Your passwords are never really safe

There have been a lot of user credential leaks lately according to media.
Some of them involve whole user databases with all kinds of credentials, and some involve “only” credit card numbers and so on.
It usually depends what the attacker is after when he/she/they break into the servers of the targeted company.

The thing that people don’t always know about this is that there are passwords being leaked all the time from hundreds of websites without
us even knowing about it. Some really huge leaks will never see daylight because the people behind the site never detects the intrusion, and the people behind the attack wants to keep it to themselves. Personally I have a unique email for every account I create, so that if they give out my details to a third party or if someone breaks into their systems, I’ll know.

Fresh databases with user credentials are worth a lot to many people on the black market for several reasons.

  • The email addresses can be used for spam
  • The email and password combination can be tried against different services like Facebook or Twitter and used for a number of things (spam being one of them)
  • The passwords can be put into a wordlist and used for cracking other passwords in the future

There have been many cases where website owners haven’t encrypted or hashed the passwords of the users, which have made life a lot easier for the intruder who then steals and potentially leaks the information (actually a lot easier, since very long passwords are harder to crack by brute force as it takes an enormous amount of time). But of course, today in most cases we see that they use some sort of encryption or password hashing. And even though this is a very positive thing, it doesn’t always help that much. If your password is too short and the password has been hashed, then it is in most cases lost. If it has been encrypted then there might still be hope, but then the hope lies upon the safety of the encryption key. And if the intruder has gotten access to the database, then the key might not be safe either.

The thing about the mind of a hacker that people don’t think about, is that a determined hacker wont stop just because it’s complicated or a hassle. If it’s a “hard to exploit” vulnerability then it simply means that it’s all a matter of time. And if the hacker thinks it’s worth the trouble, then years can be spent breaking in if needed. It’s the same with these databases. You all probably know about the Adobe intrusion and how all the users information was leaked on the Internet. These passwords were encrypted, although in a way that makes them not unique which has the problem of one password in its encrypted state will look the same for all users with the same password. This database has as of this date (as far as we know), not been completely cracked as the encryption key has not been discovered. But I’m sure that someone somewhere is working on that. Some determined hacker wants to get their hands on the key. Computers are getting faster and faster, so it’s just a matter of time.

I would like to demonstrate the typical process of your password getting in the wrong hands.
I downloaded the published dump of the password list with over 1500000 password hashes from users of the site.
Then I loaded them all into a password cracker called oclHashCat, and within seconds this was the result.

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1) [6]
Hash.Target....: File (/home/cats/eharmony-hashes.txt)
Hash.Type......: MD5
Time.Started...: Wed Aug 13 21:42:11 2014 (4 secs)
Time.Estimated.: Wed Aug 13 22:50:22 2014 (1 hour, 7 mins)
Speed.GPU.#1...: 57925.6 kH/s
Speed.GPU.#2...: 62493.3 kH/s
Speed.GPU.#3...: 63531.4 kH/s
Speed.GPU.#4...: 42643.3 kH/s
Speed.GPU.#*...: 226.6 MH/s
Recovered......: 73454/1513805 (4.85%) Digests, 0/1 (0.00%) Salts
Progress.......: 738197504/735091890625 (0.10%)
Skipped........: 0/738197504 (0.00%)
Rejected.......: 0/738197504 (0.00%)
HWMon.GPU.#1...: 38% Util, 52c Temp, 43% Fan
HWMon.GPU.#2...: 36% Util, 48c Temp, 36% Fan
HWMon.GPU.#3...: 31% Util, 49c Temp, 45% Fan
HWMon.GPU.#4...: 33% Util, 47c Temp, 36% Fan

As you can see, 73454 passwords were recovered within 5 seconds. After 2 minutes the status is “388429/1513805 (25.66%)”. And this is by sheer brute force (I usually start with brute force when cracking MD5 since it’s so fast anyway). I haven’t even started to use my wordlists yet. By getting all these passwords in clear text I expand my database of wordlists with more user passwords that can be used in attacks later on. After about 1 hour I decided to stop the brute forcing process and try with a wordlist instead.

As you can see on this result there is one GPU less. This is because one graphics card broke during the brute forcing of the passwords. I have disconnected the damaged card for now until I can take a closer look later to see if it can still be used or not. Anyway as you can see, after only 5 minutes we have cracked 106794 passwords with the wordlist, leaving about 676732 still unsolved. Now, this list of passwords has already been cracked once my someone else, so I wont go for 100%.

Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: File (../dics/crackstation.txt)
Hash.Target....: File (/home/cats/eharmony-hashes.txt)
Hash.Type......: MD5
Time.Started...: Thu Aug 14 08:30:44 2014 (5 mins, 51 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 3204.3 kH/s
Speed.GPU.#2...: 2937.5 kH/s
Speed.GPU.#3...: 2942.3 kH/s
Speed.GPU.#*...: 9084.1 kH/s
Recovered......: 106794/783526 (13.63%) Digests, 0/1 (0.00%) Salts
Progress.......: 1167547735/1167547735 (100.00%)
Skipped........: 0/1167547735 (0.00%)
Rejected.......: 14082514/1167547735 (1.21%)
HWMon.GPU.#1...: 29% Util, 49c Temp, 40% Fan
HWMon.GPU.#2...: 64% Util, 48c Temp, 35% Fan
HWMon.GPU.#3...: 64% Util, 45c Temp, 37% Fan

So to summarize. Pick long and complex passwords, and preferably unique ones for every site you register at. Personally I try to make up rules in my head for my passwords, and then I make up phrases for them. “Ch1ldOfL1ght1s@Gre@tG@me” is an example of a good password. Length is better than complexity, but it’s even better if you can mix in both. Also, if a site gets hacked and you have an account there, don’t trust that they have encrypted or hashed your passwords correctly. If it’s an important password that you have used in several places then you should always assume the worst and change it as soon as possible.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.