Time to rethink your password management strategy before it’s too late.

Posted by Geraldine Hunt on Wed, Mar 11th, 2015

Yes you need to have a password management strategy, one that ensures you create safe and secure passwords.The number of leaked email addresses and passwords exploded in 2014.  Lots of big companies lost hundreds of millions of userids and passwords.  Every day there seemed to be a new news story about a business cyber breach.  Here we explain how passwords get stolen, how passwords are stored, and provide some strategies for how to avoid becoming a victim. What happens with all these stolen passwords? Sometimes they’re simply put up for sale. There are websites selling user/password combinations for lots of popular businesses—Amazon, Walmart, Dell—for just $2 each.

How passwords are stolen:

What are the ways that hackers steal passwords?

• Hackers steal the whole Active Directory or LDAP database.
• Hackers install keystroke recording software.
• Hackers use phishing attacks to get users to enter their credentials into a fake website.
• They use social engineering like shoulder surfing or begging a customer service person to hand it over.

What’s the Damage?

If someone breaks into your database and steals your userids and passwords can they log into your applications?  Not usually, unless the hacker is trying to attack a program that will accept the hashed value of the password.  But that’s not very likely unless they are attacking some low-level kernel function.  Most commonly they need to decode them first.

Password Encoding

Passwords are encoded, not encrypted.  To encrypt something you need an encryption key.  But the password is a single item, so there is no key.  It is encoded instead by applying some type of hashing algorithm to it.  An application verifies that the password is correct by running the hash function over the password.

Passwords are entered in clear text.  Authentication works by taking the string that the user entered, running a hashing function against it, and then checking whether the hash of the password matches the value of the hashed password stored in the password database.

Consider the hashing algorithms used on UNIX systems or Oracle LDAP.  The hashing algorithm to use is configured in:

/etc/security/policy.conf

If you want to change the system to use MD5 then you change

CRYPT_DEFAULT=__unix__

To

CRYPT_DEFAULT=2a

You can usually tell in an LDAP system what algorithm was used to encode the password, because that is stored with the password value.  For example, here is an example password with the crypt algorithm on UNIX.

userPassword: {CRYPT}XXXX

Dictionary Attack on Passwords

A hacker can create a dictionary of hashed values and simply look there to see if the hashed value of passwords they have stolen matches the hash value of any words that they have hashed and stored in their own dictionary (database). That’s called a dictionary attack.

For example, a hacker can create a database of MD5 hashes by feeding different combinations of letters and characters and lengths into the MD5 algorithm.  Since a password always produces the same hashed value when the MD5 hash is applied to the cleartext, if the hashed password a hacker has stolen matches a hashed value in their database then they know the original password.

This works in actual practice because people use shorter passwords than the 255 MD5 hash limit thus making the mathematical orders of magnitude simpler.  Not many hackers are going to take all the possible letters in the ASCII character set over all possible combination from lengths 1-255 and run those through the MD5 algorithm and store those values.  That would take many years of computing time.  Instead they can do this with 5 or 8 letter passwords and that would work for 98% or more of people.

Why are you still using one password for multiple accounts?

One weakness with passwords is people tend to use the same password for multiple accounts.  Did you know that over half of all Internet users admit to using the same password for every account? Studies of major password breaches over the past 10 years show: