Last week was a terrible week for password breaches. First LinkedIn revealed that ~6.5 million password hashes were posted online. Hot on the heels came the news that online dating website eHarmony and streaming music site Last.fm have suffered similar breaches.
Are these breaches a surprise? No, not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on web servers and datacentre networks every time it is supplied by the user before it is hashed for comparison.
Attackers often merely need to compromise an edge-of-network web server with some malware to steal every password as it is provided or to steal password hashes. Attackers may target what they perceive to be lower security social media services in the knowledge the same password may grant access to higher value services such as retail or banking. Banks have known this for a long time; this is why they prompt for random characters rather than the whole password and rely on a wide range of security questions or one time pad (OTP) tokens.
It gets worse. ‘Hashing’ a password means obscuring the original plaintext into a format that cannot be easily read. It’s intended to be a one way process which is very useful for storing passwords. Instead of storing a user’s actual password, you can simply store the hash and use this to check whether someone has logged on with the correct details. Some websites originally used the legacy MD5 hashing algorithm to protect passwords. However advances in cryptanalysis and computing power often make it necessary to move to newer, stronger algorithms. Many have considered MD5 to be compromised for around a decade but not all websites have upgraded to SHA-1 yet.
Even using a stronger algorithm alone is not enough. ‘Salting’ is the process of adding an additional layer of security by hashing the password with some additional random data to ensure the hash is unique and harder to crack. Unfortunately some of the breached services (and doubtless many others), haven’t employed this technique.
Websites may attempt to upgrade the security of weakly hashed passwords by storing a freshly hashed password when each user logs in. While this is good practice, special care is still required to ensure that any copies of the weakly hashed password are securely erased.
Techniques to improve security can include:
Prompt users for parts of their password rather than then entire phrase.
Better still, minimise the reliance and exposure of passwords through the use of techniques such as two factor authentication, certificate based authentication or OAuth with associated strong cryptography.
Deploy a dedicated authentication service to ensure passwords and their hashed representations are exposed in the minimum number of locations and can be securely erased when they’re longer required.
Encrypt hashes using techniques like transparent database encryption with HSM-based key management to prevent their hash theft and to simplify the secure destruction of old hashes.
Replace any legacy hashes with randomly salted SHA-1 or SHA-2 representations at next user logon. Better still, use a key stretching technique to reduce the rate that an attacker can test for dictionary passwords.
As we move towards smartphones and tablets where Apps are able to store credentials on behalf of users, we are finding that we all use our passwords less: perhaps only to authorise higher values transactions or to enrol new devices. However, in a world where the relationship between customers and service providers is increasingly spontaneous passwords will remain a convenient catch-all credential until identity federation becomes ubiquitous. It’s time for all of us to think much more carefully about how we protect both our own passwords and those of others we serve.