Wednesday, June 6, 2012

Is Your Linkedin Password Secure?

Overview
LinkedIn's password database was breached, and 6.5 million hashed passwords were posted on the Internet. Various programs exist to recover passwords from such hashes, and hackers are actively cracking them. As of 6/6/2012, almost 160K of them are available in cleartext on the Internet.

Are you Secure?
Dustin Hilgaertner (an architect at Cinchcast) and I developed a simple application that checks whether your password has been compromised. It does a plain lookup of your cleartext password in the cracked-password file that is circulating. The password you enter isn't logged at any point.

The URL to check if your password is compromised or not is:

http://ismypasswordhacked.herokuapp.com/


If you don't trust entering your password, you can download the list (as of 6/6/2012) yourself and search for your cleartext password there:


http://ismypasswordhacked.herokuapp.com/linkedin.passwords


Afterthoughts
I like to compare security to maintaining your bathroom. If you do a great job, nobody says thank you. But if you screw up and the bathroom starts leaking, all hell breaks loose. Unfortunately, the value of security isn't recognized by many companies, so securing systems always takes a back seat to other business priorities. This seems to be the case here: the older SHA1 algorithm was used to obfuscate passwords instead of the newer SHA2, and, what's worse, the passwords weren't salted, which is a basic security tenet.
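The difference between the unsalted SHA1 scheme described above and a salted, iterated scheme, as an added example that is not code from this post or from the ismypasswordhacked tool: the user table and the short cracked-word list are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt or SHA-crypt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two of them happen to share a password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "tr0ub4dor&3"}

# Constructed stand-in for the circulated cracked-password list.
CRACKED_CLEARTEXT = ["password", "linkedin", "linkedin2012", "123456"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme the post describes: a single SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Defender's view of why unsalted hashes fall quickly: each wordlist
    entry is hashed ONCE and that table is checked against every user."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Hardened form: random per-user salt plus an iterated hash.
    Record format (constructed here): 'iterations$salthex$hashhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    return {
        # same password -> same SHA-1 digest, so one cracked hash exposes both users
        "weak_shared_digest": weak["alice"] == weak["bob"],
        "weak_cracked": crack_unsalted(weak, CRACKED_CLEARTEXT),
        # same password, different salt -> different records; a precomputed table is useless
        "strong_shared_record": strong["alice"] == strong["bob"],
        "strong_verifies": verify_pbkdf2("linkedin2012", strong["alice"]),
        "strong_rejects": verify_pbkdf2("linkedin2013", strong["alice"]),
    }
```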

Even though the breach details aren't available yet, my guess is that social engineering and custom trojans (APT) were used to get into an internal network. In this kind of attack, a hacker sends a seemingly innocuous file, such as an Excel spreadsheet or a Word document containing a custom virus, to an internal employee. Once the employee opens it, the virus is installed on the system, creating a backdoor that lets the attacker poke around the network. Because the virus is custom-crafted, most anti-virus or intrusion detection systems don't notice it. Once the attacker is on the network, the game is usually lost.

Advice
If you want to learn five simple rules for keeping your organization secure, you can listen to my audio podcast, recorded using Cinchcast technology:

The slide deck is below:



10 comments:

You *could* use a sha2 family hash, with custom code to handle salt generation and more custom code to handle multiple hashing iterations. Or you could just go with bcrypt.

Plain old salt + SHA2 definitely won't cut it. It's simply too easy to calculate on modern GPU hardware.
http://thepasswordproject.com/oclhashcat_benchmarking

And let's remind everyone:
http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
DOO EET!

Today passwords are effectively useless. The industry needs to move identity and access beyond passwords. There will always be a way to steal them, hack them, or bypass them, so why waste the effort. If a password can be remembered, it's useless.

Re - yes: 2-factor authentication is the future. Google and many other companies are moving towards that. If your IP looks unusual, require 2-factor authentication.

@Jason - if you use bcrypt, a secret key must be stored somewhere, so it's just as easily reconstructable if the secret key is out there.

Ultimately, none of the encrypted passwords at a particular plaintext length are secure, because you can brute-force enumerate them.

+ if you manage to plant key loggers after infiltrating the internal network, you are screwed. 2-factor is the future.

What about using a different hashing algorithm besides the industry standards? There are a couple of candidates for the NIST SHA-3 competition.

http://en.wikipedia.org/wiki/NIST_hash_function_competition

@radius314 - if you don't salt the password, it won't change anything.

Yes, I agree: salting and a non-standard hashing algorithm.

re: "@Jason - if you use bcrypt - secret key must be stored somewhere, so it's as easily reconstructable if secret key is out there."

Wrong bcrypt. I've made this mistake before too. @jason is referring to

http://static.usenix.org/event/usenix99/provos/provos.pdf

which does not use a secret key. There are some other things named bcrypt that do regular secret-key encryption, which are, as you correctly say, not appropriate.

If you are handling passwords, this or equivalents such as http://www.akkadia.org/drepper/SHA-crypt.txt (which is used in glibc, et al.) is the way to go (and ideally with other additional factors).

thanks!

@ngalbreath

LinkedIn is one of the most popular profile finders for those in the corporate business world. Like engineering companies in Calgary, they make it a point that the info stated there is reliable and true, and that they agree on some security agreements to avoid hacking.