Tuesday, February 22, 2011

Password Security

I went to a seminar at lunch today over at National Instruments. Some group called "OWASP" that had me on their mailing list. It was free, about hacking passwords using the GPU, so I gave it a shot.

The speaker, Rick Redman of Korelogic, is a professional hacker who is hired by companies to try to break into their systems.

How passwords are stored: Typically when you sign up to some internet site (facebook, blogger, paypal, etc.) you have to enter a username (or email) and password. They store the password on their servers. Usually they run the password through some encryption and store the encrypted password. An example of a simple (crappy) encryption algorithm would be to increase every entry by one. Make every 'a' a 'b', every 'b' a 'c', every 'S' a 'T', every '6' a '7', etc. Here's some examples:

Un-encrypted password
Pencil
Number1Hasher
Encrypted Password
Qfodjm
Ovncfs2Ibtifs
When you enter your password "Pencil" the first time they store the encrypted password "Qfodjm" in their password file. Then everytime you log in and enter your password it runs it through the same encryption algorithm and verifies it matches. "Pencil" will yield "Qfodjm" and match while "Pancil" will yield "Qbodjm" and fail.

There are less than a dozen common encryption algorithms. Some are fairly simple (not nearly as bad as mine) and some are quite complex but the algorithms are all known and readily available. Usually the more simple algorithms are used because it takes more CPU cycles to execute them or the implementer is just lazy.

A couple years ago a company called "RockYou!" wrote a plug-in for facebook. They asked for you facebook password so they could link in with your facebook friends, interests, etc., and said they would never store the password. Well it turns out they actually did store it and they didn't even bother encrypting them. They had horrible security on their own server and someone hacked it using an old, well-known hack (SQL injection?) and got full access. They snooped around and found a file called something like "passwords.txt" which contained 32 million un-encrypted text format. The hacker posted the file on the net and hackers around the world downloaded it and went to town. The entries looked something like this:

username
email
password
johnsmith
jsmith@aol.com
pencil
janedoe
janedoe1@myspace.com
123456
superhasher
hasher1@yahoo.com
onon
So now you could hack anyone's facebook account that used "RockYou!". Not really a big deal in itself, but the password file was gold. Turns out most people love to reuse passwords, so the hackers simply went to paypal and tried to log in using these email accounts and passwords. Most didn't work but a whole bunch of them did work and then it was just a simple matter to tell paypal to transfer money from these user's accounts to themselves. After paypal they tried the same idea on a few of the major banks and mutual fund companies next and, well you get the idea... Yikes!!!

Not done yet... Before this the hacker community had a "dictionary" of what they thought were the most common passwords they'd use when trying to hack into an encrypted system. An amazing number of people use things like "password", "password1", "pencil", their favorite sports team or college, etc. So there was a dictionary of about 500 words that were tried against every account. The list wasn't that good so their success rate of cracking the passwords were low. But now they had a list of 32 million actual passwords that people used. They piped this into a spreadsheet and found the most common ones, and then updated and vastly improved their dictionary. To illustrate how poor of passwords are commonly used, here's the top 10:
  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. 1234567
  8. rockyou (hacked website was "rockyou")
  9. 12345678
  10. abc123
By having this huge database they vastly improved their knowledge of what people commonly use for passwords, so they can had a better dictionary and were able to write smarter algorithms for hacking passwords.

There's a couple of free tools they recommended: John The Ripper, hushcat, and oclhushcat. John is open source, the other two aren't. oclhushcat is valuable because it uses the GPU instead of the CPU, which is at least 2 orders of magnitude faster. You feed these tools an encrypted password, some parameters like the dictionary and what to check for, and it uses brute force to tries every combination of password you specified to find a matching solution.

What I came away with:
  1. Never use the same passwords for goof-off accounts (facebook, blogger, etc) as I do for ones with data I need to protect, i.e. online banking.
  2. Verify that my "strong" passwords weren't on the list.
  3. Avoid using any site that has access to your money that forces weak passwords. For instance, RockYou! would not allow special characters.
  4. Have a better idea of what people commonly do and avoid it:
  • Mix lower and upper case letters, and don't just capitalize the first letter, i.e. "Password"
  • Add numbers and not just at the front or back, i.e. "password123"
  • They know all the tricks for substituting numbers/special characters for letters, i.e. '3" for 'E', '$' for 'S', 'I' for '1", etc.
  • Horizontal keyboard patterns like "qwertyuiop" (top row) are well known and checked for
  • Vertical keyboard patterns like "NHY^6yhn" are known too. (Up in caps, down in lower case)
  • People love putting in dates, i.e. "2011", "Feb2011". These are used especially when they have to change their passwords monthly.
  • Common and uncommon names of people, places, sports teams, etc are known.
Last of all he said the best hash encryption algorithm was bcrypt, MD5 the worst. They may have to try several million passwords to find a match, each time running through the encryption algorithm. It takes a couple seconds to compute bcrypt, which kills their brute-force methods whereas MD5 takes a few milliseconds.

There was a guy last year at defcon who built a machine with 6 high-end GPU cards. It could crack any 8-character MD5 password in 2 minutes (or something along those lines...) This is by using brute-force, i.e. checking every possibility of every character combination (6.6 quadrillion) instead of using intelligent search patterns. A longer password stored with bcrypt would take much longer but could still eventually be cracked. The idea is to make it so time-consuming (in terms of CPU cycles) that they'll give up and find easier prey.