*
programming and human factors
by Jeff Atwood
*
In my previous post I Just Logged In As You, I disclosed that someone was logging in as me -- specifically because they discovered my password. But how?
If I wanted to discover someone's password, I can think of a few ways:
So which of these methods did this person use to obtain my password? None of them.
It wasn't a guess and it wasn't brute force.I guess I can tell you, so you don't fall into this trap again. There's a site I help out with that doesn't salt their passwords. They're MD5 encrypted, but if you've got a dictionary password, it's very easy to use a reverse-MD5 site to get the original. I was able to figure out you were a user on the site some time back, and realized I could do this, if only I knew your openid provider...
(As an aside, I complained to the head of the site months ago that he ought to start salting passwords for this exact reason. I also run my passwords I need to be secure through a few reverse-hash websites, just to ensure that it's not stored somewhere.)
So, the unethical part was actually looking up this information in the first place. I apologize. But like I said, better than someone else getting into this data.
Hey, it looks like you're storing passwords incorrectly!
We have met the enemy, and he is.. programmers just like us. Seriously, go read that blog entry. It is exactly, exactly what just happened to me.
When I say programmers like us, I mean me, too. I acknowledge that I am also at fault here, for...
All of this is true, and I shoulder the blame for that. Perhaps I should take my own advice. A moment of weakness, I suppose.
The important thing to take away from this, if you're a programmer working on an application that stores user credentials, is to get the hell out of the business of storing user credentials! As we've seen today, the world is full of stupid users like me who do incredibly stupid things. Are you equipped and willing do everything necessary to protect idiots like me from myself? That's a key part of the promise of OpenID, and one of the reasons we chose it as the authentication system for Stack Overflow. As one commenter noted on Reddit:
I, for one, think that my OpenID provider is more secure than the average guy running a forum.
Exactly. We outsourced our user credential system to people who are much better at it than us (well, depending on which OpenID provider you pick). And also because we didn't think the world needed yet another username and password. You're welcome. I think.
So, what have we learned?
GOTO 1
(Oh, and credit to Malte, the first commenter to correctly identify what the likely password vulnerability was -- less than an hour after the entry was posted!)
Ok, I think i've finally heard enough, and tried it enough to agree that openid is the right thing to do.
ian on May 6, 2009 2:03 AMKnowing the salt and having the hash lets you do a dictionary attack on your own machine(s), so you don't need to use a MD5 database.
Trying to maintain unique passwords for each and every site is a real pain. Even the best methods are dependent on a master password, which comes with its own problems, not the least of which is that you can lock yourself out of everything.
The faster some kind of biometric scanner comes equipped by default on every network-capable device, the better.
Sal on May 6, 2009 2:40 AMI am going to go ahead and guess your password was: wumpus
Paolo on May 6, 2009 3:06 AMCould someone please explain to be -- simply but very exactly -- how a salted password would help?
From what I know, you store the salt in plaintext(-equivalent) form to concatenate the password with in order to protect against rainbow table attacks. A dictionary attack against a single password, which this was, is not harder with a salted password.
Jonas on May 6, 2009 3:24 AMI cannot stand people who say Hahaha I hacked you because your password is too weak which by the way has never happened. In my opinion it's the laziest hacking I can imagine; using rainbow tables? Even lazier. Come on, get real, come up with a new exploit or something that allowed you to find the password.
But what makes me even more bleh is the actual guy in this case: oh you signed up with a password on a site I used to work for. HAHA, that's probably the most unethical thing I've ever heard of, calling yourself ethical is anything but... That is called phishing, plain and simple; go look it up. It's so sad though, I'm so sad that people don't even try to find new exploits and just use a client side phishing attack or some stupid thing like that.
Anyway, have fun with your hopes of being someone who matters. Clearly the only thing you've done is hoped that Jeff would hire you in security; my advice, don't bother you can find this kind of experience in any 2-bit network security firm.
Suroot on May 6, 2009 3:34 AMIf my OpenID password gets owned, then I'm owned on several sites.
How is that any different than your email password getting owned? Then you're owned on EVERY site, courtesy of reset my password via email links.
1. Generate the MD5sum of your password (e.g. http://www.md5generator.com/ )
2. Google it
Yep, excellent advice.
How is an idiot supposed to work out which are the secure providers?
See above email comment. You use email, yes? Better hope they do passwords right!
most of the internet backed up 37 Signals when it came out they weren't storing salts with their passwords.
Ooh, that's really bad. I hadn't seen that.
http://www.jgc.org/blog/2009/05/can-you-trust-37signals-with-your.html
this is nothing. i once signed up for an online dating site my friend recommended.
it was piece of crap. design painful to the eye. horrible user interaction.
but something happened the next day that scared the shit out of me. I GOT MY PASSWORD EMAILED TO ME.
i deleted my account the next day. but i have a feeling that the password i used for social networking websites and news aggregation sites is still on their machine, waiting for someone to harvest it along with password of all the other users.
empraptor on May 6, 2009 4:17 AMHow is that any different than your email password getting owned? Then you're owned on EVERY site, courtesy of reset my password via email links
Indeed, providing the hacker knows EVERY site you visit. Do OpenID providers not allow you to rest passwords via email?
