Monday, June 2, 2014

Passwords - At it again?

The recent eBay hack got me thinking about passwords, for about the 5th time this year. After Heartbleed, I did a bit of an audit on the passwords I was using, and I hope you did too. I then moved house, and had to change a bunch of address details, and in the process, I found a few more places I had passwords set up that I didn't know I had. One of these places emailed me a reminder with the password in plain text. This means they are storing my password, on their server, in the clear. I'm not mean enough to name names, and indeed I have offered to help them fix it, and given a few pointers - I'm nice like that, you see!

There's a moral to this tale, however. I should be concerned that Company X's servers may be compromised, and my password released, because they stored it badly. If that was the case, I would want to change my password as soon as I heard of the breach, as an attacker would immediately be able to access my account. My best defence would probably be that my name's likely to be right in the middle of the list, and any attacker is probably working his way past Archibald Atkins up there at the top of the user list - I hope I can get to reset my creds before the bad guys get to "N"!

However, I hope that eBay are smarter (not that there's any direct evidence that this is the case: they've been a bit evasive on how they stored our passwords). Despite this, I immediately changed my eBay password too. Why? Because even a hashed password is cracked fairly easily these days, and that crack is getting easier every day.

Given a 6 character password (still accepted by many sites), hashed with MD5, it is possible to check every possible password in less than a minute on standard hardware.

So: sites are still storing passwords plaintext. For a while, MD5 was the go-to hash function. How many people do you think are still using that? SHA-1? Not much better apparently. Salt-per-password - better odds, but not unbeatable. While there's so much that a site could do "wrong" that would mean your password is brute forced in no time, there's a bunch you could do wrong too, like picking a dictionary word, or something nice and short. Be aware that the bad guys are finding ways to crack passwords orders of magnitude faster, such as using CUDA/GL setups.
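As an added illustration (my own code, not anything from the original post or from any of the sites mentioned), here is the contrast between the unsalted MD5 storage described above and a per-password-salted, deliberately slow hash, plus the upgrade-on-login step a site still sitting on old MD5 records would need. The record format, scheme prefix and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example; tune iterations to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The weak scheme the post warns about: unsalted MD5 as 32 hex chars.
    Every user with the same password gets the same hash, and a 6-character
    keyspace is exhausted in well under a minute on ordinary hardware."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iters$salt_hex$hash_hex.
    A fresh random salt per password defeats precomputed tables, and the
    iteration count makes each guess cost the attacker real work."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.
    Returns (ok, upgraded_record): upgraded_record is set only when the stored
    record was a legacy MD5 hash and the login succeeded, so the caller can
    persist the new salted record and retire the MD5 one."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, _ = stored.split("$")
        candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
        # Constant-time comparison: don't leak how many characters matched.
        return hmac.compare_digest(candidate, stored), None
    if len(stored) == 32:  # no scheme prefix, 32 hex chars: legacy unsalted MD5
        if hmac.compare_digest(legacy_md5(password), stored):
            return True, hash_password(password)
        return False, None
    return False, None
```

The legacy branch exists only so existing accounts can be migrated the next time their owner logs in; new accounts should never be written in MD5 form.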

What can we do to protect ourselves against the disparity between the ability of wrong 'uns to crack passwords, and the slow uptake of more secure hashing?

You can never ever re-use a password. I am pretty sure I still am - probably on accounts I should have closed years ago, but tidying up your passwords is worse than changing your postal address! It's really difficult. You will need a password manager. I chose LastPass personally; some of my colleagues use Password Safe and keep the file in Dropbox - pick the one that's right for you.

A password manager is essential to keep up with the large number of passwords you will need - however, I would advocate keeping your key passwords out of any manager - eggs, basket, and all that. So email, financial services, that sort of thing, probably should stay in your head!

Finally, any sites which offer two-factor authentication, please do take them up on the offer. That way you're less likely to suffer a breach while the organisation decides on the best way to tell you your password has gone walkies.

TL;DR - three things you need to remember about your passwords:

  • Two factor Where You can
  • Password Manager for the Many
  • Remember the Few
