Posted by Kevin on April 26, 2015.
We are told to use strong passwords – a long and random mix of uppercase, lowercase, numbers, punctuation and special characters. The reason is to make them difficult to crack.
Well, that’s only half true. A password is a password is a password. It doesn’t need to be cracked. It’s what it is – it’s the password, the key to open the door.
It’s not the password that needs to be cracked, it’s the ‘encrypted’ (preferably hashed and salted) representation of the password that needs to be cracked. Service providers, as their part of the process of keeping our passwords secure, should not store our passwords. Instead, when we create a new password, they should combine it with a random salt, ‘encrypt’ the result with a strong and slow hash algorithm, and store only the hash and the salt. Whenever the same process is applied to the same password with the same salt it will produce the same result.
When we log in to a service provider we usually need to enter our password. It is then hashed in the same way, with the same salt, and the result is compared with the hash stored against our username. If the two tally, the door is unlocked and we can access the provider’s service. If they do not tally, we are assumed to be a miscreant and are locked out.
So, for bad guys to get into our account, whether that’s for financial services, email, cloud storage, or a magazine, all they need is our password (our username is more often than not just our email address).
Now, if the bad guys manage to hack the service provider (easier and more common than you might think), they can simply steal the database of hashed passwords. This is why we need a ‘strong’ password. The bad guys have huge lists of precomputed hash results. If our password is a word that exists in any dictionary, we can assume that its precomputed hash exists in the bad guys’ own database, and unless the provider salted the hashes, all they need do is look up the hash result they have just stolen and they have cracked our password.
Long and random mixes of uppercase, lowercase, numbers, punctuation and special characters are not likely to exist in precomputed hash databases, and our password is likely to remain secure even if the service provider gets hacked.
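The registration and login process described above, together with the reason salting blunts precomputed hash lists, as an added example that is not from the original post. It uses Python's standard-library PBKDF2-HMAC as the "strong and slow" hash, a fresh 16-byte salt per account, and a constant-time comparison at login; the four-word dictionary standing in for the bad guys' precomputed list and the iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed tuning: a deliberately slow hash makes every guess against a
# stolen database expensive. Real deployments choose this by benchmarking.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Registration: combine the password with a random salt, hash it slowly,
    and return only what the provider should persist (never the password)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Login: re-run the same process with the stored salt and compare the
    result in constant time, so timing does not leak how close a guess was."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


# Constructed mini "dictionary" standing in for an attacker's precomputed list
# of unsalted, fast hashes of common words.
DICTIONARY_WORDS = ["password", "letmein", "sunshine", "dragon"]
PRECOMPUTED = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in DICTIONARY_WORDS}


def unsalted_fast_hash(password: str) -> str:
    """What a careless provider stores: the same value for the same word, everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_lookup(stolen_hash: str) -> Optional[str]:
    """An unsalted hash of a dictionary word is recovered by a single lookup;
    a salted, slow hash of the same word is not in any precomputed list."""
    return PRECOMPUTED.get(stolen_hash)


if __name__ == "__main__":
    record = store_password("dragon")
    print("login ok:", verify_password("dragon", record))
    print("unsalted lookup:", precomputed_lookup(unsalted_fast_hash("dragon")))
    print("salted lookup:", precomputed_lookup(record["hash"]))
```

Two registrations with the same password produce different stored hashes because each gets its own salt, which is exactly why a precomputed list keyed on the bare hash finds nothing; the slow iteration count is what makes building a per-salt list impractical.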
Provided, of course, he hashed them in the first place. If he did not, and he gets hacked, we’re buggered. He just gave the bad guys our password. It doesn’t matter if that password is the longest, strongest, meanest, most random collection of characters and special characters under the sun; it’s just been given away. And, of course, it’s just been given away for every account where we use the same password. Company B could have the strongest security imaginable, but it’s useless if company A gives away the passwords.
There are suggestions that up to 30% of websites that store our passwords do not hash them. Our problem is that we don’t know who they are. Worse than that, we don’t know if they’ve already been hacked and have already given away our passwords. Quite likely, the service providers themselves wouldn’t know if they’ve been hacked; and quite probably, they have been hacked.
But there is one clue. If we forget our password (and who hasn’t occasionally forgotten those long and random mixes of uppercase, lowercase, numbers, punctuation and special characters), we can tell the provider and he will allow us to set a new password. At least that is what should happen. Sometimes, however, he will send us our existing password by email.
And that’s when the alarm bells should ring. If he hashed our password and stores only the hashes, then he doesn’t know our existing password. If he sends it to us, the ONLY way he can do this is if he has it stored somewhere in plaintext. And if he has it stored ANYWHERE in plaintext, then it can potentially be stolen. And if he has already been quietly hacked, we may have already been quietly buggered.
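What the "forgotten password" flow looks like when the provider genuinely does not know the password, as an added example that is not from the original post: instead of emailing anything stored, it issues a random, single-use, time-limited reset token, stores only the token's hash, and lets the user set a new password once the token is redeemed. The in-memory store, the 15-minute lifetime and the `now` parameter (there so the expiry can be exercised deterministically) are constructed assumptions; a fast hash is enough for the token because it is high-entropy, unlike a human-chosen password.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed assumptions: reset links live for 15 minutes, and the pending
# requests are kept in a plain dict keyed by username.
TOKEN_TTL_SECONDS = 15 * 60
RESET_REQUESTS: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    # The token is 256 bits of randomness, so an unsalted fast hash is adequate;
    # storing only the hash means a stolen table of pending resets is useless.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a reset token for the emailed link. The provider keeps the hash and
    expiry only; it never needs, and never sends, the user's existing password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_REQUESTS[username] = {
        "token_hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token only if it matches the stored hash, has not expired and
    has not already been used. On success the caller sets a new password."""
    now = time.time() if now is None else now
    entry = RESET_REQUESTS.get(username)
    if entry is None:
        return False
    if not hmac.compare_digest(_token_hash(token), entry["token_hash"]):
        return False
    if now > entry["expires"]:
        RESET_REQUESTS.pop(username, None)  # stale request, discard it
        return False
    RESET_REQUESTS.pop(username, None)  # single use: consume on success
    return True


if __name__ == "__main__":
    link_token = issue_reset_token("alice")
    print("wrong token accepted:", redeem_reset_token("alice", "not-the-token"))
    print("real token accepted:", redeem_reset_token("alice", link_token))
    print("replayed token accepted:", redeem_reset_token("alice", link_token))
```

The point to check in any provider's flow is the first line of `issue_reset_token`: nothing about the account is read back, so a provider that has hashed passwords has no plaintext to email even if it wanted to.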
So I was surprised and dismayed when DWPub sent me my old password in plaintext by email. DWPub operates several databases, including the one that I use (but not for much longer) that comprises a searchable database of freelance journalists and writers.
I would strongly suggest that all journalists who use the DWPub JournalistDirectory should think long and hard about the password they use. If bad guys can get it, then mischief can be done. But even more importantly they should search their memory: have they used this password elsewhere – because that or those accounts are also at risk. Change the passwords.
I have asked DWPub to explain how my password is protected. I’ll update this with any response.