Steve W on May 6, 2009 4:33 AMi should mention too that passwords are apparently emailed to users of that dating site on a regular basis, maybe everyday.
i tried to email the guy who developed/maintain the site. didn't hear from him.
empraptor on May 6, 2009 4:38 AMErm... one prolonged and interwoven set of weak moments, than.
Since we are all frank and honest on the subject of broken security here... when will these oranges be uprooted and cease being pine-apples in disguise?
This orange thing has been more than the required moment of weakness now. And in case anyone (Jeff?) still wanted to retort: Well I don't see any spam I'd like to repeat: this site is *for the users* not *against the spammers*.
Right now, the real users are paying the cost to provide *no protection* against the *absent* spammers.
---
I forgot to enter the correct word again. Maybe the word is not correct anymore?
@Matt (and WhaleDawg)
I do something similar to what Whaledawg does.
Google mail = gmailyaba6319
Yahoo = yahooyaba6319
Stack Overflow = soyaba6319
It isn't perfect but it is a heck of a lot better than using the
same password everywhere.
orly? If I admin'd gmail and saw that your password was gmailyaba6319 and that you also had a yahoo email address, I know which password I would be trying first.
@WhaleDawg
While your version may be slightly more obfuscated, applying any pattern to your passwords is weakening them. And since you admit to using KeePass and rarely entering them by hand, you could just as easily be using something random and strong.
dude on May 6, 2009 5:23 AMOh, and for those who claim my password was a dictionary word, and thus this is a de-facto dictionary attack. Well, I just went to
http://www.merriam-webster.com/dictionary/
.. and entered my old password there:
The word you've entered isn't in the dictionary. Click on a spelling suggestion below or try again using the search bar above.
Like I said, it *ain't a dictionary word!* It might be in cracking tables somewhere, but it isn't a dictionary word, at least not of the type you can use in Scrabble without getting challenged..
Jeff Atwood on May 6, 2009 6:56 AMIs it worth revealing the open id provider?
Doug T on May 6, 2009 7:08 AMWill this user come forward to claim the Stack Overflow Hacker badge? I don't see any wrongdoing against SO or you, since they were nice enough to point out the vulnerability and demonstrate it. You also got two good blog posts out of it. I could imagine the owner of the other site (the one the hacker helps out at, that doesn't salt their passwords) might be a little upset if (when?) word gets out that they were hacked by a trusted volunteer, but it sounds like they were warned about using salt awhile back.
Bill the Lizard on May 6, 2009 7:11 AMThis was a good read!
Saj on May 6, 2009 7:17 AMyou should award hacker badge now... because next time next person might not rather tell you :-)
luboa on May 6, 2009 7:17 AMjeez Jeff arent you a bit afraid now, its official, you have a stalker.
Neil Naidoo on May 6, 2009 7:18 AMIs using OpenID, or Windows Cardspace for another example, beyond most users tolerance or attention span? How can we get easier?
JamesR on May 6, 2009 7:20 AMI always salt AND pepper my passwords. :P
John W on May 6, 2009 7:25 AMThis is why I do password mixing. I have a seed word I use, lets say 'Burp'. Then I choose a word for each login that makes sense, in the case of say my yahoo account 'Mail'. Then I have a 4 digit pin of, say, '5621'.
My yahoo mail password would be 'BM5ua6ri2pl1'. And if that seems really difficult to type it is, but I use KeePass portable. It's a passord database that fits on a thumb drive and runs anywhere, so I hardly ever have to enter it myself.
Whaledawg on May 6, 2009 7:27 AMI work with security software. Occasionally, I get an inside peek at how some our customers (Fortune 500, banks, governments, etc.) have dealt with security issues. Many are doing an OK job, and getting better all the time. But some... I'm telling you, it's frightening, really. They are so clueless that they cannot even begin to understand how bad their situation is.
It's the same with developers. Some are so clueless about security that they don't even realize how little they know. You tell them to salt your passwords to prevent dictionary attacks and all they hear is blah blah passwords blah blah blah blah.
Ville Laurikari on May 6, 2009 7:27 AMWhen people talk about dictionaries in reference to password cracking, they don't literally mean your copy of websters. Your password was vulnerable to a dictionary-based attack which is the important part. Who knows why... probably replacing some common letters with number or symbols. The important part is that any time you base your password on a word(s) in the dictionary you're vastly reducing the number of possible passwords that need to be checked.
btmorex on May 6, 2009 7:29 AMSo if Malte was right, who to blame? The guy that logged in as you made an even bigger mistake (could have been a setup).
// Rutger on May 6, 2009 7:33 AMhttp://xenoterracide.blogspot.com/2009/05/jeff-attwood-fails-at-password-security.html I decided to write out what I thought of this post and what I feel are inaccuacies.
