You know I'm referring to passwords right?

Also from the article:

"studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst."

Did that study include *nix admins?

Also from the BBC, an an analysis on the Adobe passwords that were leaked. No real news here, except to say people still choose terrible passwords....

Top 20 passwords

• 123456
• 123456789
• password
• adobe123
• 12345678
• qwerty
• 1234567
• 111111
• photoshop
• 123123
• 1234567890
• 000000
• abc123
• 1234
• adobe1
• macromedia
• azerty
• iloveyou
• aaaaaa
• 654321

Following on from my Storing Passwords post, here is an excellent and far more comprehensive discussion of password storage (albeit in a .NET context) from Troy Hunt.

A while back, one of the guys here at work set up an open source collaboration web app to exchange some files with a customer, being an inquisitive chap I thought I'd take a wander through the source code to see how it fared from a security stand point. My first port of call for these sort of things is usually to have a look at how they're doing authentication and in this case they're doing (arguably) the right thing or, at least better than a number of other web apps out there and storing an individually salted sha1 hash of the password, they also offer the option of LDAP integration, so far so good.

The code for validating password complexity when setting passwords turned out to be a bit more interesting, the user’s password is stored with the other user details in the user table in MySQL, but there is also a password table, and the passwords in it don't look like sha1 hashes... A little more digging through the code reveals this table to be a password history table, but this doesn't explain why the passwords aren't just stored as hashes, there are also a couple of functions with ominous names called within the password reset code (cp_encrypt and cp_decrypt) that take the password as a parameter... eeek! Also, testing confirms that not just the history, but also the current password is stored in this table.

1:  function cp_encrypt($password, $time){  
2:      //appending padding characters  
3:      $newPass = rand(0,9) . rand(0,9);  
4:      $c = 1;  
5:      while ($c < 15 && (int)substr($newPass,$c-1,1) + 1 != (int)substr($newPass,$c,1)){  
6:          $newPass .= rand(0,9);  
7:          $c++;  
8:      }  
9:      $newPass .= $password;  
10:        
11:      //applying XOR  
12:      $newSeed = md5(SEED . $time);  
13:      $passLength = strlen($newPass);  
14:      while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;  
15:      $result = (substr($newPass,0,$passLength) ^ substr($newSeed,0,$passLength));  
16:        
17:      return base64_encode($result);  
18:  }  

1:  function cp_decrypt($password, $time){  
2:      $b64decoded = base64_decode($password);  
3:        
4:      //applying XOR  
5:      $newSeed = md5(SEED . $time);  
6:      $passLength = strlen($b64decoded);  
7:      while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;  
8:      $original_password = (substr($b64decoded,0,$passLength) ^ substr($newSeed,0,$passLength));  
9:        
10:      //removing padding  
11:      $c = 1;  
12:      while($c < 15 && (int)substr($original_password,$c-1,1) + 1 != (int)substr($original_password,$c,1)){  
13:          $c++;  
14:      }  
15:      return substr($original_password,$c+1);  
16:  }  

Looking into the encrypt and decrypt functions, there are a couple of things of note; firstly their very existence tells us that the passwords are being stored in a reversible form in the database, essentially defeating the purpose of storing the password as a salted hash.  This means that an administrator on the system can decrypt and use any user's password; it also means that should the server be compromised an attacker could also trivially decrypt the passwords and use these accounts.  While salted SHA1 hashes are also crackable in short order with the right hardware they do raise the bar somewhat.  To mitigate the SHA1 attack it would be relatively straight forward in this case to swap out the SHA1 function being used and substitute it with a slow password hashing algorithm such as scrypt or bcrypt.

A review of the encryption algorithm being used is also pretty interesting; the developer has chosen to use XOR encryption, the password is padded to 16 characters and XOR’d with an MD5 of a pseudo-random string generated at install and the current date.  In the case of short strings like passwords, this is actually a reasonably effective encryption algorithm as the password is unlikely to be any longer than 16 characters (in the event it is the key material is repeated which introduces a weakness).  However in this context the encryption being used is really academic, the passwords shouldn’t be stored in a reversible format, though when you look at the apparent reasoning behind it there is an interesting security trade-off. 

The impetus behind storing the passwords encrypted appears to be so that the application can do a comparison of the new password with previous passwords to ensure that not only is it different from previous passwords but also that it isn’t too similar to any previous passwords.  The motivation here is noble but, in my opinion, somewhat misguided, a better approach would probably be to prompt the user based on the entropy of the new password while also checking that it doesn’t match any of the previous X passwords.  While this doesn’t solve the problem of having users choose passwords and incrementing a suffix it means that passwords aren’t being stored reversibly, even removing the current password from the history table doesn’t mitigate the problem as users still have a tendency to choose passwords based on a pattern, regardless of the checks that you enforce.  Password selection guidance is still maybe best done as part of a security education program.

This was from a little while back, but I hadn't got around to posting it yet. Dan Kaminsky offering a different view of passwords:

"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."

An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory. 

He certainly brings up a good point. The problem may not be passwords, but bad passwords. And why do we get bad passwords? The same reason we get single passwords used across multiple systems or people using their birthdays as PIN numbers - "Password1" or "P@ssw0rd" is easier to remember that "w4dHu92#".

But will passphrases change that? It will involve a seismic shift in mindsets and many users having to 'unlearn' what they've been told previously. The 'passphrase' movement has been around for a while and the first reaction from users when you say "Now your passwords have a 12 character minimum" is generally not positive - even if you do away with the complexity requirements. People already forget their passwords with alarming regularity, I'm not sure if passphrases will be must easier to remember.

