We need to try to ensure we don’t switch off and forget that, despite how irritating and frustrating these things can be, your personal data is at stake.

Have strong passwords, change them if they’re breached, don’t hand them out to anyone and be careful who and what you allow to access your details on your accounts.  A good way to check for your own account security is to visit https://haveibeenpwned.com/ and type in your account email address.  This will tell you whether your details have been compromised in any known breaches.

Ultimately, when online simply trust nothing and check everything…then you may be ok for a little while 😉