Caleb Cushing ( xenoterracide ) on May 6, 2009 7:34 AMI've started to use PasswordMaker for FF and SeaMonkey. It will store the password for you too. I use multiple Master Passwords, so it does get fun guessing at what is the password for the application. Some of them I'm able to figure out if I've entered the wrong Master Password because I make some association with a word with each password I use so I can spot the wrong ones.
I believe that passwords became invalid with the advent of the internet. They can not be made safe nor secure.
Philip on May 6, 2009 7:39 AMEveryone (including Jeff) please read http://marcoslot.net/apps/openid/ and some other info on OpenID to see how it's a giant security risk.
Back in the day we spoofed the unix login with a csh script to steal passwords. Same thing works in OpenID.
Michael C. Neel on May 6, 2009 7:40 AMUh, Malte said: The most likely cause was that you used it on his site and he is logging passwords or saving them un-hashed. He didn't say anything about reverse lookup on the hash.
Tim on May 6, 2009 7:41 AMHa! I can do you one better. I once worked on a web application that didn't even hash the passwords. They were just plain text in the database. So I immediately suggested that we hash and salt the password to increase security, but there was a feature on the application to email the user their password if they had forgotten it. I explained that had to change, because we would no longer be able to retrieve the password, since it would be hashed. Instead, we would email them a link to where they could reset their password. They thought this would be an inconvenience to the users. So to prove how big a problem this was, I picked the first user in the database that had an @yahoo.com email address, went to mail.yahoo.com and used the same password they were using for our site. Sure enough, we were logged right in.
Anonymous Coward on May 6, 2009 7:41 AMI just use the Password Maker plugin for Firefox, I only have to remember the one password, and no website gets my private key (salt really).
Brad Gilbert on May 6, 2009 7:42 AMMD5 is hashing algorithm, not an encryption scheme. Two words can produce same MD5 hash, it is called MD5 collision. For more information, Google is ur friend, http://www.google.com/search?q=md5+collision
Saravanan on May 6, 2009 7:43 AMI'd just google the password. If it returns a result, I'd consider it a dictionary word.
Fred on May 6, 2009 7:44 AMNikNak the clown comes to mind from an earlier post. People in glass houses...
Eagan on May 6, 2009 7:48 AMI can't help but notice that the problem was not yours, but the OpenID provider - should they have been salting their passwords prior to storing? In which case, outsourcing your authentication may be some good advice, but certainly no guarantee.
Have I misunderstood something?
Remi.
Remi Despres-Smyth on May 6, 2009 7:49 AMI use 1Password for Mac and iPhone. It's been a long time since I had to type other than my master password, and the password generator can create impossible to decipher monsters (if that's what you need).
Martin Marconcini on May 6, 2009 7:49 AMFrankly, I thought that it would be more interesting than that. Come on, the guy sent a second mail to explain the hack just for the freaking l33t-51t badge! And wtf was There's a site I help out with that doesn't salt their passwords ... I was able to figure out you were a user on the site some time back !? And finally, oh!, it was some programmer's fault, but wait I am a programmer, does this mean that I'm a l33t-51t hacka!?
(I'm just a bit disappointed.)
q on May 6, 2009 7:50 AMdecided to write out what I thought of this post and what I feel are inaccuacies
I am having a hard time taking an article on inaccuacies seriously. Also, while we are speaking of inaccuracies, you could spell my name correctly..
Jeff Atwood on May 6, 2009 7:56 AMTim, I wouldn't classify marcoslot's attack and openId weakness but just another phishing attack. Entering your password on a non-provider site is just plain silly (it does point out a usability issue with openid but not a security risk)
derby on May 6, 2009 8:00 AMThis is one of the reasons I'm now advocating foaf+ssl. It's a more elegant scheme using browser certificates instead of passwords. You can combine it with OpenID to improve on security.
http://blogs.sun.com/bblfish/entry/foaf_ssl_creating_a_global
Dirkjan Ochtman on May 6, 2009 8:02 AMOne password to rule them all: http://passwordmaker.org/
I use it for everything EXCEPT important sites where I want to change the password. For my Google account for instance, roughly every year I generate a random 10 letter string (IOW (2*26)^10 possibilites) that I store in my wallet and somewhere at home. I obfuscate it slightly so that you can't use it directly should you steal it :)
The only problem with this is that some BRAIN DEAD website restrict the characters you can use for a password. But the MOST brain dead websites are those -- and they exist -- where they force stupid requirements on you while restricting the chars you can use, or the length. Ingram Micro for example is particularly annoying.
NMONNET on May 6, 2009 8:05 AM@Remi:
From what I understood, Jeff used the same password for his OpenID as he did for this (non-OpenID-using) website. The attacker stole the hashed password from the second website, unhashed it, and then tested it against his OpenID to see if Jeff was reusing passwords.
OpenID isn't the vulnerability - Jeff reusing passwords is.
