Monday, January 30, 2012

Passwords Hacking and Encryption

I studied encryption in the late 90's and some into the 21st century. I haven't made much mention of it here, despite the word "crypt" showing up in the title of this blog.

But with the recent hacking of the Zappos section of Amazon, I thought I would put a few comments about passwords and encryption in here. This is the first of about 4 to 6 articles I plan to write on the subject.

I would have thought the handling of passwords in the commercial world would improve over time, but alas, there is no profit incentive for things to improve. And, in fact, there is some cost involved, so it seems that most passwords today are handled in much the same way they were 10 years ago.

A little bit of history.

The first encrypted password storage system that I am aware of was crypt3. This system, while merely designed to prevent the local unassisted hacker from gaining access to passwords on a system, was very advanced for its day. The password was salted, that is, a random number was added to the end of the password. Then it was put through a fairly complex encryption formula and the result was stored, along with the salt. When you logged in, the salt was read and added to what you typed and then it was encrypted and compared with the stored value. In addition to a fairly complex encryption formula that ate up some time to compute, the salt insured (at the time) no one would build a dictionary of words and their stored values.

Earlier versions of network long on systems used a simpler formula and no salt, leaving them more vulnerable. To counter that, system administrators began insisting their users use more complex passwords.

Ideas were put forth on how to make the passwords stronger by using very sophisticated salting techniques (called stretching and strengthening), and I have seen systems that use such techniques.

I haven't studied, in detail, the current state of the systems that are in use, but I can tell you that the system of stretching and strengthening passwords that I studied 10 years ago is still considered good. And I can tell you it is not widely used. This is a sad commentary on how commerce will use a quick and dirty system rather than a good one.

So, how does this impact us today?

When a website gets hacked, the hackers often try to get a copy of the password database. This was one of the things done when Zappos website was hacked. Then they will proceed to try every conceivable password (and today, this will include foreign languages and such things as "LEET" alphabets) in an attempt at gaining access to the accounts where they may order products, change addresses, or create some other chaos.

With the current system, weak passwords will fall very quickly (even instantly) and even those with modest strength can be cracked very quickly. To resist this attack, a password must be extraordinarily long and complex. Current guidelines to government computer users who don't have "smart card" access is 14 characters, with lots of things like numbers and punctuation included. And don't use the same password for any two systems. And they want to change them every few months. This, of course, leads to writing down passwords or other such things the system administrators don't like.

In the past passwords could be tried at a rate of millions per day. Today, but using cloud computing to imitate a supercomputer, that has become billions per day.

In the past, I told people to use a secret word and either a word or some letters related to the website they are logging into. This is still good enough for things like leaving comments on product reviews or newspaper forums, but with some hackers using cloud computing to imitate a supercomputer, the threat has become much greater when there is money involved.

What can the common user do?

Well, for those of us unfortunate to not have "smart card" access, but fortunate enough not to have to deal with government administrators (or those who were trained by government), those of us who live in the real world, there is hope.

Two things provide hope for real world passwords. First is the reality that the hackers will not expend a huge amount of resources to crack every last password from a database they acquired. This isn't about national secrets, and the particular hackers we are worried about aren't in this for much more than either a quick thrill or money. So, the effort to crack passwords will be practical.

They will attack the easiest ones, and probably crack most of them. But if there are a few that stand up to that attack, they don't know if a sustained attack will yield any further results. So, at some practical point, they will give up. The bad news for people in general, is that the attack is likely to yield more than 98% of the passwords, as most will not take that much effort. But the good news for us is that it is not too hard to be in the other 2%.

In reality, most people will have to defend against two separate threats. Those threats are "shoulder surfing" and hackers. The shoulder surfer is the person who, simply observes you typing in your password and writes it down. In reality, the more common threat is they find where you wrote it down, and copy it. The hackers most of us have to contend with are very remote from us. Nigeria, China and Russia are the places that come to mind, though in reality, they are in every country in the world. But, chances are, they don't have access to your physical area. On the other hand, commercial hackers, driven by greed, have vast computer resources at their disposal.

