A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher at Google Project Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. The irony is that Lastpass is software designed to keep all your passwords safe; it is built so that even Lastpass can’t access them, since the passwords are stored locally using strong cryptography and only you can unlock them with a master key. Storing all your passwords in only one place has its downsides. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.
But it got me thinking: how worried and how paranoid should a regular Internet user be about his password? How many of us have our account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts with some major Internet-based companies. Don’t go rushing into the Dark Web trying to find out whether your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who have never heard of it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of every known public security breach he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.
Yes. Yes it was. One of my oldest accounts was already involved in 5 major leaks and 1 minor leak. Some of them contain pretty sensitive information (no, I did not have an Ashley Madison account). The website claims to have logged over a staggering 2.6 Billion accounts. Notice the B in Billion. That’s more accounts than the entire human population in 1950. Of course, a lot of those accounts overlap and some that I examined are not 100% accurate but it is still a very high number.
Here you can see the top ten sites to leak passwords.
Does Someone Know My Password?
Notice that the Yahoo breach is not there; add another 1 Billion accounts for that one, plus 500 Million more from a second Yahoo breach. Does this mean that the attackers automatically have my password? Well, it’s not that easy.
When you create an account somewhere and send in your data, your password is (hopefully) not stored in clear text. Usually it is not stored at all, only an irreversible hash representation of it. In a nutshell, instead of storing the plain text password, a cryptographic hash function is used to calculate a value from your password, and this value is what gets stored. There is no practical way to reverse the process and get the password back from the stored value. This is the good news.
The bad news is that the hash function chosen by the website can be critical for your security in the event of a data leak, and you have no control over that. Although there is no way for an attacker to reverse a cryptographic hash function, it is pretty easy to test whether a given password produces a given hash output value. This is a process known as brute-forcing: a program runs every possible candidate password through the algorithm and compares the result to the leaked hash value. If they match, the attacker knows your password. This is why longer passwords with more character variety (punctuation, capitalization, etc.) are universally recommended: they are harder to brute force.
Just as a reference, an attacker with an already outdated AMD HD 5970 graphics card could brute force different hash function implementations at the speeds shown here in millions of tries per second.
As you can see, a website that chooses the right hash function to store its passwords can reduce the speed at which a brute force attack runs (in case of a leak) by several orders of magnitude. These numbers represent an attacker using just one fan-cooled graphics card. Imagine using a data center refrigerated by 1.7 Million gallons of water, like the NSA Utah Data Center. But let’s not dwell on state sponsored attacks.
The hash function can (and should) be complemented by what is called a salt. A salt is essentially a random value ‘added’ to the password before the hash function runs. This ensures that identical passwords result in different hash output values, so that if an attacker cracks any given password in a list, other users who share that password are not affected, since their salt is different. This adds an additional layer of security.
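To make the two points above concrete (a stored hash cannot be reversed but can be checked, and a salt stops identical passwords from producing identical stored values), here is an added example in Python; it is not code from the article. It contrasts an unsalted MD5 store with a salted, deliberately slow store. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the user records are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two users who happen to share the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "different one"}


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: what a careless site might store. Same input, same output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = 100_000, salt: Optional[bytes] = None) -> str:
    """Salted and deliberately slow (PBKDF2-HMAC-SHA256 standing in for bcrypt).

    The salt is stored next to the digest; it is not secret, it only has to be unique.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-run the same salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hash_groups(stored: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored values are identical.

    In an unsalted dump, each group means 'crack one, get them all'.
    """
    groups: Dict[str, List[str]] = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    print("unsalted duplicates:", shared_hash_groups(unsalted))  # alice and bob collide
    print("salted duplicates:  ", shared_hash_groups(salted))    # nothing collides
    print("alice verifies:", verify_salted("correct horse", salted["alice"]))
```

The iteration count is the knob that implements the speed table above: raising it slows every guess an attacker makes by the same factor, while a legitimate login only pays that cost once.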
Not all leaks are alike in severity. For example, the NetEase leak contained clear-text passwords, pretty much as bad as it gets. The Yahoo leak contained some MD5 hashes. The LinkedIn leak contained SHA-1 hashed passwords with no salt; within days, more than 90% of them had been cracked. The Dropbox leak had usernames and salted password hashes, half of them SHA-1 and half of them bcrypt, which is pretty good given the circumstances. The security impact of a leak varies a lot.
So What Can You Do? Trust No One.
It’s clear that you cannot trust any website with your password, since you usually have no choice in, or knowledge of, how they will handle it. Since you can’t force any website to store your password safely, what can you effectively do? Well, you can stop using 123456 as a password. And I don’t mean use the more secure version, 123456789, either. You! Yes, you!
I know, I know, Hackaday readers are an informed audience and surely have not chosen any password from the 2016 most common passwords list, but if this warning worked for one person that’s already worth the pun. There is just no way to believe that 17% of the folks reading this right now use them. Right?
No matter how good the algorithms are and how they are used, no security can protect users from themselves. Can you honestly say that you have never had a Top 25 password?
- Don’t choose obvious passwords. Really don’t. Even if you think no one cares about you or your particular account and you’ll never be the target of a malicious attacker. This includes words, names, dates and phone numbers. Ideally, use a mix of lower and upper case letters and numbers, 10 or more characters long.
- Don’t choose obvious security answers either. What good is a 30-character password when your security question is your mother’s maiden name?
- Since you can’t control how passwords are stored, don’t use the same password for all your accounts. This one can get tricky. It can be hard to remember that one extra secure password, but a different one for every account? That’s just too hard. In case you don’t happen to have a photographic memory, you can reduce the number of passwords you need to remember by categorizing your accounts into different types. Less sensitive accounts can have an easier to remember password, but this does not mean 123456 is acceptable.
- When possible, use two factor authentication (2FA). An increasing number of websites already provide 2FA, either via email or SMS. This can drastically reduce the impact of a stolen or leaked password. Consider using a hardware token, such as a YubiKey, for critical accounts.
- Check online for any leaks that might have affected you. Change your passwords accordingly. If you used the same password on multiple websites, change it on all of them too.
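The first point of the list above (no obvious words, names, dates or phone numbers; mixed case plus digits; 10 or more characters) can be turned into a check you run against your own passwords before you commit to one. The following Python is an added example, not code from the article; the common-password list is a short constructed stand-in for the real yearly lists, and the `personal_terms` parameter is an assumed way to pass in names or words tied to you.

```python
import re
from typing import Iterable, List

# Constructed stand-in for the yearly "most common passwords" list (the real lists are far longer).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "letmein",
    "football", "admin", "welcome", "abc123", "111111",
}


def password_problems(pw: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the list of ways `pw` breaks the article's advice; empty means it passes.

    personal_terms: names, pets, street names and similar words tied to the user
    (assumed input; these should never appear in the password).
    """
    problems: List[str] = []
    lower = pw.lower()

    if lower in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower case letters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    # All-digit strings of 6 to 10 characters are usually dates (DDMMYYYY) or phone numbers.
    if re.fullmatch(r"\d{6,10}", pw):
        problems.append("looks like a date or phone number")
    # A four-digit year anywhere in the password is a cheap guess for an attacker.
    if re.search(r"(?:19|20)\d{2}", pw):
        problems.append("contains a year")
    for term in personal_terms:
        if term.lower() in lower:
            problems.append(f"contains personal term {term!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Fluffy2019!", "Tr0ub4dor&3xcellent"]:
        print(candidate, "->", password_problems(candidate, ["fluffy"]) or "ok")
```

The check is deliberately strict about what it rejects and silent about what it accepts: passing it does not make a password good, it only rules out the mistakes the list above names.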
Some say to use a password manager. I must admit I dislike putting all my eggs in the same basket. It has advantages and disadvantages; you should definitely think about it and make an informed decision on whether it is right for you.
My Advice: Do Your Own Thing
When writing this article I kept thinking about common sense. But common sense is not enough. Working in the security industry, I know how hard it can be to implement an effective password policy in a company. It’s easy to talk about in theory, and a pain to approach in practice. If you make it too complicated, you’ll start seeing post-it notes appearing everywhere. Make it too simple, and successful brute-force attacks start showing up like mushrooms.
My advice is to spend some time thinking about your passwords and find your own thing. What’s your own thing? For some it can be the way they pronounce their password letters. Even though the characters are random, choosing passwords with some rhyme or musicality when read aloud results in something that sticks in your head. For others it might be invented words from childhood. Throw in some numbers you know but that aren’t public or attached to your person. Choose your own sign or punctuation character(s) to mix in.
I understand that this might sound a bit vague, but it works. For this to work, it has to be vague; otherwise it’s my thing, not yours (and will probably end up coded somewhere in John the Ripper rules). I’ve seen this method turn a room of people into random password generators in less than half an hour but, as with everything, it takes some persistence. Anyway, my advice is my own; I’m pretty sure a lot of you disagree with the method.
“Good passwords are hard to memorize. I’ll just write them down on a piece of paper.”
Well, there are worse things to do. I mean, where do you put your credit card? If you really can’t memorize it, sure, write it down and keep it safe, like in your wallet. The “keep it safe” part is important: you don’t leave your credit card around in public places, right? I bet you don’t tape it underneath your keyboard either. Over fifteen years ago [Bruce Schneier] saw this coming. Keep a duplicate copy somewhere really safe, like an actual safe. Plan ahead so that if someone steals your wallet, or wherever else you keep your passwords, you can rapidly change them.
The future of passwords and of authentication mechanisms in general is widely debated. Some say passwords are dead and the future is biometrics. Hackaday has been known to argue against that. Some, like PayPal, say traditional biometrics aren’t the way, and that an easier to use “Embeddable, Injectable and Ingestible Device” solution is ideal. What if you could authenticate just by thinking about it? And how would that uniquely identifiable data be stored? Would we gain security, or just trade the challenges we face now for another set of challenges?
In any case, remember, “password” is not a good password.