Adam V on May 6, 2009 8:08 AMIn college I used to make money with that same trick. Hack a website that pays people with their paypal account, then use the password they registered with and attempt to log into their paypal account.
Some sites 1 in 3 would work, others 1 in 10.
Same things applies for many MMORP, hack a forum for a guild. And start trying passwords they used on the forum. Success rate is lower than the paypal and egold trick above, but selling their characters goods is way easier.
der4444 on May 6, 2009 8:13 AMBut...it wasn't the fact that the passwords weren't salted that let him get it.
It was the fact that he was a trusted individual and obviously should not have been.
Since he was helping out--I assume as a programmer--he could just as easily have temporarily trojan'ed the log-in screen and got the password that way. Or made a fake log-in screen.
You salt passwords so if someone outside of your trusted group gets a hold of the file, it makes their attack harder. It doesn't help against an inside job.
This guy just shouldn't be allowed on *any* project.
Anonymouse on May 6, 2009 8:20 AMWhile we are all waiting for the mythical promised land of OpenID everywhere, isn't it smarter to
NOT USE THE SAME PASSWORD AT EVERY SITE YOU REGISTER FOR???
:)
A pain in the ass, yes, which is why I use pwdhash. (It's a firefox extension.) It lets you have per-site passwords by entering, essentially, hash(site_domain + your_password) into password fields, rather than a straight password.
Dan S. on May 6, 2009 8:21 AMI think you're being a overly melodramatic in your crusade against people rolling their own user authentication systems.
Seriously, it is not that hard. The fact that many incompetent people try to do it and fail doesn't make it hard. I'm seriously amazed that so many people in this industry fail at something so simple to do.
You make it sound like people trying to roll their own encryption algorithm. Encryption should not under any circumstances be self-developed unless a) you are an expert and b) you submit your work for peer review.
Things aren't nearly so dire for setting up a user authentication system.
1: Generate a random salt value of sufficient length, 8 or more bytes is fine
2: Concatenate salt to user supplied password
3: Hash user combined salt + password with SHA-1 or better
4: Store salt and hash in the database
5: Use SSL for transmitting authentication details
That's it. If any programmer out there can't follow these simple, easy steps to secure their user accounts, they should find some other line of work - say, a waiter or a janitor.
OpenID is great for the convenience factor, but acting like anyone that doesn't outsource their authentication system is an idiot who is doing it wrong because it's so hard to do that noone else could possibly be doing it right is silly and downright incorrect.
Dave G. on May 6, 2009 8:22 AMCan someone link to one of these hash reversing websites?
Photar on May 6, 2009 8:24 AMUnfortunatley, in the real world, who doesn't reuse passwords? Surely you can't expect everyday Joe to keep track of 500 different passwords for all their sites they've signed up to.
This reminds me of the old days, first dot-com era, and for kicks we'd log into people's hotmail accounts because everyone used the same password for our service as their hotmail accounts.
Scary how easy it is for a provider of web services to potentially access your other services, especially if you don't use different passwords.
Moral of the story, use different passwords for different sites. It's unpractical for the average person, but as a techie, I don't have problems using one of the many third-party tools (KeePass)that manage login/password data. You also can't trust the webservice you're using to handle it appropriately on the backend.
todd on May 6, 2009 8:26 AMIt was quidjibo wasn't it?
John on May 6, 2009 8:45 AMHere's how I choose my passwords these days, so they don't repeat too often and yet I have a clue of what it ought to be by context.
My password has 8 characters.
The first two are two meaningful letters I took from the domain name's URL. So, slashdot.com, I use the s and the d from the two syllables.
Next I use four letters of which one is capitalized. The four letters are not dictionary words but can be hacker speak words. Like this, F11n for fun. I could use this fun snippet for sites that relate to fun stuff like gaming.
Finally, the last two letters are actually two numbers to indicate the number of characters the domain name's meaningful part contains, so for slashdot I count 8. Pad it with a 0 and have 08.
So my password for slashdot becomes sdF11n08.
And for OSNews it becomes onF11n06.
And so on. It at least discourages people from easily reusing my password for other sites should they have access to them.
Joao on May 6, 2009 8:49 AMI do something similar to what Whaledawg does.
1) Pick a word or character combination that describes the site in question: so=Stack Overflow, gmail=Google Mail, yahoo=Yahoo.
2) Pick a constant character string to use in all passwords that can be remembered. yaba6319
3) Concatenate them. You now have a pretty difficult password to break that is also different for each site.
Google mail = gmailyaba6319
Yahoo = yahooyaba6319
Stack Overflow = soyaba6319
It isn't perfect but it is a heck of a lot better than using the same password everywhere.
Matt on May 6, 2009 8:54 AMOpenID is not the silver bullet for this problem. Developers are still going to have to write good password storage solutions. Why?
1. People don't want their operation-critical web applications to depend on a third party. If an OpenID provider suddenly goes down (or belly-up) or has their own security breach, there's nothing they can do. By being their own authentication provider, they avoid this.
