At least once a week there seems to be news about a major website getting hacked. Afterwards, lists of account information turn up all over the Internet and major panic breaks out. Commonly, those passwords are said to be “encrypted”, but still some of them get cracked, as we saw in the recent LinkedIn case. So, how does this work and how should we react?
First of all, we assume that major websites commonly store their passwords safely. This does not mean that nobody will ever be able to steal them, but it does mean that if someone is able to do so, it is theoretically very hard to recover the passwords. Yes, security experts will always point out the mistakes made in big leaks, but there is a wide range of shades between very bad and very good protection.
They ARE “Encrypted”
Having a background in cryptography from my education, let me clear up a very common misunderstanding. Encryption is about making information unreadable to anybody who does not have the key. The information can be recovered by unlocking it with this key.
For passwords, we use so-called one-way hashing functions. Such a function cannot be reversed. Thus, to verify a password, I need the original password. This password is run through the hashing function and the result, commonly called a hash, is compared to the hash stored at the provider. Therefore, when a database of passwords is stolen, the passwords still cannot be recovered by reversing the function.
So, How Come My Password was Cracked?
Nevertheless, in most cases, passwords do turn up on the Internet. There are three reasons that can cause this. From least to most likely, these are: the one-way hashing function is broken, the hashing function has been implemented wrongly, or the password was weak. Yes, the most plausible reason is probably our inability to remember seemingly random sequences of characters.
Is My One-Way Hashing Function Broken?
At this moment, two very commonly used hashing functions that are broken are MD5 and SHA1. However, when I say broken, I mean theoretically broken, and there are a lot of remarks to be made about that. So, let me take you on a ride through cryptography for a moment.
A one-way hashing function needs to have two properties. Namely, the result needs to be unique and random, i.e. one should not be able to deduce the original input from it. Of course, it is impossible to realise this perfectly, which is why such functions can be broken. There are three ways in which a hash function can be broken. Firstly, the attacker may be able to recover the original input from a given hash. Secondly, the attacker may be able to find another input that yields the same result as a given hash. And, thirdly, the attacker may be able to find two different inputs that generate the same result.
Of all the broken hash functions, most attacks are of the weaker two types. This means that reversing the function is still very hard. Thus, your password is not easily retrieved from the stolen information. What may be possible is that another password is found that will also be accepted by the hash function. This is still bad, but it is less likely that your password itself is compromised and that you need to change it on all the websites where you use it. On a side note, there are methods of implementing a hash function in a way that this second password will not be accepted at all, e.g. salting. Nevertheless, I will refrain from getting into even more cryptographic details.
Weak Passwords: You Will Pay Eventually
It should be clear by now that the most likely explanation is that your password is just weak. For attackers, it can be very easy to try all words in the dictionary, including some common variations, or all passwords of a certain small length. In fact, there are databases, so-called rainbow tables, that contain the hashes of common words, in which your hashed password can simply be looked up.
The use of weak passwords also explains why only part of the stolen passwords gets recovered, and not all of them. The majority of all passwords are just names, words and dates, which makes it a walk in the park to break them. So, before all fingers get pointed at the hacked website, make sure you also point one at yourself for making it so incredibly easy to take the last hurdle from hash to password.
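To make the mechanism from the sections above concrete, here is an added example (not code from the original post) that shows the verify-by-rehashing step, why a leaked unsalted hash of a dictionary word can simply be looked up in a precomputed table, and how a per-user random salt makes such a table useless. The parameters (PBKDF2-HMAC-SHA256, a 16-byte salt, 100,000 iterations) and the short word list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256, 16-byte salt,
# 100,000 iterations. Real deployments should follow current guidance.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Run the candidate through the same one-way function and compare the results.
    The stored value is never 'decrypted'; the comparison is done in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1_hex(password: str) -> str:
    """Bare SHA1 of the password, the weak storage scheme discussed in the post."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed stand-in for a precomputed (rainbow) table: unsalted SHA1 of a
# few common words, keyed by hash so a leaked hash can be looked up directly.
COMMON_WORDS = ["password", "letmein", "welcome"]
PRECOMPUTED = {unsalted_sha1_hex(w): w for w in COMMON_WORDS}


def lookup_unsalted(sha1_hex: str) -> Optional[str]:
    """What a leaked bare SHA1 hash gives away when the password is a dictionary word."""
    return PRECOMPUTED.get(sha1_hex)


def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same password get different stored values, so one
    precomputed table cannot cover every account in a leaked database."""
    return hash_password(password) != hash_password(password)
```

Running `lookup_unsalted(unsalted_sha1_hex("welcome"))` returns the word straight away, while a salted entry for the same word can only be checked account by account through `verify_password`.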
The Damage has been Done: Let’s Do Something!
The news is just out: your favourite website has leaked its account information. It is time to take some precautions. However, it is not useful to go to that website to change your password, because, at this moment, that website is compromised and should not be trusted until its owner announces that the leak has been fixed. After all, it is possible that your new password will get leaked just as easily.
What you should do is change your password on all sites where you use the same password, because that is where the risk lies. See it this way: if they were able to get the account information out of a website, they can probably access anything there already. What the attacker really wants is your password, to see if you use the same one for a more sensitive web application.
Oh Well, They Stole my Password. Again.
Yes, these things happen, and it can be painful. Nevertheless, when a website implements its protection mechanisms correctly, the leakage of account information does not have to mean the leakage of actual readable passwords. So, when you stay cautious and use strong passwords, you do not have to lie awake at night.