ipsa scientia potestas est

Introduction

Whenever I get into a discussion about the importance of strong passwords, the response I am invariably “challenged” with generally goes as follows:

I am an obscure and unimportant individual. I am not famous. I do not have any political connections. I do not hold any sensitive information online. I am not a hackers high-value target, and therefore I am probably safe.

Here, I will take a moment to discuss how a password works at the “server-side”, and consider a way an attack might be performed. We will find that a single individual is often not directly targeted, but becomes a default victim if a weak password is implemented.

How A Password Is Stored… The Secure Hash!”

Many people probably imagine that when we select a password, the string of text is saved in some sort of flat file or database entry, and that when we “log in” the text we enter is compared to whatever password the server registered against the username.

Back in the early days of the web, this is exactly how things worked.

If you stop and think about it, this is a very bad idea. An attacker could break into the server over the network and steal a list of passwords. Alternatively, someone with legitimate access to the server (such as a system administrator) could simply copy the file and take the passwords home.

Fortunately, passwords are no longer kept in plaintext. (Plaintext is text that has not been subject to any cryptographic cleverness. Ciphertext is the opposite of plaintext.) A cryptographic “hash” is generated from the password and this is then stored. A good hash algorithm cannot be reversed, so you can’t work out what the original password is.

An example of a cryptographic hash is the MD5 algorithm. This is no longer the best algorithm to use when security is important. Better hashes exist, such as those in the SHA-2 family. I will use MD5 as an example because readers probably use MD5 to verify internet downloads (if they are sensible enough to take the time to do so).

So What Happens To Passwords On A Server

Suppose you sign up for a new email account (or web host, or forum profile etc), and you decide to use the password “London2012″ (A REALLY BAD PASSWORD!).

Your new password is sent to the web server. The server then generates a hash. If MD5 is being used (it shouldn’t!) the string “London2012″ will give us the following hash:

95c01f7cb1212eaac5866ff184f05751

The server then stores this hash for future logins.

When you next login and send your password, the server works out the hash for your password, and then compares it against the hash that it has on file. If the two hashes match, then the server concludes that the correct password was entered and you are allowed to login.

Remember that a good cryptographic hash cannot be reversed. We cannot calculate the password from the hash. This means that if the password file is stolen then it is still difficult for someone to log into your account.

So Why All This Strong Password Nonsense?

Suppose a file containing password hashes is stolen from a server. This file might well contain the hashes of several million passwords.

Since this file is so big, we can be confident that someone, somewhere, has “London2012″ as a password. We could calculate the cryptographic hash for “London2012″ (95c01f7cb1212eaac5866ff184f05751) since the hash algorithm is not a secret, and then search the file for this hash. We then find which username has this password and the account is now broken.

A modest desktop computer could calculate a hash and search a password file very quickly. If a list of commonly used passwords is available then hundreds of thousands of passwords could be checked in a few minutes. The operation could be further optimised by the use of rainbow tables. To make matters worse, cloud based services make high performance computing resources available at a modest cost. More simply, the password hashes could be leaked on the internet and breaking the passwords becomes a community effort.

Herein lies the problem. It does not matter how insignificant you are, if you have a weak pasword you are rapidly picked out from the crowd. An attacker does not always target specific people. It is often weak passwords that are targetted.

We often hear stories on the news of peoples passwords being stolen and published on the internet, this is precisely how this happens. The victims in these instances are ordinary people that do not stand out.

If you find out in the news that a service you use has been compromised, change your password. Thousands of people all over the world could be trying to break into your email.

Strong passwords are important. Don’t argue with me, because I won’t bother arguing with you. I’ll nod politely, and maybe even agree so that the conversation moves along to other matters. You are responsible for your own data…