Ubuntu Forum hacked

Discussion in 'Technology Advice' started by walesrob, Jul 24, 2013.

  1. walesrob
    walesrob Administrator Staff Member

    Had an email today from the admins at the Ubuntu forum saying they've been hacked, and the hackers have managed to get hold of not just usernames and email addresses, but passwords, even though these are in encrypted hash format. The attack was so bad, the forum is offline and a splash page in place while the forum is rebuilt.

    How did hackers manage to hack passwords if they are stored as 'salted hashes'?
  2. oss
    oss Somewhere Staff Member

    Dictionary attack to generate the hash: you work forward by guesses made until you get a matching hash. With salt you have to do this for each individual password one at a time; you can't crack thousands all at once, but it will still succumb to a brute force attack in the end.

    The salt is usually stored in the same table as the hashed passwords.
  3. Markham
    Markham Guest

    That forum has been down for quite a few days - almost a week, I believe.
  4. Howerd
    Howerd Well-Known Member Trusted Member Lifetime Member

    The Consumer Action Group forum was hacked a few weeks ago. They certainly got hold of email addresses (I use a unique email address for each forum). But my repeated questions to the forum owners whether username/passwords were also hacked went unanswered, though they did usefully (to a hacker) publicly state on the forum what hash method they use and the number of iterations!
  5. Kuya
    Kuya The Geeky One Staff Member

    Big sites always get hacked, sad fact of modern internet life..

    If I noticed a brute force attack on here I would shut the site down, but these people usually strike at times of no or little traffic. That said, there would be little to gain from hacking a smaller forum when the likes of CAG use the same software but yield far greater results..
  6. Howerd
    Howerd Well-Known Member Trusted Member Lifetime Member

    Many forums only get to know of any hacks when users such as myself, who have unique e-mail addresses on every website, point out the problem to them. Even then, they often find no trace of any hack, merely relying on the number of users with unique passwords who say their e-mail has been leaked.

    On smaller websites there may be no one using unique e-mail addresses, so the hack may never be determined or even suspected. A simple method of hack detection is for site admins to register on their own website as standard users with unique e-mail addresses from a number of email providers. That way, you will get to know pretty quickly when your site has been hacked!

    I guess there can be security problems with vBulletin as well as with site admins failing to employ proper security measures. For larger sites there is the potential for rogue employees as well. CAG blamed one hack a few years back on a former employee. But legal action was commenced by the former employee and the forum owner had to publish an announcement on his own website, with a full retraction and apology.

    I think CAG and MSE have both been hacked at least twice each. MSE being the biggest forum in the UK, so the rewards can be pretty rich.
    Last edited: Jul 24, 2013
  7. oss
    oss Somewhere Staff Member

    Unless you have access to the source code Howerd, it's not that easy to intercept passwords. The user id and password should be streamed down the wire under SSL, so the only time they are available un-encrypted is in the server side web code, and just for an instant: the username is used to look up the account record, and then the password should have the hashing algorithm and salt applied to generate the hash from the password; if the in-memory hash is equal to the hash value in the database then the user is validated. The password ideally should never be stored in a standard string variable after its transport over the wire; it should be stored into a SecureString, which can be disposed of fairly well. However nothing is absolutely secure, and an attacker who has access to the web server computer essentially can do just about anything.
  8. Markham
    Markham Guest

    I don't know about vBulletin which powers this site and Ubuntu's forum, but others such as IPB, SMF and Wedge all hash the password on the users' machines and their browser only sends the username and the hash of the password to the server. Although that is safer than transmitting the password in 'plain text' and have the server check it, it merely delays the inevitable - by possibly no more than a microsecond.

    There's a very interesting article, dating back to April 2011, which explains how the powerful GPU on a graphics card can be harnessed to carry out parallel processing tasks such as password cracking. For example, using a Radeon 5770-based graphics adaptor, a 5 character password, comprising upper and lower case characters, can be cracked in less than one second - at a rate of 2,492,830,280 passwords per second; by comparison a program using the CPU took about 24 seconds (9.8 million passwords per second). However it would take about 7 years for the same GPU to crack a 9 character password, made up with a mix of upper and lower case letters, numerals and symbols, for example H<k7$6fVJ. Newer graphics cards will be even faster.

    The above link does link to two perfectly legal programs, written by different authors, and using the methodology contained in the article, you can check your own password's effectiveness.
    Last edited by a moderator: Jul 25, 2013
  9. oss
    oss Somewhere Staff Member

    Makes almost no difference hashing it on the client side: a network sniffer will still be able to see the hash of the password, which could still be used to gain illegal entry to a site. The point here is that with end to end SSL there is no plain text until you arrive further up the TCP stack on the web server. I know for a fact that Microsoft's default Membership API in ASP.Net and MVC4 ASP.Net has clear username and passwords server side, as I output them to the debug console in my code, exactly what one should not do as one might forget to switch off the debug option ;) :D

    Back in 1997 I ran a password cracker on a Windows NT4 server; in the space of about 2 seconds I had all the passwords on that machine. At least Novell's NetWare was a lot harder to crack back then :)
  10. Howerd
    Howerd Well-Known Member Trusted Member Lifetime Member

    It is worrying when a specialist computing forum is hacked, as one would assume they take precautions that less savvy sites may not, in order to protect their data.

    Since I started using unique email addresses on websites, I have identified three websites that I use that have been hacked: Money Saving Expert, Consumer Action Group and Global Test Market. I am now getting those Viagra emails to my Global Test Market email address.

    By using unique alias email addresses on each website you register on, a hacker cannot hack your email account or any other account you have on another website, as he does not know what the true email address is in order to log in. You can also make it harder for the hacker by ensuring your passwords are unique and two-factor authentication is switched on (where available).

    A recent article showed that once a database of 16,000+ hashed passwords has been obtained, up to 90% of passwords can be cracked within one hour, including: qeadzcwrsfxv1331.

    When I run qeadzcwrsfxv1331 through checkers to determine if it is a strong password, they all say it is very strong, and https://howsecureismypassword.net/ says it would take 63 million years to crack on a PC! But this password and thousands of others were determined within one hour from the hashed password and salt...

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    And I am pretty sure it does not take 63 million man-years to hack a website like MSE, that contains millions of usernames/passwords/email addresses!

    I still think client-side hashing is important as it ensures your real password is never transmitted. Site certificates can be spoofed these days and if your connection is intercepted by someone using a fake certificate, they will have your real password too, and we all know that most people use the same password on many sites.

    Another important feature of hashing is the number of iterations your password is put through the hashing algorithm. CAG only hashes passwords twice using the less secure MD5 algorithm (I think this is server side only). But a website like Lastpass uses thousands of iterations server side, and the default iterations on the client side is 5,000 (but this can be increased by the user as desired). The more iterations, the more time consuming it is to derive the password from the hash/salt. Lastpass also uses the more secure SHA256 algorithm rather than MD5.

    Lastpass also uses SSL EV certificates which apparently cannot be spoofed (at least not in Chrome and Firefox) - just look out for the long name of the website highlighted in green in the URL bar. That means you can be sure that your connection has not been intercepted by an MITM attack with a fake certificate. Other websites that use SSL EV certificates include Paypal, Twitter and probably all banking websites.
    Last edited: Jul 27, 2013
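    The server-side check oss describes (look up the record, apply salt and hash, compare) and the iteration-count point Howerd raises, as an added illustration that is not code from this thread or from any forum software. It assumes PBKDF2-HMAC-SHA256 as the salted, iterated scheme and an iteration count of 20,000; the "MD5 twice" function stands in for the weak scheme and is only there to compare the per-guess cost a stolen database forces on an attacker.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Assumed iteration count for the illustration; not any real forum's setting.
ITERATIONS = 20_000

def pbkdf2_guess(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) of one candidate password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def md5_twice(password: str, salt: bytes) -> bytes:
    """The weak scheme mentioned in the thread (MD5 applied twice), kept only for the cost comparison."""
    return hashlib.md5(hashlib.md5(salt + password.encode()).digest()).digest()

def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """What the server stores: a random per-user salt, the iteration count and the hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "iterations": iterations, "hash": pbkdf2_guess(password, salt, iterations)}

def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the submitted password and compare in constant time."""
    candidate = pbkdf2_guess(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different hashes, so each record must be attacked separately."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(password, a) and verify(password, b)

def seconds_per_guess(fn: Callable[[str], bytes], rounds: int = 20) -> float:
    """Average wall-clock cost of one candidate under a scheme, i.e. the work a cracker must spend per guess."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate{i}")  # constructed candidates; their content is irrelevant to the timing
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    rec = make_record("correct horse battery")
    print("right password:", verify("correct horse battery", rec), " wrong password:", verify("wrong", rec))
    salt = os.urandom(16)
    weak = seconds_per_guess(lambda p: md5_twice(p, salt))
    strong = seconds_per_guess(lambda p: pbkdf2_guess(p, salt))
    print(f"2xMD5: {weak * 1e6:.1f} us/guess; PBKDF2-SHA256 x{ITERATIONS}: {strong * 1e3:.1f} ms/guess")
```

    The ratio printed at the end is the whole argument for iterations: every guess an attacker makes against the stolen table costs the same as one login check on the server, so the defender chooses how expensive that is.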
  11. oss
    oss Somewhere Staff Member

    Most developers are just ordinary guys, they work 9 till 5 and try to do their best but all program code written by humans is vulnerable as we all make mistakes no matter how good we think we are.

    The example you quote in the link did not use salted passwords see this quote

    And the other point is that this exercise only works if you have already captured a data file of some kind containing the user data. You simply can't do this kind of cleverly engineered brute force attack against internet facing systems, as the time involved is massive; it only works when the data is local to the system that is being used to crack it, in other words after you have penetrated a company's external security systems or compromised their security from within.

    Most commonly this kind of data is leaked accidentally, for example discarded hard drives that have not been cleansed, in the old days discarded floppies, and of course the external consultant who lacks any ethics and steals the files just for the hell of it after obtaining legitimate access to a company's systems.

    I only have two systems that I trust implicitly: one is online and the other is Truecrypt. I won't go over the Truecrypt discussions again; as I only use it to conceal my intellectual property it is more than adequate for that job, and if a Truecrypt encrypted device of mine fell into the hands of a hacker they would not have any hashes to use to start the guessing. Saying that, my passwords might still succumb to modified dictionary attacks, but it would take a while.

    The online system that I referred to and that I use can't be broken in any reasonable timescale: it takes over a second for a single attempt, and the server end does not have any hashes or any way to reverse engineer my data should I forget my password. The source code for this is also open source; the protection does not rely on any tricks. The only downer is that it's not cheap for the amount of storage I have, but I would never get rid of it, nothing else comes even close.
  12. Howerd
    Howerd Well-Known Member Trusted Member Lifetime Member

    Well, I have around 100 websites I log into. That means around 100 unique passwords and many of those could probably be hacked should the corresponding website get hacked. Eight character passwords may well be strong enough against an internet-facing attack on my account, but if a website is compromised and hashed passwords stolen, eight characters is simply not enough.

    Passwords really need to include random upper case, lower case and digits. Not all sites accept special characters of course and what special characters they may accept can differ between websites. I had a problem logging into Halifax a few years ago when it updated the website. It turned out that spaces were not allowable in passwords even though they had been previously. Result - I was locked out of my account during a two-week Russian holiday! So, I won't be using any special characters in passwords.

    Some sites will also limit the length of passwords to as little as 10 characters and that is probably not enough. I reckon I will now use 15 random characters where that is possible. But how to remember 100 unique 15 character passwords without saving them anywhere? One solution may be this...

    https://play.google.com/store/apps/details?id=info.staticfree.SuperGenPass

    It allows you to reproducibly generate passwords for a given website on the fly from a master password, web address and a salt of up to 4096 bits. Running on an Android phone with no internet connection means it is not prone to hacking. But logging-in will certainly be rather time-consuming as there would be a lot of typing on both the phone and the computer.

    I had even wondered if it was worth always logging-in to websites using the password reset feature each time? But that could be fraught with dangers with an MITM attack between the website and email account.
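    The idea behind the generator Howerd links (master password + site + salt, re-derived each time, nothing stored), as an added illustration that is not SuperGenPass's own algorithm or code. It assumes PBKDF2-HMAC-SHA256 with 100,000 iterations, a 15-character output and a letters-and-digits alphabet, matching his points about sites that reject special characters and his rule that upper case, lower case and digits must all appear.

```python
import hashlib
import string

# Constructed illustration in the spirit of a per-site password generator; NOT SuperGenPass's algorithm.
# Letters and digits only, since some sites reject special characters; length and iterations are assumptions.
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000

def has_all_classes(pw: str) -> bool:
    """Howerd's rule: random upper case, lower case and digits must all be present."""
    return any(c.isupper() for c in pw) and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)

def site_password(master: str, site: str, salt: bytes, length: int = 15) -> str:
    """Re-derive the password for one site from the master password, site name and salt.
    Nothing is stored; the same inputs always give the same output, and the site name is
    normalised to lower case so 'Example.COM' and 'example.com' agree."""
    counter = 0
    while True:
        # The site name and salt act as the per-site salt for the master password.
        info = site.lower().encode() + b"|" + salt + b"|" + str(counter).encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), info, ITERATIONS, dklen=32)
        n = int.from_bytes(key, "big")  # 256 bits is plenty for 15 base-62 symbols
        chars = []
        while len(chars) < length:
            n, idx = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if has_all_classes(candidate):
            return candidate
        counter += 1  # rare: re-derive until all three character classes are present

if __name__ == "__main__":
    salt = b"constructed-salt"  # the real tool lets the user choose this
    for site in ("example.com", "forum.example.net"):
        print(site, site_password("my master passphrase", site, salt))
```

    The one thing this does not remove is the master password as a single point of failure: a site that captures the derived password learns only that site's value, but the master itself must still be long and never typed into a website.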
  13. walesrob
    walesrob Administrator Staff Member

    The forum is back online now, but what's interesting is they've moved everyone over to the Ubuntu SSO (Single Sign On) to log into the site, which I think is a good idea as it separates passwords from the main forum database.

    The one thing I've found with this episode when I've had to change passwords for other forums in light of the attack on Ubuntu Forums is thinking of new passwords. I've started using obscure place names from all over the world along with capitals/random numbers to make a password more difficult to guess and that don't seem to follow any pattern - example HengFaCheun in Hong Kong or RdumTalMahruq in Malta.
  14. Howerd
    Howerd Well-Known Member Trusted Member Lifetime Member

    No doubt, the fact that you have published those passwords here could mean that web-bots will pick them up and include them in databases of known passwords and also in rainbow tables. So you could be stymied if you have really used those passwords on sites that are subsequently hacked and password hashes are stolen.

    But even without a web-bot harvesting your passwords from here, I suspect that such passwords could be easily broken anyway, given the corresponding hashes (hacked from a website) and using password cracking tools, such as JOHN THE RIPPER or HASHCAT, and a suitable dictionary. Each of your three examples can be split into known words/names at the very point where you have capital letters...

    Rdum Tal Mahruq
    Hen Fa Chen

    You may not be as safe as you think!
    Last edited: Jul 31, 2013
  15. walesrob
    walesrob Administrator Staff Member

    Nope, they haven't been used, I don't think I'd be daft enough to do something like that! Anyway, if web-bots do want to have a go with those 2 examples, good luck, they are not gonna get very far as they don't exist in any of my logins, and apart from that I did say I include numbers as well.