Secure Passwords: A Cautionary Tale


I am hesitant to bring up the Ashley Madison mess, but someone has to: site security was even worse than we thought. The Impact Team broke into the “dating” site’s servers and stole millions of user records, including hashed passwords. They then published many of those records, password hashes included.

It turns out that the password hashing was weak enough to be broken at scale by a team calling themselves CynoSure Prime. Of roughly 32 million subscribers, about 15 million had password hashes that could be attacked cheaply, and the team cracked most of those within days. Although the cracking team did not publish the plaintext passwords, they published enough detail on their method for others to repeat it against the leaked list. The CynoSure blog assured us that “A package has been sent out to the press containing all the statistical analysis and data derived from the cracked passwords.”

In the case of Ashley Madison, public sympathy was not exactly with the victims. But the same thing can and has happened to banks, hospitals, veterans, and Target shoppers — ultimately to you and me.

And it is all avoidable.

The Role of Passwords

The opportunity to crack passwords arises when an attacker breaches a website or network and downloads the password database. If the passwords are protected by a strong combination of hashing techniques, the attacker is unlikely to crack the list without a large computing cluster and a few years to spend.

But when security is lax, as with a fast, unsalted hash such as MD5, there is a plethora of downloadable cracking programs that will run systematic guesses against the hashes at billions of attempts per second on commodity GPUs. Many of them will be all too successful.

At first glance, Ashley Madison’s IT staff seemed to do it right. They secured millions of passwords with a strong, deliberately slow hashing algorithm called bcrypt. Unfortunately, for about 15 million of those accounts the site also stored a second value derived from the same password: an MD5 hash of the lowercased username and password, used as a login token. That MD5 value did not weaken bcrypt itself, but it gave attackers a far cheaper target: crack the fast MD5 hash with a wordlist, then confirm the handful of case variants against bcrypt. This let the CynoSure Prime team recover millions of passwords in a matter of days, not months or years. As of Aug. 31, 2015, the team claimed to have broken over 11 million, with a mere 4 million or so to go.
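To make that failure mode concrete, here is an added example of my own, not Ashley Madison’s code and not CynoSure Prime’s tool. It stores a deliberately slow hash (PBKDF2 standing in for bcrypt, so only the standard library is needed) next to a hypothetical fast MD5 token of the lowercased username and password, then counts how many expensive hash evaluations an attacker needs with and without the token. The token formula, the account, and the wordlist are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# PBKDF2 rounds for the deliberately slow hash. Kept small so the demo runs in
# seconds; a production work factor would be far higher. PBKDF2 stands in for
# bcrypt here so the example needs only the standard library.
SLOW_ITERATIONS = 10_000

# Constructed wordlist for the demo (not a real leaked list). The target
# password "Dragon" appears at index 30 as the lowercase word "dragon".
WORDLIST = [
    "password", "123456", "qwerty", "letmein", "monkey", "football", "baseball",
    "welcome", "sunshine", "princess", "shadow", "master", "superman", "michael",
    "jennifer", "charlie", "trustno1", "hunter", "iloveyou", "abc123", "ashley",
    "bailey", "jordan", "harley", "ranger", "thomas", "summer", "ginger", "buster",
    "soccer", "dragon", "hockey", "killer", "george", "andrew",
]


def slow_hash(password: str, salt: bytes) -> bytes:
    """The properly protected form: salted, iterated, expensive per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_token(username: str, password: str) -> str:
    """Hypothetical MD5 'login key' over the lowercased credentials.

    A simplified stand-in for the kind of shortcut the article describes, not
    the site's actual code. Lowercasing discards case information, and one
    unsalted MD5 costs almost nothing per guess.
    """
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def make_record(username: str, password: str) -> dict:
    """What a breached database row looks like: slow hash plus the fast token."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "slow": slow_hash(password, salt),
        "token": fast_token(username, password),
    }


def case_variants(word: str) -> list:
    """A few capitalisation guesses, in fixed order so call counts are deterministic."""
    return [word, word.capitalize(), word.upper()]


def crack_slow_only(record: dict, wordlist: list) -> tuple:
    """Attack the slow hash directly: every variant of every word costs a full PBKDF2."""
    slow_calls = 0
    for word in wordlist:
        for guess in case_variants(word):
            slow_calls += 1
            if hmac.compare_digest(slow_hash(guess, record["salt"]), record["slow"]):
                return guess, slow_calls
    return None, slow_calls


def crack_with_token(record: dict, wordlist: list) -> tuple:
    """Attack the MD5 token first, then confirm only the matching word's case variants."""
    fast_calls = 0
    slow_calls = 0
    for word in wordlist:
        fast_calls += 1
        if fast_token(record["user"], word) != record["token"]:
            continue  # cheap miss; the slow hash is never touched
        for guess in case_variants(word):
            slow_calls += 1
            if hmac.compare_digest(slow_hash(guess, record["salt"]), record["slow"]):
                return guess, fast_calls, slow_calls
    return None, fast_calls, slow_calls


if __name__ == "__main__":
    row = make_record("alice", "Dragon")  # constructed account, not real data
    print("slow hash only:  ", crack_slow_only(row, WORDLIST))
    print("md5 token first: ", crack_with_token(row, WORDLIST))
```

Against the slow hash alone the attacker pays 92 PBKDF2 evaluations to reach “Dragon”; with the token, 31 near-free MD5 computations and only 2 slow ones. Scale the wordlist to billions of candidates and the work factor to a real bcrypt cost, and that ratio is the difference between months and minutes, which is the whole point of never storing a fast hash of the same secret beside a slow one.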

And why did the Ashley Madison programmers keep an MD5 token next to bcrypt for a 15 million-strong subset of accounts? And if they realized their mistake, why didn’t they fix such a potentially catastrophic error?

Who knows? They are certainly not talking.

And they are not the only ones.

In 2012, 6.5 million LinkedIn password hashes were leaked. LinkedIn had used plain SHA-1: a fast hash, unsalted and with no iteration. The hashes were posted to a Russian forum, and a large share were cracked and published in plain text within days.

Best Practices for Protecting Passwords

Ideally, password security matters to two groups: end users and the IT staff charged with securing the network.

In the famous Sony hack, some of the stolen data were simple employee passwords that were easy to crack. Employees rarely bothered to change them, but a weak password stays weak no matter how often it is rotated; the problem was the passwords themselves.

Insist on strong user passwords; better still, enforce them. There is not much you can do if your users choose weak passwords on their banking sites, but you can require strong passwords on work systems. (Forcing frequent changes is less useful than it sounds: NIST SP 800-63B now advises against mandatory periodic rotation in favor of length requirements and screening new passwords against known-breached lists.) Of course, you can insist until you are blue in the face; what actually works is a password manager that generates a unique random password for every site. These are not perfect: LastPass was breached in June 2015. A manager’s vault is encrypted with a key derived from the master password rather than stored as a hash, and LastPass reported that the encrypted vault data was not taken, only authentication hashes and per-user salts. Fortunately, nothing from that theft has resurfaced as plaintext passwords.

On the corporate security side, even very smart people take big risks with password hashing. Whether you are the security administrator or you employ one, take advantage of the strong mechanisms available to you:

  • Better hashing. The MD5 hash function that betrayed the AM passwords was built for speed, which is exactly the wrong property for a password hash. Use an algorithm designed for passwords: bcrypt, scrypt, Argon2, or PBKDF2 with a high work factor.
  • Build in iterations. Most passwords can be cracked given enough time, but few attackers will wait a year. Iterated hashing (a work factor, such as bcrypt’s cost or PBKDF2’s round count) forces every guess to repeat the hash thousands of times, so brute-force tools slow down by the same factor while a legitimate login pays the cost only once. Store the work factor with the hash so it can be raised as hardware gets faster.
  • Salting. Precomputed lookup tables (rainbow tables) can still break iterated hashes if every user’s password is hashed the same way. Salting prevents this: a random value, unique per user, is stored alongside the hash and mixed into the password before hashing. Even if a database contains many identical weak passwords, every salted hash differs, a precomputed table is useless, and the attacker must attack each account separately.
  • Make passwords longer. Length is the most effective single defense against brute force: each added character multiplies the number of candidates by the size of the character set, so a long passphrase is out of reach even for fast GPU clusters. Length does not protect against a dictionary of well-known phrases, though, so pair it with unpredictability.
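The following is an added example of my own (not code from the article or from any of the sites it discusses) that puts the hashing, iteration, and salting points together in one small storage routine and then shows why the unsalted scheme loses to a precomputed table. The record format, iteration count, wordlist, and user passwords are all my own choices for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Calibrate to your hardware; this value
# is modest so the example runs quickly, and current guidance puts production
# values in the hundreds of thousands of rounds.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt, iterate, and encode everything needed to verify later in one string.

    Format (my own convention for this example): algorithm$iterations$salt$digest.
    Keeping the parameters with the hash lets the work factor be raised later
    without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer rounds than current policy.

    Check this after a successful login and re-hash while the plaintext is in
    hand; that is how a legacy population migrates to a stronger setting.
    """
    algorithm, stored_iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


# --- Why salting defeats precomputation -------------------------------------

def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted hash, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: list) -> dict:
    """Precompute hash -> password once; reusable against every unsalted database."""
    return {md5_unsalted(word): word for word in wordlist}


def crack_unsalted(table: dict, hashes: list) -> dict:
    """One dictionary lookup per hash: every reuse of a common password falls at once."""
    return {h: table[h] for h in hashes if h in table}


def distinct_hashes(hashes: list) -> int:
    """Count distinct stored values; with per-user salts this equals the user count."""
    return len(set(hashes))


if __name__ == "__main__":
    # Constructed wordlist and user passwords for the demo, not real data.
    wordlist = ["password", "letmein", "dragon", "qwerty", "sunshine"]
    users = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}

    weak = {u: md5_unsalted(p) for u, p in users.items()}
    print("unsalted MD5 cracked:", crack_unsalted(build_lookup_table(wordlist), list(weak.values())))
    print("distinct MD5 values for 3 users:", distinct_hashes(list(weak.values())))

    strong = {u: hash_password(p) for u, p in users.items()}
    print("distinct salted values for 3 users:", distinct_hashes(list(strong.values())))
    print("login ok:", verify_password(strong["alice"], "letmein"))
    print("wrong password:", verify_password(strong["alice"], "letmein!"))
```

Two users with the same password produce one MD5 value, and a table built once from a wordlist cracks both in a single lookup; with a random salt the same two passwords yield two different records, the table is worthless, and each account costs the attacker a fresh run of the full iterated hash. The `needs_rehash` check is the hook for migrating old records (an MD5 or low-round population, say) to the current policy one login at a time.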

None of these practices is extremely effective by itself, as each protects against a different cracking technique. Used in combination, they are very effective indeed.