To defend against two threats, I suggest a three step approach. To contend with the vast computational resources, create a sting of numbers and letters. These can be too long to memorize, but you can write them down (preferably were your web cam cannot clearly see them, just in case one of your videos goes "viral"). An example would be "7tPwa5" which is 6 characters long and includes upper case, lower case, and numbers. I don't include punctuation, since some sites don't allow that.

Next, you need to take care of the requirement to use a different password for each web site. I suggest, for each website, use a couple letters or a letter and number that you can easily associate with the site. For Zappos, for instance "Zs" (first and last letters) or for Amazon, you could use A6 (there are six letters in Amazon). Keep this pretty consistent, so you will remember what the method is.

Finally create a secret word. This is the only part of your password that will change from time to time, and is your primary defense against the shoulder surfer.

To put them together, use your two letter site designator, followed by the random string of numbers and letters. This would make Amazon "A67Pwa5" for the first 8 characters. Then follow that with your secret word. If "Grinch" is your secret word, that would make the result in a password of "A67Pwa5Grinch" which is 14 characters long.

You may want to change that last part from time to time, if you think someone has figured out what your secret word is, but there is generally no reason to change the rest of the process, unless you know a complete copy of one or more of your passwords has been compromised and is available to hackers.

The methodology here may not work on many networks as many log-on programs in use defeat their own security by keeping a copy (theoretically encrypted) of your older passwords, and on the periodically required password change, will flag that you are reusing some part of your old password. While this keeping of old passwords is self defeating, it provides a lot of self aggrandizement for network administrators who think they are doing more than the next guy.

Also, some government network log-on's will flag portions of the password that appear to be a dictionary word. Fortunately, most of these networks already use smart card log-on so none of this article applies.

Links and further information.

hacking of the Zappos
In today's Internet driven world, all of us use one or other applications starting from browsers, mail clients to instant messengers. Most of these applications store the sensitive information such as user name, password in their private location using proprietary methods. This prevents hassle of entering the credentials every time during the authentication.

However it is important to know that this secret information if landed in other person's hands either accidentally or by destiny then it can easily put your privacy at risk. Some applications take utmost care to secure these sensitive information from prying eyes. But most applications use simple methods or rather obscure methods to store the credentials which can easily put your privacy in jeopardy as any spyware on your system can easily uncover these secrets. Also it is equally true with any one who has access to your system.

. . .

Here are the highlights of top features of ThunderbirdPassDecryptor which makes it stand apart from other similar tools including commercial ones.
Instantly decrypt and recover the stored encrypted mail account passwords from 'Thunderbird Password Store'
Supports recovery of passwords from local system as well as remote system. User can specify Thunderbird profile location from the remote system to recover the passwords.
It can recover passwords from 'Thunderbird Password Store' even when it is protected with master password. In such case user have to enter the correct master password to successfully decrypt the mail account passwords.
If you have set the master password for your Thunderbird, then you need to enter the same in the 'master password box'.

Passwords with simple character substitution are weak
and this includes hackerspeak like LEET

The fact that cloud computing can be used is found in many articles, as below, but the conclusions of most of the articles are completely wrong.
"I think that cloud cracking can be useful in the future because of its massive parallel nature. You can start a 100 node cracking cluster with just a few clicks," Roth told ZDNet UK on Tuesday.

Next time: smart cards and biometrics


Steve Finnell said...

you are invited to follow my blog

TRex said...

I chose to allow the above comment, despite it having nothing to do with the subject of passwords and hacking.

The site is a Bible based religious site, and while I haven't looked closely at it, the author of the site seems sincere.

TRex said...

I got a message with the following
Anonymous said...
Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your site? My blog site is in the exact same niche as yours and my users would genuinely benefit from a lot of the information you provide here.
Please let me know if this okay with you. Cheers!
my page - gmail hacker

If the commenter read my copyright page, he would know I give that permission freely there. But his comment about his sight being in the same niche as mine is way out in left field. I try to keep people from being hacked, and his purports to show them how to hack others.

In addition, what his sight really wants you to do is to download his program, which very well may be a trojan that will hack you.

Stay away from him.