“Thinking like a hacker means studying the tooling that hackers use, attending hacker conferences such as DEFCON [and C-Days in Portugal], and practicing hacking and exploitation in a lab environment.”
In “Think like a Hacker: A Sysadmin’s Guide to Cybersecurity” by Michael J. Melone
What happens in real life, passwords-wise? (I know what I’m talking about; back in the day I was in the trenches doing this for a living…)
The passwords are usually stored in a database with the username; when you enter your username and password, one is checked against the other. Obviously, if the database were stored "in the clear", anyone who stole it or looked at it would know your password. This can't work anywhere the user accounts must be secure, even from employees, which is basically everywhere. So what is done is that the password is "hashed", which means it is encoded using a one-way conversion formula. If I have the formula and the password I can reproduce the hash result: that's a match, and I can open your account. That's what a website does when you enter the right password. But if you just have the hash and give that to the website, it will apply the formula to it and produce a different result, and the system will say "no dice". So having the hashes is no use to a hacker.
Unless the hacker guesses the formula. And this is where the billions of attempts come in. If an employee or hacker steals the list of hashes and usernames, they will use them to guess the formula. The bigger the list, the more chance of a password being repeated in it; if the hacker spots two hashes that are the same (or, with modern functions, hashes related with a regularity that clever math can show), that might mean the passwords used to generate them are the same, and if that password is 12345678 then it's very likely Mr. Hacker will guess the formula required, and at that point off we go to the races. If the hacker has the database on his own computer (and one can rent very big, very fast computers now for very little $$$), many billions of guesses, tries and tests on the hash function can be done every second.
Good web sites do three things. Firstly, they "salt" their passwords with a random string, kept separately, like "733bi/fo@@h732=|$dGGGHHH&+~52-", which means that all passwords have that added to them before hashing. Secondly, they use strong hash functions, i.e. not SHA-1. The final thing, which is easy to do, is to stop users using any password in the top 5000 passwords lists, stop them using any dictionary word, and insist that the password contains numbers, capitals, lowercase letters and symbols.
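As an added illustration of the three measures above (this is not code from the original post), here is a Python sketch that salts and slow-hashes passwords with PBKDF2-HMAC-SHA256 rather than SHA-1, mixes in the site-wide secret string quoted above, and enforces a denylist and character-class rule. The per-user random salt, the denylist contents, the 12-character minimum and the iteration count are my own assumptions, not the post's.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a "top 5000 passwords" denylist plus a few dictionary words.
COMMON_PASSWORDS = {"12345678", "password", "qwerty", "letmein", "dragon", "monkey"}

# Site-wide secret string, kept outside the database (the value is the one quoted in
# the text; a real deployment would generate its own and keep it in a secrets store).
SITE_SECRET = b"733bi/fo@@h732=|$dGGGHHH&+~52-"

# PBKDF2 work factor (assumed value): each guess costs this many HMAC rounds, which is
# what shrinks "billions of guesses per second" to a far smaller number per attacker core.
ITERATIONS = 600_000


def password_allowed(pw: str) -> bool:
    """Reject denylisted passwords and require digits, capitals, lowercase and symbols."""
    if pw.lower() in COMMON_PASSWORDS:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 12 and all(classes)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn per user when none is given,
    so two accounts with the same password do not end up with the same stored hash."""
    if salt is None:
        salt = os.urandom(16)
    material = SITE_SECRET + pw.encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(pw, salt)
    return hmac.compare_digest(digest, stored)


def hashes_collide(pw: str) -> bool:
    """True only if two independent registrations of the same password share a hash."""
    _, first = hash_password(pw)
    _, second = hash_password(pw)
    return first == second
```

With per-user salts, `hashes_collide("12345678")` is False, so the "two identical hashes" tell-off described above no longer exists in a stolen table.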
Unfortunately, such is the sophistication of password cracking software these days that even a long password is no guarantee of security, and hardware is getting faster all the time, so a long password alone is no cast-iron guarantee. Use very different passwords on online services and be careful about the links between different apps; these days you can use your Facebook ID to log in to a range of different sites, for example. If you do this, consider the implications of what could be accessed if, say, your Facebook ID is compromised, and the data that is shared between the two sites.
A password manager is a good way to go for remembering all these different passwords; some of them will generate a random password of a specific length for you when you set up a new account, and they are available as apps on smartphones. However, choose a secure password to access it, ensure it is securely encrypted using something like AES, and be careful where it's stored. Remember the "Cloud" is just another computer hosted somewhere in the world; there is no guarantee cloud storage is secure, so if you back up to these services then encrypt the backups (companies like Apple offer this with just a check box and password field as an option in your backup settings).
I am extremely careful with LinkedIn these days. I once found all my information available online (legitimately) because they had changed their privacy options and data was open by default to certain LinkedIn partners, who took it upon themselves to publish my CV publicly (thanks for the spam to the email accounts I used at that time, guys!). They seem to have a very relaxed approach to privacy, and people's profiles often appear in straight Google searches; CVs by their nature tend to include a lot of personal information, and certainly a lot of contact info.
Most hacking attempts do not even use passwords; they exploit failings of the site's code itself. Meanwhile, the 'password complexity' argument is based on being able to submit thousands of passwords a second to the same account. Any system which allows that is a dumb piece of design. The sensible answer is that you should not use a guessable password. The rest is basically a 'straw man' designed to shift attention away from the real security failings of the software industry.
Passwords are recognised as being extremely fallible, and there is a big discussion going on as to how to replace them; biometrics are equally insecure, and you can't change them if they are compromised. As for flaws in code allowing exploits, these will always exist: even the best programmers make mistakes, and the sophistication of cracking tools is improving all the time. I view this as being a bit like home security: you can add all the window locks, security deadbolts and alarms that you like, but it's never a guarantee that someone can't break in, and in the case of online data where government-funded agencies are involved, all bets are off.
Personally, I try not to put anything important on the internet; my plans for world domination and my Mum's recipe for bread pudding I memorise and keep in my head. They can't hack that... yet! :)
Bottom line: hackers don't try to guess passwords to get your account. They hack into the system, steal the encrypted data, and then, outside of its secure ecosystem, it is vulnerable to brute force attacks. Once a reasonable number of passwords has been cracked, the list can be sold on to the highest bidder, who will then harvest your data. Often they will use the same username-password combination on other common websites such as PayPal and Amazon, where they can make online purchases, or Facebook and Gmail/Hotmail, where they will begin the process of identity theft or look through old messages for even more important passwords or bank account details. Remember that holiday you took with your mates, when you instant-messaged them your bank details so they could pay you for the flights? Yep, that's still in your message box. So, change that Facebook password. Now!
