Something I don't get about passwords stored in databases. And hacking them.

Locut0s

Lifer
Nov 28, 2001
So as everyone knows by now Steam has been hacked and Valve has let everyone know that it's possible that a database with personal info, including CC numbers, was stolen. They recommend everyone change their passwords, deauthorize all their computers and keep an eye on their CCs for now. They did say that the CC numbers at least were encrypted, which is good news. From what I understand when Sony was hacked some months back they had everything stored as plain text o_O At any rate, every time you hear about a database being hacked you hear them tell you, reset your passwords. Does this mean that all these sites are storing your passwords as plain text? And if so, why? I remember reading a very simple beginners' book on building web applications and even at this basic level they gave an example of storing user passwords just as hashes. That is, you hash the password and store that, not the actual password itself. And you validate against the hash.

For those who don't know, a hash is a unique alphanumeric string that is generated from any other arbitrary alphanumeric string, like your password, via an algorithm. It's unique so that every unique string will map to another unique string, and it's non-reversible so you can't go back to the original from the hash.

Is this not the default being used for ALL stored passwords?
 

mmntech

Lifer
Sep 20, 2007
All I know is cash is king and I'll be using prepaid cards to shop online from now on.
 

Rage187

Lifer
Dec 30, 2000
Meh, PCI-DSS compliance forced everyone's hand and everyone should be encrypting everything now.
 

xSauronx

Lifer
Jul 14, 2000
Is this not the default being used for ALL stored passwords?

The provider Microsoft uses for offering free software to students stores account passwords in plaintext. I forgot mine a few months ago and thought I'd get a reset email... they were kind enough to save me the trouble and just send me the password.

My student insurance company did the same as well. It's absurd.
 

blinblue

Senior member
Jul 7, 2006
There are still a lot of places that store passwords as plain text, or at least in some decryptable manner, because the "forgot password" process will email you your password in plain text. And unless I'm mistaken (which is perfectly likely as I am not an expert at such things) the password should not be able to be gotten from the hash even by the people in control of the database, which means that any place that can email your password is storing it insecurely.
 

Locut0s

Lifer
Nov 28, 2001
The provider Microsoft uses for offering free software to students stores account passwords in plaintext. I forgot mine a few months ago and thought I'd get a reset email... they were kind enough to save me the trouble and just send me the password.

My student insurance company did the same as well. It's absurd.

Yeah, I've had some instances as well on other sites where I forgot my password and was able to get them to send it to me. WTF, if your security is done correctly you aren't supposed to be able to send it to me!
 

Locut0s

Lifer
Nov 28, 2001
There are still a lot of places that store passwords as plain text, or at least in some decryptable manner, because the "forgot password" process will email you your password in plain text. And unless I'm mistaken (which is perfectly likely as I am not an expert at such things) the password should not be able to be gotten from the hash even by the people in control of the database, which means that any place that can email your password is storing it insecurely.

Yeah, if it's stored as a hash there is simply no physical way for them to get your password at all. You have to create a new one. However, they COULD still be encrypting your password then decrypting it, but I don't see why they would ever need to do this as they don't need your password itself at any time except as a form of validation, which the hash serves just fine.
 

Locut0s

Lifer
Nov 28, 2001
If it's encrypted, it can be decrypted. /thread.

Not if they don't have the key. Any modern 128-bit encryption scheme has so far been shown to be uncrackable. Assuming you don't have the key, of course. And brute force attacks would take thousands of years.
 

frostedflakes

Diamond Member
Mar 1, 2005
The passwords in the PSN breach were hashed weren't they?

Anyway, depending on the hashing algorithm(s) used, short and weaker passwords can still be brute forced relatively easily from what I understand. The idea behind hashing passes is to delay a hacker in the event of a database breach. All it does is buy your users some time to change their password after you detect the leak; it's not meant to make passwords impossible to crack. Very strong passwords (20 character random alphanumeric, something like that) can't really be brute forced with current hardware, but we all know that the vast majority of people use weak passwords that could probably be brute forced pretty quickly on a single $50 GPU.
 

Sho'Nuff

Diamond Member
Jul 12, 2007
If it's encrypted, it can be decrypted. /thread.

But not that easily, if proper encryption is used.

It would take a hell of a long time to decrypt an AES encrypted password without the appropriate key(s).
 

Locut0s

Lifer
Nov 28, 2001
Meh, PCI-DSS compliance forced everyone's hand and everyone should be encrypting everything now.

I don't get WHY they don't encrypt everything and anything in their databases!? Sure, forum databases of posts and user names can be kept as plain text, but at this point why not encrypt EVERYTHING else? It's not like you sign in and out hundreds of times a minute or anything; the hardware requirements should be minimal. And doesn't just about every database API make encryption and decryption extremely simple to implement?
 

Locut0s

Lifer
Nov 28, 2001
The passwords in the PSN breach were hashed weren't they?

Anyway, depending on the hashing algorithm(s) used, short and weaker passwords can still be brute forced relatively easily from what I understand. The idea behind hashing passes is to delay a hacker in the event of a database breach. All it does is buy your users some time to change their password after you detect the leak; it's not meant to make passwords impossible to crack. Very strong passwords (20 character random alphanumeric, something like that) can't really be brute forced with current hardware, but we all know that the vast majority of people use weak passwords that could probably be brute forced pretty quickly on a single $50 GPU.

My understanding was that everything was plain text in the PSN hack, but I could be wrong. And yeah, you're right, I see why they still tell people to change their passwords even if they are hashed.
 

lxskllr

No Lifer
Nov 30, 2004
I think the idea is to crack the hash, and then use the password that corresponds to the hash. Rainbow tables can speed the process up a bit.
 

sciencewhiz

Diamond Member
Jun 30, 2000
A simple password that is hashed isn't safe because of rainbow tables. Passwords should be hashed with a salt.

The Valve announcement did say that the passwords were hashed and salted.
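A worked illustration of two points raised in this thread (validating a login against a stored hash rather than the password itself, and why a per-user salt defeats a precomputed hash-to-password table), added here as an example and not code from the thread or from Valve. It uses Python's standard hashlib with constructed sample passwords and PBKDF2 as the salted, deliberately slow hash:

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords (not from any real breach).
WEAK_PASSWORDS = ["password", "123456", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor: slows each guess down


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> password table; rainbow tables are a compact form of this."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """An unsalted hash is recovered by a single dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash: a fresh salt makes every stored value unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> dict:
    """What the database keeps: salt, work factor and hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "hash": salted_hash(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    salt = bytes.fromhex(record["salt"])
    candidate = salted_hash(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    table = build_lookup_table(WEAK_PASSWORDS)
    print("unsalted recovered:", lookup_unsalted(unsalted_hash("letmein"), table))
    rec = store_password("letmein")
    print("salted hash in table:", rec["hash"] in table)
    print("correct password verifies:", verify_password("letmein", rec))
    print("wrong password verifies:", verify_password("Letmein", rec))
```

Two users with the same weak password get different salted records, so a table built once cannot be reused across the whole dump; the attacker is pushed back to guessing per account at PBKDF2 speed.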
 

Jeff7

Lifer
Jan 4, 2001
Not if they don't have the key. Any modern 128-bit encryption scheme has so far been shown to be uncrackable. Assuming you don't have the key, of course. And brute force attacks would take thousands of years.

Unless you have a bank of PS3s doing the processing. :p

Or maybe you get really really really lucky and get it right on the first try. :)
 

Locut0s

Lifer
Nov 28, 2001
I think any form of encryption would make the practicality of using any stolen database not worth the cost. Assuming it wasn't military intelligence or something. I could be wrong, but I'm not sure there is a single case of actual true encryption being broken and then having said data sold off and used. The vast majority of (all?) cases where personal info has been accessed and used has exploited stupidity. Databases being left completely open, firewalls turned off, jilted lovers giving away passwords, employees being tricked into installing keyloggers, the list goes on. There are so many ways around good security that it's probably not in the hackers' interest to even try breaking any encryption if they haven't managed to trick someone into giving them the key or just the raw unencrypted data. So even if it's technically possible to brute force some of these things, I don't think many would bother trying. Why take the time when your next target will just give you all the info in a txt file.
 

Gooberlx2

Lifer
May 4, 2001
At any rate, every time you hear about a database being hacked you hear them tell you, reset your passwords. Does this mean that all these sites are storing your passwords as plain text?

Some store as plain text, but even sites using good practices will recommend it. That's just them covering their rears, just in case you use the same password for every site you visit.
 

Aluvus

Platinum Member
Apr 27, 2006
I could be wrong but I'm not sure there is a single case of actual true encryption being broken and then having said data sold off and used.

When Gawker was hacked, it was revealed that they were using the ancient DES standard, which was broken over a decade ago. Passwords were cracked and some Twitter accounts (where users had reused their Gawker password) were apparently hijacked by spammers. Not exactly the crime of the century.

But yes, if they had used competent encryption it would not have been such an issue.
 

Locut0s

Lifer
Nov 28, 2001
When Gawker was hacked, it was revealed that they were using the ancient DES standard, which was broken over a decade ago. Passwords were cracked and some Twitter accounts (where users had reused their Gawker password) were apparently hijacked by spammers. Not exactly the crime of the century.

But yes, if they had used competent encryption it would not have been such an issue.

Huh, thanks for the info, guess I was wrong. Didn't think anyone would be using that anymore.
 

manlymatt83

Lifer
Oct 14, 2005
Encryption/decryption has a ton of overhead, so encrypting "everything" isn't always the best idea. I've worked on authentication databases getting thousands of queries per second. The standard is a seeded hash. But it's only meant to temporarily slow an attacker down.