Password Security
Over the last couple of years there have been quite a few instances of sophisticated hacking attempts on major companies. These include (but are not limited to)
When these events occur, they can raise many questions, such as:
How does this kind of thing happen?
What can people do with this information?
What can you do to protect yourself?
Let’s try and answer these questions!
How does this kind of thing happen?
There are lots of different ways hackers gain access to information they are not supposed to have. The majority of these hacks are the result of Malware or a Virus being installed on a PC in the company's network. This can be used to get access to company resources from the inside rather than directly from the Internet. If the Malware can send information back to its author, this can be very successful for a hacker. To get Malware onto a company PC it is usually attached to an email, hosted on web links people might click, or in extreme circumstances left on USB sticks in a company's car park. The latter is extreme and usually a sign of a targeted attack, but it has happened.
The other way hackers can get access to this information is by using a method called SQL Injection. SQL is the language used to query the databases which store website data, and this technique attempts to inject database commands which generate a response. It uses text entry boxes on a web page (for search etc.): the attacker enters SQL commands which can return far more information than the page should allow. Security-minded website providers use input validation techniques to foil this attack. This stops would-be hackers from entering characters like | * + = and effectively ensures the injected commands fail.
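As an added example (not from the original post), the check a practitioner would rely on instead of filtering characters: the same search written once with the search-box value concatenated into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The user names and hash values in the table are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("bob", "fcea920f7412b5da7be0cf42b8c93759"),
         ("o'brien", "25d55ad283aa400af464c76d713c07ad")],
    )
    return conn


def search_vulnerable(conn, name):
    """Search-box value pasted straight into the SQL text: the input can
    change the structure of the statement, not just supply a value."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, name):
    """Same search with a bound parameter: the database engine only ever
    treats the value as data, so the defence no longer depends on which
    characters a validation filter happens to block."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    conn = make_db()
    results = {}
    # A legitimate name containing a quote: the concatenated statement cannot
    # even be parsed, which is also why character blacklists hurt real users.
    try:
        search_vulnerable(conn, "o'brien")
        results["vulnerable_quote"] = "ran"
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "syntax error"
    results["safe_quote"] = search_safe(conn, "o'brien")
    # Input that rewrites the WHERE clause when concatenated (every row comes
    # back) but is just a literal string when bound (no row matches).
    crafted = "x' OR '1'='1"
    results["vulnerable_crafted"] = sorted(search_vulnerable(conn, crafted))
    results["safe_crafted"] = search_safe(conn, crafted)
    return results


if __name__ == "__main__":
    print(demo())
```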
What can people do with this information?
Well, it depends what information a company holds on you; typically this will be your name and email address, but it could include your postal address, personal information or any other data which has been collected. This information could be used in a number of different ways: for identity theft, for spam lists, or to attempt to log in to other online services (internet banking etc.).
The Techie Bit
The majority of information is held in plain text in the server database. This means that if the database is stolen the data can be easily read. Passwords are usually stored differently; they can be stored as plain text, hashed, or hashed and salted.
Hashing is a mathematical calculation which changes your password into a fixed-length value, e.g. the MD5 Hash of 123456 is e10adc3949ba59abbe56e057f20f883e. It is a one-way function, so you cannot reverse the hash to reveal the initial password. This is a good starting point; it ensures that if the database is stolen a hacker cannot read the password easily.
When you log in to a website set up with Hashing, your password is converted to a Hash (either on the client side or the server side) and compared against the database. If it matches, the website will provide you with the relevant access.
The downside of Hashing is that modern computing power allows hackers to generate Hashes for candidate passwords and cross-reference these against the stolen database, e.g. a hacker has generated Hashes for 123456, 1234567 and 12345678:
Password    Hash Value
123456      e10adc3949ba59abbe56e057f20f883e
1234567     fcea920f7412b5da7be0cf42b8c93759
12345678    25d55ad283aa400af464c76d713c07ad
The hacker can cross-reference this against the stolen database and work out that the user Bob has the password 1234567:
User    Hash value of password
Sam     ec121ff80513ae58ed478d5c5787075b
Bob     fcea920f7412b5da7be0cf42b8c93759
Fred    daeccf0ad3c1fc8c8015205c332f5b42
Modern computing power is great, but it can still be difficult to crack complex passwords or passwords with more characters using this method, because it requires power not only to generate the Hashes but also to compare them against the stolen database.
There are tools called Rainbow Tables which take this a step further. These databases hold the most commonly used passwords and their corresponding Hash values. This can save a hacker a lot of time because they do not have to generate a Hash for every character and length combination to cross-reference against a password.
The last tool a hacker can use is a Dictionary File. This will contain a dictionary and common substitutions, e.g. @ instead of a, ! instead of I. If the Hash is not something which is in the Rainbow Table, the hacker will need to generate Hashes to compare the data with. Using a Dictionary File allows hackers to generate Hashes from words which might be used in a password, to expedite the process.
A Salt is an extra piece of data which is used in combination with the password to create a more unique Hash value. This extra piece of data is automatically added to the password before the Hash is created, e.g. a user's password of 123456 could be amended by adding the word "Salt" to the end. When a user logs in, the word "Salt" will be added to 123456 and a Hash generated. This will be compared to the server database and, if correct, it would allow access to the website.
Password      Hash value of password
123456        e10adc3949ba59abbe56e057f20f883e
123456Salt    7c7dd7e00f2bd6ba637009f35e05b3e8
A Salt changes the Hash value completely and will significantly slow down the use of Rainbow Tables to crack passwords. Even if the value of the Salt is public knowledge, a separate Rainbow Table would need to be created, with freshly generated Hashes, to compare against a stolen database.
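An added example (not part of the original post) that reproduces the tables above in Python: a precomputed lookup recovering Bob's password from the stolen unsalted hashes, the same lookup failing once each user has a random salt, and a deliberately slow salted derivation (PBKDF2-HMAC-SHA256, an addition beyond the article's MD5 examples) of the kind a site should use today. The lookup table and stolen database are constructed from the article's values; MD5 is kept only so the output matches those tables.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    """MD5 of a string as lowercase hex; used only to match the article's tables."""
    return hashlib.md5(text.encode()).hexdigest()


# Hacker's precomputed table of common passwords (constructed, as in the first table).
LOOKUP = {md5_hex(p): p for p in ["123456", "1234567", "12345678"]}

# Stolen database of unsalted hashes (constructed from the article's second table).
UNSALTED_DB = {
    "Sam": "ec121ff80513ae58ed478d5c5787075b",
    "Bob": "fcea920f7412b5da7be0cf42b8c93759",
    "Fred": "daeccf0ad3c1fc8c8015205c332f5b42",
}


def crack_with_lookup(db):
    """Cross-reference every stolen hash against the precomputed table."""
    return {user: LOOKUP[h] for user, h in db.items() if h in LOOKUP}


def store_salted(password, salt=None):
    """Hash with a per-user random salt: the same password now hashes differently
    for every user, so one precomputed table matches nobody."""
    if salt is None:
        salt = os.urandom(16).hex()
    return salt, md5_hex(password + salt)


def verify_salted(password, salt, stored_hash):
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(md5_hex(password + salt), stored_hash)


def store_pbkdf2(password, iterations=200_000):
    """Added recommendation: a slow, salted derivation makes each guess the
    hacker tries cost hundreds of thousands of hash operations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def verify_pbkdf2(password, salt_hex, iterations, stored_hex):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), stored_hex)


if __name__ == "__main__":
    print(crack_with_lookup(UNSALTED_DB))                  # {'Bob': '1234567'}
    salt, h = store_salted("1234567")
    print(h in LOOKUP, verify_salted("1234567", salt, h))  # False True
```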
What about Credit/Debit Card information?
This information is usually held in a separate database which has extra security controls applied. This is required to comply with PCI (Payment Card Industry) rules regarding storing financial information. In the vast majority of security breaches hackers do not get access to this data because it is harder to reach, but there are rare circumstances where this data has been stolen.
What can you do to protect yourself?
Ok, it is difficult to protect your data when it is being stored by someone else, but here are a few things that can help you.
1. When you sign up for a new web-based service or login, ensure that the service uses HTTPS.
2. HTTPS shows that data transmitted between you and the website is encrypted. This will not by itself protect your data which is stored on the server, but it is a good indicator that the website is security conscious.
3. If you need to reset your password to access an online service, ensure that they do not send your forgotten password in an email in plain text. If the password can be sent to you in an email, it is being stored as plain text in the server database.
4. Use different passwords for different services. Ok, this one is difficult because you will have lots and lots of passwords. A compromise is to have tiers of passwords: something simple for services which do not hold much information on you, but something completely different for services which hold financial information on you.
5. Protect your email password! Ensure the password used to access your email is the most secure and is different to anything else. If a hacker gets access to your email password, it is likely they can get access to any of your other online services by using automated password reset routines.
6. Do not use passwords which are mentioned here!
7. Use long passwords. One technique is to use unrelated words connected together.
8. If a service provides some kind of 2-factor authentication, try it out. Gmail can send you an SMS code if you log on from a computer you haven't logged onto before. This means that if a hacker gets your password, they cannot log in without physically having your phone.
If you would like to read more on the topic I recommend the following article. This covers an analysis of password data which was stolen from Sony and Gawker.
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
****UPDATE****
9. This is an extension of point 4: get yourself a password manager. This could be 1Password, LastPass or KeePass. These tools will help you maintain a separate password for each service and will allow you to limit the impact of a data breach without having to manually remember a different password for every service.