2. When I explain to a client what OpenID is, you know what he hears? That idiot Kathy in accounting is going to have the same login for my mission-critical application as she does for her Facebook account that got hacked last week.
So, no, I don't think I'll be getting out of the business of storing user credentials anytime soon. But that's okay, because I know how to do it correctly. And while I can't protect every user of every app from doing stupid things, I can advise my clients on what they *should* be doing. If they don't follow my advice, well, I've done what I can. Just like Jeff's OpenID provider did when they told him not to use the same password on more than one system.
Excellent read... slightly degraded I'm sure to hide the total truth, but fun nevertheless; Horror at its peak, huh? :)
What's better is the comments coming in about the informative tips and such -- keep 'em coming!
Cheers
Patrick on May 6, 2009 8:56 AMBy the way, I agree that this is a major let down. It's real but not very sexy. I suppose if the guy was living across the street and was using binoculars to see the yellow post it notes pasted to your computer with your password written on them you wouldn't have bothered posting about it.
At what point do you decide that this is a programming issue and not just a user being stupid and a hacker being lucky?
Matt on May 6, 2009 8:57 AMWait, so you use the same exact password on the site as what you used with your openid provider? Who's fault is that? Several browsers can remember any password regardless how complex, should not be reusing.
Quick test:
1. Generate the MD5sum of your password (e.g. http://www.md5generator.com/ )
2. Google it
If it finds it you're already in trouble. MD5 reversing websites are even more likely to find it; try http://md5.rednoize.com for example.
PHPBB2 stores passwords unsalted. (3 is a lot better.)
Maxim on May 6, 2009 9:03 AMI also run my passwords I need to be secure through a few reverse-hash websites, just to ensure that it's not stored somewhere
Sounds a bit unsafe. If I ran a reverse-hash website, I'd probably go and add to my rainbow tables all the passwords that someone has already searched for on my same search engine.
Also, I hope s/he used HTTPS to connect to the reverse-hash website. ^^
@Anon who said: @Matt (and others with similar rules) you will get 0wn3d
Not as easily as Jeff did. Anyone can be 0wn3d (what are you, a teeny bopper?). The goal is simply to make it significantly harder for the hackers yet easy enough on yourself so that it isn't a nuisance. Jeff is a celebrity. I'm not. I don't have to worry about someone tracking my usage across multiple sites. None of the passwords I generate exist in the online MD5 databases. And I make my variable part cryptic enough to where people aren't going to see the pattern. I'm not going to say how I do it but it is easy enough. You simply need something that you can easily remember for each site.
We needed to create a secure password hashing algorithm for a project and create multi platform/programming language implementations for easy integration.
That requirement created FSHP (Fairly Secure Hashed Passwords)
Fairly Secure Hashed Password (FSHP) is a salted, iteratively hashed password hashing implementation. Design principle is similar with PBKDF1 specification in RFC 2898 (a.k.a: PKCS #5: Password-Based Cryptography Specification Version 2.0)
FSHP allows choosing the salt length, number of iterations and the underlying cryptographic hash function among SHA-1 and SHA-2 (256, 384, 512).
You can reach Python, Ruby, Perl, PHP and Java implementations of it at GitHub (http://github.com/bdd/fshp)
It's also available in PyPI, Rubyforge and CPAN. You can easily install with:
Python: easy_install fshp
Ruby: gem install fshp
Perl: perl -MCPAN -e 'install Crypt::FSHP'
PHP: PEAR package and other platform binaries at http://github.com/bdd/fshp/downloads
But this is kind of circular.
I would love to use and contribute to StackOverflow.com, but I hate OpenID. If my OpenID password gets owned, then I'm owned on several sites. If StackOverflow.com had it's own password scheme, and it got lost, then I'd lose only my StackOverflow.com identity. Nothing else would be at risk, since I use different passwords for different sites.
Adrian on May 6, 2009 9:24 AMSilly, John. Everyone knows that a big, dumb, balding North American ape, with no chin, is spelled Kwyjibo.
http://www.snpp.com/episodes/7G02.html
Peter on May 6, 2009 9:26 AM@Adrian
Yeah, it is a bit of a catch-22.
Optimal safety would be using a different set of credentials at each site you go to. Having one username/password compromised would only allow the attacker access to that site.
But, most people don't want to memorize 15 different username/password combos - so they use the same username/password for all 15 anyway. As demonstrated by Jeff (and yes, I'm guilty of this too, I think most of us are). In this case, I know my user/pass and I've also given it out to 15 other websites and I'm trusting each of them to property secure that information (and many of them won't). That makes much worse than OpenID.
With OpenID, you can trust a single provider with your username/password to authenticate you. Now, you know it, and one very respectable company that you might trust more than 'JoesRandomWebsite' know your information.
Now, if you are the type of person who was following the best practice approach of completely different credentials for each website; you can still do that with OpenId. You just need to create multiple OpenIds (I'm fairly confident you can do that without any trouble).
