John Wilander
2010-12-22 23:35:13 UTC
Hi WebAppSec!
The Gawker hack and cracking of password hashes got me thinking
(http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump).
Today several of the premium services on the web such as Amazon and
Apple require a minimum of 6 characters in customers' passwords. I'm
not sure if they check against wordlists before accepting a new
password, but still, 6 characters allow for brute forcing.
So how do these service providers protect the passwords? Salted hashes
I presume but no matter what hash algorithm or salt length is used –
it's still just 6 characters to brute force.
Let's say Amazon or Apple gets hacked and all users' password hashes
downloaded. We can also assume the malicious hackers get the source
code and config files so they know how the password protection works.
A couple of scenarios:
· Unsalted hashes, MD5 or SHA1. Rainbow tables already available. Toast.
· Unsalted hashes, SHA256, SHA512 or the like. Rainbow tables still
not feasible for these? Easier to brute force six character passwords?
Guess so.
· One salt for all passwords, MD5 or SHA1. Quicker to build a custom
rainbow table based on the known salt or quicker to brute forcing each
password?
· One salt for all passwords, SHA256, SHA512 or the like. Probably not
a rainbow table since it has to be built after the hack. Brute forcing
of the passwords.
· One salt per password, stored alongside the passwords in the DB +
any decent hash algorithm. Rainbow tables not usable so it's brute
forcing time.
If I'm not mistaken in the list above, dictionary and brute forcing
will be the weapon of choice as long as we're not facing a static salt
or plain hashing, huh?
That brings us back to the minimum number of characters. Six
characters is not a lot, and the length of the salt or size of hashes
will not have a noticeable impact on cracking time.
So, is adaptive hashing/multiple hashing the only way to protect short
passwords? Are we confident in that Amazon, Apple etc are using such
techniques? Do they have migration plans? Say SHA1 x 1,000 right now
and migration to SHA1 x 10,000 in 2011. If done right such hash
strengthening should not have to involve the real password. Just
rehash the current hash another 9,000 times.
Would love to hear your thoughts and insights on this.
... and Merry Christmas!
/John
--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
The Gawker hack and cracking of password hashes got me thinking
(http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump).
Today several of the premium services on the web such as Amazon and
Apple require a minimum of 6 characters in customers' passwords. I'm
not sure if they check against wordlists before accepting a new
password, but still, 6 characters allow for brute forcing.
So how do these service providers protect the passwords? Salted hashes
I presume but no matter what hash algorithm or salt length is used –
it's still just 6 characters to brute force.
Let's say Amazon or Apple gets hacked and all users' password hashes
downloaded. We can also assume the malicious hackers get the source
code and config files so they know how the password protection works.
A couple of scenarios:
· Unsalted hashes, MD5 or SHA1. Rainbow tables already available. Toast.
· Unsalted hashes, SHA256, SHA512 or the like. Rainbow tables still
not feasible for these? Easier to brute force six character passwords?
Guess so.
· One salt for all passwords, MD5 or SHA1. Quicker to build a custom
rainbow table based on the known salt or quicker to brute forcing each
password?
· One salt for all passwords, SHA256, SHA512 or the like. Probably not
a rainbow table since it has to be built after the hack. Brute forcing
of the passwords.
· One salt per password, stored alongside the passwords in the DB +
any decent hash algorithm. Rainbow tables not usable so it's brute
forcing time.
If I'm not mistaken in the list above, dictionary and brute forcing
will be the weapon of choice as long as we're not facing a static salt
or plain hashing, huh?
That brings us back to the minimum number of characters. Six
characters is not a lot, and the length of the salt or size of hashes
will not have a noticeable impact on cracking time.
So, is adaptive hashing/multiple hashing the only way to protect short
passwords? Are we confident in that Amazon, Apple etc are using such
techniques? Do they have migration plans? Say SHA1 x 1,000 right now
and migration to SHA1 x 10,000 in 2011. If done right such hash
strengthening should not have to involve the real password. Just
rehash the current hash another 9,000 times.
Would love to hear your thoughts and insights on this.
... and Merry Christmas!
/John
--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------