At least once a week there seems to be news about a major website getting hacked. Afterwards, lists with account information turn up all over the Internet and major panic breaks out. Commonly, those passwords are said to be “encrypted”, but part of them still gets cracked, as we saw in the recent LinkedIn case. So, how does this work and how should we react?

First of all, we assume that major websites commonly store passwords safely. This does not mean that nobody will ever be able to steal them, but it does mean that if someone is able to do so, it is theoretically very hard to recover the passwords. Yes, security experts will always point out the mistakes made in big leaks, but there is a wide range of shades between very bad and very good protection.

They ARE “Encrypted”
With some cryptographic groundwork from my education, let me clear up a very common misunderstanding. Encryption is about making information unreadable to anybody that does not have the key. The information can be recovered by unlocking it with that key.

For passwords, we use so-called one-way hashing functions. Such a function cannot be reversed. Thus, to verify a password, I need the original password. This password is run through the hashing function and the result, which is commonly called a hash, is compared to the hash stored with the provider. Therefore, when a database of password hashes is stolen, the hashes still cannot be reversed.

So, How Come My Password was Cracked?
Nevertheless, in most cases, passwords do turn up on the Internet. There are three possible reasons for this. From least to most likely: the one-way hashing function is broken, the hashing function has been implemented wrongly, or the password was weak. Yes, the most plausible reason is probably our inability to remember seemingly random sequences of characters.

Is My One-Way Hashing Function Broken?
At this moment, two hashing functions that are very commonly used and are broken are MD5 and SHA1. However, when I say broken, I mean theoretically broken, which means that a lot of caveats apply. So, let me take you on a ride through cryptography for a moment.

A one-way hashing function needs to have two properties: the result needs to be unique to its input, and it needs to look random, i.e. one should not be able to deduce the original input from it. Of course, it is impossible to realise this perfectly, which is why such functions can be broken. There are three ways in which a hash function can be broken. Firstly, the attacker may be able to recover the original input. Secondly, given a certain hash, the attacker may be able to find another input that yields the same result. And, thirdly, the attacker may be able to find two different inputs that generate the same result.

Of all the broken hash functions, most attacks are of the weaker two types. This means that reversing the function is still very hard. Thus, your password is not easily retrieved from the stolen information. What may be possible is that another password is found that the hash function will also accept. This is still bad, but it is less likely that your password itself is compromised and that you need to change it on all the websites where you use it. On a side note, there are methods of implementing a hash function in a way that this second password will not be accepted at all, e.g. salting. Nevertheless, I will refrain from getting into even more cryptographic details.

Weak Passwords: You Will Pay Eventually
It should be clear by now that the most likely explanation is that your password is just weak. For attackers, it can be very easy to try all words in the dictionary, including some common variations, or all passwords up to a certain small length. Actually, there are databases, so-called rainbow tables, that contain hashes for common words, in which your hashed password can simply be looked up.

The use of weak passwords also explains why only part of the stolen passwords gets found, and not all of them. The majority of all passwords are just names, words and dates, which makes it a walk in the park to break them. So, before all fingers get pointed at the hacked website, make sure you also point one at yourself for making it so incredibly easy to take the last hurdle from hash to password.
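To make the verification flow, the rainbow-table lookup and the effect of salting concrete, here is an added example (my own code, not from the original post) that hashes a constructed list of weak passwords two ways: with a bare SHA1 that a precomputed table can look up, and with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256, a standard library choice assumed here) that such a table cannot touch.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a dictionary or rainbow table.
COMMON_WORDS = ["password", "letmein", "john1984", "summer2012", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one bare hash, identical for every user with this password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> word once; for unsalted hashes this is all a rainbow table needs."""
    return {unsalted_sha1(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """A weak password falls out of an unsalted hash with a single dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash: the same password gives a different hash for every user,
    so a table precomputed without the salt is useless, and each guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> tuple:
    """What a site should keep: a fresh random salt stored next to the salted hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Verification re-runs the one-way function on the candidate; nothing is reversed."""
    return hmac.compare_digest(salted_hash(candidate, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    print(lookup(table, unsalted_sha1("letmein")))    # prints letmein
    salt, stored = store_password("letmein")
    print(verify_password("letmein", salt, stored))   # prints True
    print(verify_password("letmein!", salt, stored))  # prints False
```

Note that salting does not rescue a weak password: the same wordlist can still be tried against one user's salted hash, it just has to be recomputed per user and per guess instead of looked up.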

The Damage has been Done: Let’s Do Something!
The news is just out: your favourite website has leaked. It is time to take some precautions. However, it is not useful to go to that website to change your password, because, at this moment, that website is compromised and should not be trusted until its owner announces that the leak has been fixed. After all, it is possible that your new password will get leaked just as easily.

What you should do is change your password on all sites where you use the same password, because that is where the risk lies. See it this way: if they were able to get the account information out of a website, they can probably access anything there. However, the attacker wants your password to see if you use the same one for a more sensitive web application.

Oh Well, They Stole my Password. Again.
Yes, these things happen, and it can be painful. Nevertheless, when a website implements its protection mechanisms correctly, the leakage of account information does not have to mean the leakage of actual readable passwords. So, when you stay cautious and use strong passwords, you do not have to lie awake at night.
