Earlier this week, I blogged on the massive Adobe password data breach. Today, I’ve come across another password breach that impacted a considerable number of people: over 800,000 people were affected when MacRumors was attacked by hackers. The site was using best practices when it got attacked (salted password hashes).
I forgot to add last time that such breaches are dangerous, at least indirectly, for people who use full disk encryption like AlertBoot.
MacRumors Hashed Passwords, Used “Individualized” Salts
Long story short: someone figured out the password that belonged to a MacRumors moderator. Once inside the site, the hacker made off with the password list for 860,106 people. Thankfully, the passwords were not only hashed but also salted. In fact, a story on arstechnica.com notes that the salts were individualized.
On the other hand, a separate story noted that the salts were 3 bytes long – that is, three characters long – and thus couldn’t truly provide individualized salts. A salt is a string of characters that is added to the password prior to hashing, which results in a completely different hash.
For example, let’s say that two users are using the same password, “thispassword.” Without a salt, hashing them would result in the same output (let’s say, “298fj2nfs8wh23h8whewhw”). If the same salt was used (“thispassword” is salted with “321” and becomes “thispassword321”), then the result would be something else – “39009Q907T094JWEJWOIW2nsjsa” – for both passwords. However, if separate salts were used (“321” and “322”, respectively), then one of the hashed passwords would end up completely different from the other.
So, separate salts are a good thing. However, if they’re only three characters long, it really doesn’t take a hacker too long to guess and hit upon the right one, thanks to the power of today’s computers: it’s just a matter of trying all (popular) password and salt combos until you find one that works.
The true, best practice would have been to use salts that are truly individualized; however, that also means that MacRumors would have needed at least 860,000 separate salts, which is problematic in and of itself. (In the area of encryption software, where keys are truly individualized, encryption key management is a big deal. A HUGE deal, which is why a managed disk encryption service like AlertBoot is a godsend to many companies.)
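The salt behaviour described in this section, as an added example that is not from the original post or from MacRumors: it audits a small constructed account table for identical stored hashes under a shared salt versus per-user salts, and estimates how many of the 860,106 accounts would share a salt for different salt sizes. SHA-256, the printable-ASCII alphabet, the 16-byte salt size and all function and account names are assumptions made for illustration.

```python
import hashlib
import math
import secrets
from collections import defaultdict

USERS = 860_106  # account count given in the article
SALT_SPACES = {  # assumed readings of "3 bytes / three characters", plus a larger size
    "3 printable ASCII chars": 95 ** 3,
    "3 arbitrary bytes": 256 ** 3,
    "16 random bytes": 256 ** 16,
}

def salted_hash(password: str, salt: bytes) -> str:
    # SHA-256 is a stand-in: the article does not name the site's hash function.
    return hashlib.sha256(password.encode() + salt).hexdigest()

def build_table(accounts, salt_for):
    """Return (user, salt, digest) rows; salt_for(user) picks that user's salt."""
    rows = []
    for user, password in accounts:
        salt = salt_for(user)
        rows.append((user, salt, salted_hash(password, salt)))
    return rows

def duplicate_hash_groups(table):
    """Audit: users whose stored (salt, digest) pair is identical to another user's."""
    groups = defaultdict(list)
    for user, salt, digest in table:
        groups[(salt, digest)].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def expected_accounts_sharing_salt(users: int, space: int) -> float:
    """Expected accounts whose salt is also on another account (uniform random salts)."""
    p_shared = -math.expm1((users - 1) * math.log1p(-1 / space))
    return users * p_shared

# Constructed sample accounts: alice and bob both use the article's example password.
ACCOUNTS = [("alice", "thispassword"), ("bob", "thispassword"), ("carol", "other-pass")]

if __name__ == "__main__":
    same = build_table(ACCOUNTS, lambda user: b"321")
    fresh = build_table(ACCOUNTS, lambda user: secrets.token_bytes(16))
    print("one shared salt   ->", duplicate_hash_groups(same))
    print("per-user 16 bytes ->", duplicate_hash_groups(fresh))
    for name, space in SALT_SPACES.items():
        shared = expected_accounts_sharing_salt(USERS, space)
        print(f"{name:24} {space:.3e} salts, ~{shared:,.0f} accounts share one")
```

Under the printable-ASCII assumption there are only 857,375 possible three-character salts, fewer than the 860,106 accounts, so some accounts necessarily share a salt.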
Online Spilling into Semi-Offline World
As I noted in the introduction, password data breaches for websites can be a problem for FDE users. How so?
Because people reuse passwords. Just like there are many people out there who reuse their IDs and passwords across different portals, there are people who will use the same password anywhere they can, including as the password to their encrypted computers.
Is the leaching of online passwords to the “offline” world – seeing how an FDE’s password is technically used offline – a realistic concern? I think it is, for a couple of reasons.
First, chances are that, if you have a large enough database, nearly all the passwords that can be imagined by a person will be reflected in it. While the potential for password variation is infinite, there is a limit to how many random characters the human brain can hold (or type into the password field). Even if it were possible for me to memorize 120 consecutive random characters easily, this does not guarantee that I won’t have a typo every time I attempt to type them into the password field, causing me endless frustration and eventually leading me to use a shorter password.
This means anyone looking to break into an encrypted system would do well to start running all the passwords in said database first, and then trying to figure out other ways to guess at the password.
Which brings us to my second reason why breaching online passwords is bad news for FDE. A database of online passwords can reveal not only which passwords, but also what types of passwords, are popular. Such a database can be used by people who are looking to break into encrypted systems as an initial point of attack. How long are passwords, in general? When is a password essentially too long? When forced to use an alphanumeric system, how many people add a number to the end of the password as opposed to starting with a number? Are passwords generally words or combinations of words?
In other words, it gives hackers a rough map of where they should begin. And that’s not a good thing.