Thursday, August 14, 2014

Password Security


Over the last couple of years there have been quite a few instances of sophisticated hacking attempts on major companies.
These include (but are not limited to)
When these events occur, they can raise many questions, such as:
How does this kind of thing happen?
What can people do with this information?
What can you do to protect yourself?
Let's try and answer these questions!
How does this kind of thing happen?
There are lots of different ways hackers gain access to information they are not supposed to have.  The majority of these hacks are the result of Malware or a Virus being installed on a PC in the company's network.  This can be used to get access to company resources from the inside rather than directly from the Internet.  If the Malware can send information back to its author, this can be very successful for a hacker.  To get Malware onto a company PC it is usually attached to an email, hosted on web links people might click or, in extreme circumstances, left on USB sticks in a company's car park.  The latter is extreme and usually a sign of a targeted attack, but it has happened.
The other way hackers can get access to this information is by using a method called SQL Injection.  SQL databases are used to store website data, and this technique injects SQL code into a query so that the database returns a response it should not.  It uses the text entry boxes on a web page (for search etc.): the attacker enters SQL commands which, if the page builds its query from that text, can return far more information than it should allow.  Security-minded website providers use Text Validation techniques to foil this attack.  This stops would-be hackers from entering characters like | * + = and effectively ensures the injected commands fail.
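Filtering characters is only a partial defence; the standard fix is to hand the search text to the database as a bound parameter so it is never parsed as SQL.  The example below is added here and is not from the original post: it uses a constructed SQLite table to show the concatenated query beside the parameterised one.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's product search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("apple", 0), ("pear", 0), ("internal-price-list", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    """Builds the query by concatenating the search box text, so the text
    becomes part of the SQL.  A term containing a quote character can close
    the string and append its own conditions, which is the injection the
    post describes."""
    sql = ("SELECT name FROM products WHERE internal = 0 AND name = '"
           + term + "'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Binds the search text as a parameter: the database treats it purely as
    data, whatever characters it contains, so no character filtering is
    needed to keep the query intact."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a normal search and a term that carries SQL.
    for term in ["apple", "x' OR '1'='1"]:
        print(repr(term),
              "concatenated:", search_vulnerable(conn, term),
              "parameterised:", search_parameterised(conn, term))
```

The concatenated query returns the internal row as well, while the parameterised query simply finds no product with that odd name.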
What can people do with this information? 
Well, it depends what information a company holds on you.  Typically this will be your Name and Email Address, but it could include your Address, personal information or any other data which has been collected.
This information could be used in a number of different ways.  It could be used for Identity Theft, for Spam lists or to attempt to login to other online services (internet banking etc.).
The Techie Bit
The majority of information is held in plain text in the server database.  This means that if the database is stolen, the data can be easily read.  Passwords are usually stored differently; they can be stored as plain text, be hashed, or be hashed and salted.
Hashing is a mathematical calculation which changes your password into a fixed-length value, e.g. the MD5 Hash of 123456 is e10adc3949ba59abbe56e057f20f883e.  It is a one-way function, so you cannot reverse the hash to reveal the original password.  This is a good starting point; it ensures that if the database is stolen a hacker cannot read the password easily.
When you login to a website set up with Hashing, your password is converted to a Hash (either on the client side or the server side) and compared against the database.  If it matches, the website will provide you with the relevant access.
The downside of Hashing is that modern computing power allows hackers to generate Hashes for candidate passwords and cross-reference each Hash against the stolen database, e.g. a hacker has generated Hashes for 123456, 1234567 and 12345678.
Password    Hash Value
123456      e10adc3949ba59abbe56e057f20f883e
1234567     fcea920f7412b5da7be0cf42b8c93759
12345678    25d55ad283aa400af464c76d713c07ad

The hacker can cross-reference this against the stolen database and work out that the user Bob has the password 1234567.

User    Hash value of password
Sam     ec121ff80513ae58ed478d5c5787075b
Bob     fcea920f7412b5da7be0cf42b8c93759
Fred    daeccf0ad3c1fc8c8015205c332f5b42

Modern computing power is great, but complex passwords or passwords with more characters can still be difficult to crack using this method, because it takes power not only to generate the Hashes but also to compare them with the stolen database.
There are tools called Rainbow Tables which take this a step further.  These databases hold the most commonly used passwords together with their Hash values.  This can save a hacker a lot of time because they do not have to generate a Hash for every character and length combination before cross-referencing against a stolen password Hash.
The last tool a hacker can use is a Dictionary File.  This will contain a dictionary and common substitutions, e.g. @ instead of a, ! instead of i.  If the Hash is not something in the Rainbow Table, the hacker will need to generate Hashes to compare the data with.  Using a Dictionary file lets hackers generate Hashes only from words likely to be used in a password, which expedites the process.
A Salt is an extra piece of data which is used in combination with the password to create a more unique Hash value.  This extra piece of data is automatically added to the password before the Hash is created, e.g. a user's password of 123456 could be amended by adding the word "Salt" to the end.  When the user logs in, the word "Salt" is added to 123456 and a Hash generated.  This is compared to the server database and, if it matches, access to the website is allowed.
Password      Hash value of password
123456        e10adc3949ba59abbe56e057f20f883e
123456Salt    7c7dd7e00f2bd6ba637009f35e05b3e8

A Salt changes the Hash value a significant amount and will significantly slow down the use of Rainbow Tables to crack passwords.
Even if the value of the Salt is public knowledge, a separate Rainbow Table would need to be created with generated Hashes to compare against a stolen database. 
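Putting the hash tables and the salt section together, here is an added example (not from the original post) that builds the attacker's lookup table from the three candidate passwords, cross-references it against the stolen user table to recover Bob's password, and then shows the same table finding nothing once each stored hash uses a random per-user salt.  It goes beyond the post by salting per user rather than with the fixed word "Salt"; MD5 is kept only to match the post's tables, as real systems should use a slow password hash.

```python
import hashlib
import hmac
import os

# Constructed data copied from the tables in the post: the attacker's three
# candidate passwords and the "stolen" user table of unsalted MD5 hashes.
CANDIDATES = ["123456", "1234567", "12345678"]
STOLEN_DB = {
    "Sam": "ec121ff80513ae58ed478d5c5787075b",
    "Bob": "fcea920f7412b5da7be0cf42b8c93759",
    "Fred": "daeccf0ad3c1fc8c8015205c332f5b42",
}


def md5_hex(text):
    """Unsalted MD5 as in the post's tables; kept only for illustration."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute hash -> password once; this is the lookup table idea."""
    return {md5_hex(p): p for p in candidates}


def crack_unsalted(stolen_db, lookup):
    """Cross-reference each stolen hash against the precomputed table."""
    return {user: lookup[h] for user, h in stolen_db.items() if h in lookup}


def store_salted(password, salt=None):
    """Server side: pick a random salt per user and hash salt + password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, md5_hex(salt.hex() + password)


def verify_salted(password, salt, stored_hash):
    """Login: re-add the stored salt to the typed password and compare
    in constant time."""
    return hmac.compare_digest(md5_hex(salt.hex() + password), stored_hash)


def crack_salted(salted_db, lookup):
    """The same lookup table against salted hashes finds nothing, because
    every stored hash now depends on a salt the table was not built with."""
    return {u: lookup[h] for u, (_, h) in salted_db.items() if h in lookup}


if __name__ == "__main__":
    lookup = build_lookup(CANDIDATES)
    print("unsalted:", crack_unsalted(STOLEN_DB, lookup))
    salted_db = {"Bob": store_salted("1234567")}   # same password, now salted
    print("salted:", crack_salted(salted_db, lookup))
```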
What about Credit/Debit Card information?
This information is usually held in a separate database which has extra security controls applied.  This is required to comply with PCI rules regarding the storage of financial information.  In the vast majority of security breaches hackers do not get access to this data because it is harder to reach, but there are rare circumstances where this data has been stolen.
What can you do to protect yourself?
Ok, it is difficult to protect your data when it is being stored by someone else, but here are a few things that can help you.

1.  When you sign up for a new web based service or login, ensure that the service uses HTTPS.  
2.  HTTPS shows that data transmitted between you and the website is encrypted.  This will not by itself protect your data which is stored on the server, but it is a good indicator that the website is security conscious.

3.  If you need to reset your password to access an online service, ensure that they do not send your forgotten password in an email in plain text.  If the password can be sent to you in an email, it is being stored as plain text in the server database.

4.  Use different passwords for different services.  Ok this one is difficult because you will have lots and lots of passwords.  A compromise is to have tiers of passwords, so something simple for services which do not hold much information on you, but use something completely different for services which hold financial information on you.

5.  Protect your email password!!!! Ensure the password used to access your email is the most secure and is different to anything else.  If a hacker gets access to your email password, it is likely they can get access to any of your other online services by using automated password reset routines.

6.  Do not use passwords which are mentioned here!

7.  Use long passwords.  One technique is to use words connected together which are unrelated.

8.  If a service provides some kind of 2 factor authentication, try it out.  Gmail can send you an SMS code if you logon from a computer you haven’t logged onto before.  This means that if a hacker gets your password, they cannot login without physically having your phone.
If you would like to read more on the topic I recommend the following article.  This covers an analysis of data which was stolen from Sony and Gawker.
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

****UPDATE****

9.  This is an extension of point 4: get yourself a password manager.  This could be 1Password, LastPass or KeePass.  These tools will help you maintain a separate password for each service and will limit the impact of a data breach without you having to manually remember a different password for every service.