Name on May 6, 2009 9:40 AMJeff,
you forgot to check the ONLINE MD5 dictionary, apparently.
I still claim this was a hoax, to boost visits to this site.
MD5 lookup? C'mon. This has been around for years and you fell for it.
BugFree on May 6, 2009 9:45 AMOwnz0red ? :)
Kurtz on May 6, 2009 9:45 AMSo, it was a simple problem, after all: if you put all your eggs in a basket, you have to be sure that the basket is well protected. Specially it the basket is provided by someone else (in the case, Jeff putted some logins with the same password.... and the password wasn`t secured in one site).
Come on Jeff, tell us if he got the award :-).
And tell us the password, too! We`re curious about it...
Walter on May 6, 2009 9:46 AMOh, and just to be more precise :
1. Programmers are the enemy.
2. Hey .. wait a second, I'm a programmer!
3. GOTO 1
4. Profit!
And that's why programmers rarely get rich...
Kurtz on May 6, 2009 9:47 AM@NMONNET:
I use SuperGenPass (http://www.supergenpass.com/).
It works pretty much the same. I did not know PasswordMaker, thanks for the tip!
loedu on May 6, 2009 9:51 AMI converted all of my passwords to use the bookmarklet from http://www.supergenpass.com once I heard Jeff's password got stolen. I've been reusing the same 2 or 3 passwords for all of my sites for the last couple of years, so I was pretty vulnerable.
SuperGenPass is great because it's a bookmarklet that creates hashes your password with the domain name of the site you're on. You can fairly safely use the same password on multiple sites and it creates a unique password based on the domain. I took it a step further and use the Advanced options (http://www.supergenpass.com/customize/?advanced) to include a Stealth Password in the generated bookmarklet.
Yeah, you have to guard your master password, but I think this is much better than having to keep track of unique passwords for various sites. Add to that, an attacker would have to know you use the SuperGenPass algorithm to use your master password.
Caleb on May 6, 2009 9:52 AMStop using MD5. Stop using MD5. Stop using MD5.
There is code out there to quickly generate meaningful MD5 collisions. Get out of the stone age and use SHA-256.
Colin LeMahieu on May 6, 2009 9:57 AMNice Approach.
Mobile360 on May 6, 2009 9:57 AMJust to remind people, your most important password these days is your email's password. Don't ever use it for more than just the email and have it as weird as it gets.
Joao on May 6, 2009 9:58 AMAaron G: All of the MD5 vulnerabilities are about creating checksum collisions, not reverse-engineering the original password. Therefore, if the password was salted but stored as MD5, it wouldn't be possible to reverse the hash back into the original password.
Daniel on May 6, 2009 10:10 AMI actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboFormís capabilities for use that arenít even touched on in the Userís Manual for RoboForm. You can get that Report here:
http://www.theroboformreport.com/indexb.html
There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!
Jeff,
So, if you are not using RoboForm (or some other password manager) to create random passwords for every site the only explanation I can come up with is you are either Cheap, Lazy or Stupid. Which is it? Heck RoboForm even has a free version for up to like 10 sites. Use for high value logins like your bank/openid provider/etc.
RoboForm (1Password for Macs) is drop dead simple. You only have to remember 1 password and that password is only used locally.
BOb
What will you do with the guy? I say let's give him the SO badge, he seems nice
Pablo on May 6, 2009 10:28 AMActually I'd say you're wrong about most OpenID providers being vulnerable to a dictionary attack. Most password schemes require like letters a number and at least 6 characters (maybe 8) long. Being this is common, most brute force tools will actually tack a number on, or even change case Bunnies1 is probably vulnerable to most tools, but would get bye a fair number of webapps as an acceptable password.
Caleb Cushing ( xenoterracide ) on May 6, 2009 10:36 AMInteresting to have this happen a few days after most of the internet backed up 37 Signals when it came out they weren't storing salts with their passwords. Has the internet forgotten already?
Interrupt on May 6, 2009 10:37 AMyou forgot a key issue of the problem here: that you're using md5. use ripemd-160 with a salt. there's a ripemd-160 provider built into the base .NET libraries.
someone named the same name as me on May 6, 2009 10:37 AMMany of the current hashes were made back in a time that it wasn't practical to reverse them in to their possible origins. That's no longer the case. Even with salting - although that does make it exponentially harder.
Instead, I like to:
1. encrypt the password - this almost randomises the ASCII and makes use of the full spectrum, even values you can't logically use such as zero. The encryption of the password can be salted.
2. hash the password - this removes the option of storing an actual password.
3. repeat steps 1 and 2 using different algorithms.
If you know what you are doing then the longer it takes you to calculate and store the value the longer it will take to hack.
Oh - and I don't bother with standard algorithms. I like customising them a bit. I don't need to keep to any standards because the password is limited the specific software and doesnít need to be interoperable.
