Monday 25 November 2013

Password Hints

OK let me preface this by saying this: I absolutely hate password hints and secret questions. Generally speaking anything you put in there can be found by friending someone on facebook, a quick google or simply guessing. They are the epitome of a bad idea, sure they have some use. If you forget your password the hint if constructed correctly could remind you and only you, however most people don't understand this.
If it is a secret question an answer, where the question is predefined such as mothers maiden name, it can take a few guesses (smith anyone), or a quick search and you will have it. Everything else is trivial, and this was how Sarah Palin's yahoo email account was humorously compromised back in 2008.

Forgetting all that, adobe gave us another insight as to why it is bad.

I know a lot has been said about adobe, including the excellent (although conservative number of users impacted) article by Brian Krebs here.

But there is something else that needs to be learnt from this breach.
Sure your password hint could be terrible but maybe the web application logs someones IP when they go to that for later alerting etc if a bad guy does compromise the account. But what if the DB gets walked, and all those juicy password hints or secret questions and answers are stored in plain text... then you have a problem even if you correctly store you passwords (which adobe didn't).

So lets say you do correctly store your password as a per-user salted sha1+ hash, good, but now you allow users to have a password hint like adobe. When someone has their password hint as their password in another language then they fail very quickly. For example (this is not a real entry, but made to look like one from the adobe breach);

78114563-|--||-BsscHGd8aIjiwxG2CaWrHSw==-|-Gato x3|--

If we forgive the obviously non-hashed password in the 4th column, we see in the last column the password hint is simply Gato x3, or you know maybe Cat typed out three times. So even if this entry had an irreversible hashed password, the hint would give it all away if the DB where accessed.
Maybe they should instead store their hint as a reversible encrypted string with an individual key for each user. This would mean the server when the user wants to use their password hint would look up the key from the internally accessible internal key server for the username and decrypt the hint. It would mean if the db is walked via an SQL injection or direct attack they aren't necessarily going to get the keys to decrypt the password hint. For a secret question and answer, you should salt and hash the answer and if you are using user defined questions you should encrypt those too just to reduce what is leaked...

Using an encrypted password with the same decryption key for all users or using an unsalted hash means that the resulting password string whether it is BsscHGd8aIjiwxG2CaWrHSw== or 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 will be the same across all users meaning if you break one you break them all. The same goes for your "password hint" or "secret question and answer", should people take my advice and start encrypting them.

Of course all of this only works if you care about security. If you aren't going to hash your passwords. Or worse store them in plain text as Cupid Media did, then you probably don't care about users password hints, and will probably store them in plain text.
Realistically no-one has any excuse now, google authenticator for two factor has been open sourced, OpenID, SAML can be used to authenticate you to a central store and then you are done, like UbuntuForums did, post their breach, move to UbuntuOne the openID provider. People like adobe should really switch to one of these, to reduce their authentication load. The users should be forced at these central providers to 2-factor auth. If you forget your password at one of these central providers then you have a convoluted way to retrieve it via out of band identification, via either partnership with a bank or other multi-vendor approach, eg go into these news agencies and show 100 points of ID to get your password reset.

My point I am trying to make is this, if it is used for authentication it should be encrypted, preferably and sufficiently strong hash (SHA1 or greater) that is salted. Nothing but the username and row ID of your authentication table should be plain text. It is only a matter of time before these passwords in the 10gb adobe database are broken and the key used to decrypt them is found, if it hasn't happened already.

Add these ~130million adobe accounts with the 42million from the Cupid Media and I think we should declare this month, change password November, I know the few sites that used the same password as my account on adobe have now all been changed, have yours? If you use the same password everywhere, then now is the time to look at keepass or lastpass to store your single use passwords in a manner that allows for your protection. Heck even Google's Chrome and Firefox have built in password managers with cloud sync and encryption, so there really is no excuse.

I am doing a CTF for some peeps, thought I'd put this here to be searchable.. these are the real sums of these phrases;
BC1A7086C334A3C3E2AC638DF4C82A58DEBC6CF2DAF05C4B1D17E9896BC69908:red herring
Or check it here; or on your bash shell with echo -n redherring | sha256sum

No comments:

Feel like donating to me, Bitcoin; 1BASSxgFZ2j8VfXFrWJHNvYdQXDtJKAUuN or Ethererum; 0x2887D4B4fe1a7162D260CeA7E1131AF8926bd87F