A lot of hash and encryption systems are for encrypting and signing at one place by a sender and verifying and opening at another place by a receiver ñ in this situation the software is both the sender and receiver, and is in-place. So using a standard algorithm just makes it easer for a hacker.
Personally I feel that we should make sure that anyone working on security has certifications in security rather than an every-day non-certified programmer. I'm not saying an every-day programmer can't do security, just that anyone doing security should certify that they are capable and competent.
Philip on May 6, 2009 10:39 AMDude, I told you in the last part, and I'll tell you again: not being a dictionary based word is hard. And do you know how dictionary attack works? http://www.merriam-webster.com/dictionary/ is a pretty poor dictionary check.
h on May 6, 2009 10:45 AMalso noting your 'md5' note, see 'rainbow tables' all hashes up to 8 characters are stored, and reversed.
Caleb Cushing ( xenoterracide ) on May 6, 2009 10:56 AMJeff, I work at Merriam-Webster's website, and I just checked the logs for recent queries that weren't found in our dictionary... j/k
So this hack was number 3 on your account? ( http://twitter.com/codinghorror/status/1700181914 )
David G on May 6, 2009 11:13 AMJeff,
You don't mention the shoulder surf on your list of password acquisition methods. I think it is worth mentioning this old and crude technique because
1/ There is a danger of getting bogged down with more technical methods, and not seeing the wood for the trees
2/ In this day and age it isn't always as simple as looking out for someone standing behind you! More about this here:
http://www.softwaredebugged.com/computer-security/personal-computer-security-two-simple-precautions/
- Mark.
Mark Radford on May 6, 2009 11:22 AMI have a question.
Why is it relevant that the site didn't salt the passwords? Surly if the guy helped on the site, he would have known the salt, which makes the whole existence of said salt moot?
Syd on May 6, 2009 11:36 AMSo, does the guy earn the Hacker badge?
Eric Burdo on May 6, 2009 11:52 AMInquiring minds want to know: DID HE GET THE HACKER BADGE?
Charles on May 6, 2009 12:00 PM@Syd: No, when you salt the password, you prepend it with a random string which, even if a hacker knows the salt, makes the password longer. Long passwords cannot be cracked with rainbow tables, or these MD5 reverse lookup sites, because you can only lookup the hashes of passwords up to a certain length. They basically go through every possible string, get its hash, and store it for lookup. Passwords longer than say 15 chars make this impractical.
Gabriel Ross on May 6, 2009 12:00 PMJeff,
Until there is some form of standard in security protocols among OpenID providers, I will not trust any of them. I know of a provider who is claiming to do precisely this outsourcing to third-party websites so they don't need to do any user account or profile management, who will accept script tags in their user profile fields...yes, you're reading right - no need to even do eval() tricks to get it to take javascript. How can I be sure, as a normal (L)user, that my OpenID provider is safe secure? Do I have to hire someone to audit them?
Thanks for a great couple of posts!
Mike on May 6, 2009 12:03 PMYou shouldn't use OpenID for various reasons.
OpenID:
-You giving away a key for houses away for free to let other people lock up the doors.
-Your puplicing your identity for free and enjoy it.
-You bind your ID to a provider who can close, if so you can forget about logging in to sides which have nothing to do with the closed provider.
- It doesn't prevent Phishing, it just enables a fisher to log in to more sites a lot easier
To be sure you can trust an openid provider (and no, i don't trust google, look at the terms of use) you need to set up an own OpenID provider.
I would not log on with a third party provider for logging on just because the programmer of a site is to lazy or incompetent to write a own login mechanism.
And sreg is like sharing your personal data with ease to other sites which just don't need to know them. For gods sake, even a lame unsalted md5 hash is better than openid.
offler on May 6, 2009 12:08 PMLots of posts about salting. Use the new, warmed up, salt-rehash, orange-256 MD% kaboodle.
BugFree on May 6, 2009 12:21 PMwouldn't use openid anyway.
DawnOfWar on May 6, 2009 12:21 PMAll the technology in the world means nothing when the password, intended to be typed by a human, is hard to remember. Most computer-generated passwords fit into that category.
It gets written down somewhere, including in pencil on the keyboard.
The password I selected for one corporate environment is something I can remember how to type, but I don't know what it is. I hold down a certain modifier-key (shift or control or the like) and walk across the keyboard in a pattern that I like. I remember the pattern, and that's my password. Jesus only knows what the password is -- I make it a point to not know, or care.
I just know how to type it.
Jeff Bowles on May 6, 2009 12:23 PMThere are more OpenID providers than websites accepting OpenID for login...
Nicolas on May 6, 2009 12:24 PMWhy would this person get a hacker badge?
He had access to a hash of Jeff's password. It was more of an exploit than a hack.
Kevin on May 6, 2009 12:28 PMAt least they were hashed. Sites like plentyoffish.com store them in plain text and reguarly email them to their users...
Ollie on May 6, 2009 12:38 PMJeff,
Thanks for your incredibly useful post. I know a bit about it but it is so easy to let your guard down and forget that we are all vulnerable...even those of us who know a bit.
The thing this post reminded me of is that I pretty much presume that most of the sites where I have a login is doing it the right way (hashing with a salt). But that is probably opposite from the truth. (One way to know...if you lose your password and the site is able to send your password then they are encrypting the password (we hope - redddit redux) not hashing with salt.) Of course for trivial sites this is not so bad (or is it?) but for all sites where security is hugely important (banks, paypal etc) you wonder if they are hashing? But even for those that are hashing...there is no way to know if they are salting?
For the record...one thing I do is I give EVERY site I join a unique random password of various strength (depending on importance) and store that data using RoboForms and one impossible to guess password which I have memorized. Of course...if that is ever compromised then a hacker would have the keys to my kingdom. (Guido could break my legs or threaten my family I suppose...but if my data ever becomes that important then I suppose I will have a bodyguard, too.)
One last thought...for my personal computer...isn't a biometric solution LESS secure than a strong password. If Guido wants to hack my computer all he has to do is kill me and cut off my right index finger. Gruesome thought. Not perfectly related to your posted but I recently thought of that.
Thanks for the great post.
Seth Spearman
Seth Spearman on May 6, 2009 12:51 PM@Doug T:
Maybe it's another one, but *something* tells me his OpenID address is http://www.codinghorror.com/, delegating to http://codinghorror.myopenid.com/.
Daniel on May 6, 2009 1:08 PMAre you equipped and willing do everything necessary to protect idiots like me from myself? That's a key part of the promise of OpenID
I've yet to be convinced that that is a promise OpenID can keep. Even if you can guarantee that all OpenID providers are as secure as possible, I think idiots will still find ways to make fools of themselves. For example, how do you protect an idiot from phishing attacks, or from simply handing over their password for an Easter egg.
ìWe outsourced our user credential system to people who are much better at it than us (well, depending on which OpenID provider you pick). ì
But you didnít outsource the task - you make every user responsible for their own outsourcing. How is an idiot supposed to work out which are the secure providers?
If you know or obtain the salt the password can still be comprimised using MD5 cracker. easy passwords take 5 mins.
Drew on May 6, 2009 1:23 PMGabriel Ross -
@Syd: No, when you salt the password, you prepend it with a random string which, even if a hacker knows the salt, makes the password longer. Long passwords cannot be cracked with rainbow tables, or these MD5 reverse lookup sites, because you can only lookup the hashes of passwords up to a certain length. They basically go through every possible string, get its hash, and store it for lookup. Passwords longer than say 15 chars make this impractical.
Close, but want to clarify a bit. The length of the hash is not what makes salting effective. If you put ABC in front of all your passwords before hashing, you aren't changing the length significantly, and you certainly aren't making your site impervious to rainbow attacks. If the attacker knows your seed they can then generate a rainbow table where all solutions are ABC plus 1-8 characters.
For the examples below, imagine a user who uses abc as their password at every site.
The MAIN benefit of seeding is that it turns a good enough solution into a wrong solution. ABCabc and ABCxyz may well turn out the same hashcode (they don't, but pretend they do); this is the nature of a one-way hash. It is, however, highly unlikely that that is true AND that abc and xyz *also* turn out identical hashes (assuming a hash algorithm like MD5 where prefixes do not uniformly affect the output hash).
Thus, while the rainbow table will show that ABCxyz is one valid (seeded) password for your site, and therefore xyz *might* have been entered by the user, and indeed, entering xyz at the login for your site will let them in, entering xyz at another site where the user used the same password would NOT work (because they hashed abc, which hashes differently from xyz).
Likewise, if abc and def turn out to have the same hash, and another site is compromised and the user is thought to be using def for his passwords, then entering def on your site will not work (because ABCdef and ABCabc do not hash to the same value, even though abc and def do).
The importance here isn't so much the *secrecy* or *security* of your salt, but rather the *uniqueness*. If another site with the same salt and the same users is compromised, you are open to attack. However, even the most basic salts provide a huge level of protection larger than no salt (which due to lazy programmers is almost always going to be non-unique).
Tom Dibble on May 6, 2009 1:29 PMI somewhat disagree with the common opinion about internet and security.
What we need are better laws, not more security.
Imagine you had to build your house in a way to make it completely secure. No more windows, doors with about 10 keyholes and codes (to be changed all the time), tank safe walls and so on.
And yes, we spend a lot of money on security. Not always in a successful way, anyhow. :-)
Sadly the internet still is in some sort of wild west times. This needs to be changed. Yes, worldwide.
I would therefore say, it is not the programmers fault as long as they take some precaution to protect their users. It's the politicians fault not to protect the programmers from outlaws.
And I'm quite shocked that someone who obviously stole other peoples money is proud to tell about it on this very blog (and gets away with it).
:m) on May 7, 2009 3:14 AMThis is only a preview. Your comment has not yet been posted.
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
| Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved. |
Subscribe in a reader
Subscribe via email
Posted by: |