Passphrases have their limitations too - they don't help with password reuse, and won't stop a user changing "fourscoreandsevenyearsago" to  "fourscoreandsevenyearsago1" on their next passphrase change.

But I do agree with Dan that passwords work better than we probably give them credit for, and maybe passphrases will work a even better.

There is speculation floating around the net that at least one of the recent disclosures of passwords was a SQL Injection attack (my bet would be several), I this find equally as disturbing as the fact that the passwords weren't even hashed. Seriously people SQL Injection? It's 2012...

It's the 90s all over again as a 'death worm' (Morto Worm) is squirming through the internet knocking on RDP ports (3389/TCP). In this day and age an attack as simplistic as this one, it replies on brute forcing admin accounts from a predefined username password list, shouldn't be able to infect any corporate machine....right?

Microsoft have some more info on this retro attack, including listing the usernames it attacks:

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

...and the passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

If you are using any of those passwords (especially on Windows boxes), change them immediately and go sit in the naughty corner for half an hour.

 The upside of big data breaches involving passwords is that it gives us Security Pros an understanding of what users are actually doing when they're selecting their passwords. The cynic in me thinks that we can spend time trying to educate employees, family, friends and neighbours into using strong passwords and changing them frequently - and they'll nod and smile and agree it is important...and then go back to using 'abc123' on their Internet banking.
I've blogged before on past analysis into exposed passwords, and now with the recent Sony breach Troy Hunt has posted an analysis of 37,000 of the exposed Sony passwords. Does it contain anything groundbreaking? Well..no. It's a good bit of analysis that pretty much confirms what my inner cynic suspected - half of the passwords had only one character type (with 90% of these being lowercase only) and 45% of the passwords were numbers only. Only 4% of the passwords analyzed were what is commonly considered 'strong' passwords.

One of the nice things Troy did with his analysis was compare the uniqueness of the passwords across the different Sony databases exposed - a luxury one usually doesn't have when examining breached passwords - 92% of passwords where identical for the 2,000 accounts that had the same email address. Troy even managed to cross reference these accounts against the Gawker data breach and found of the 88 common accounts 67% were the same.
Oh and '123456' and 'password' were once again in the top few passwords used.

In other Sony related news - did Sony really sack a bunch of Security staff just before the data breach? That adds a new wrinkle to this most newsworthy of all breaches this year. I haven't seen it suggested, but could a disgruntled ex-employee have played a part?

 I recently came across a interesting article about PIN codes on iOS devices where an app developer pulled the login PIN numbers for his app to do some statistical analysis.

His findings are far from encouraging - or surprising - with (you guessed it!) '1234' taking the top spot, followed by '0000' (seriously...why bother with a passcode at all?).

This is pretty much in line with what i've blogged before about passwords. Of course if Mrs Shepherd-Barron hadn't gotten her way, the most popular PIN would probably match the most popular password...'123456'!

On passwords, a developer has taken all the recently exposed accounts and provided a nice web interface to allow you to see if your password may have been exposed. If your'e worried, run your login ID through the checker and see. The site doesn't ask for passwords, but considering many site usernames are email addresses - use it at your own risk!

On better Security news, the DSD (an Australian Government three-letter Agency) has released a preliminary guide to hardening iOS [pdf]. A more in-depth guide is expected in September 2011.

Things have been quiet here at the Circus, as work and Uni have been in high gear alongside preparing for the CISM exam.

I will hopefully be back on a regular blogging schedule soon, in the meantime here is a gem from reddit.com:
Oh dear.

Richard pointed out that the ever-amusing xkcd has a cartoon today that relates to the point I was making in an earlier post (except the bit about google turning evil...didn't that happen already?)

I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.

The cause of the breach was some spectacularly bad development work that had the flash font-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.

But it's only a pizza website? Who cares!

The problem is that many people use the same password (or a variation thereof) or a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and internet banking. That 'lowly' pizza website and it's abysmal security may have just trumped your higher security internet banking or webmail site.

It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.

Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves with some different 'levels' of passwords.
The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software or other sites you rarely ever frequent or suspect of low security standards (like internet forums).
The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise to keep social networking and webmail passwords separate, I'm working on the 3-4 password theory...).
The next level of password is your 'online shopping' passwords, such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.
Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but it is not used anywhere else.

While i admit the above is far from perfect, neither are passwords or people! At least following that advice your average internet user might be somewhat better protected that using the same password everywhere.....

Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)

Octopus #1: A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!

Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonalds. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....

Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?

While there are arguments against the effectiveness of PCI-DSS (Payment Card industry Data Security Standards) compliance, it's going nowhere soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles it's own Information Security.

Some gems from the Amex response:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack.

This is one I've encountered before where transport-layer security is confused with authentication security. Their website could have 128,000 bit encryption, it won't help them when I guess your password is 123456.

We discourage the use of special characters because hacking softwares can recognize them very easily.

More easily than non-special characters? Wow.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Would that not mean a single character password was even more secure?

Scary. Although a friend did comment "Well at least they have a password policy!"

Last year I commented on the analysis of leaked passwords from hotmail, gmail and yahoo. The results were rather depressing.

The social networking site Rockyou.com was hacked late last year, resulting in the exposure of some 32 million passwords from their own site and from partner social networking sites such as MySpace and facebook. Rockyou's policies of not requiring complex passwords and then storing said passwords in the clear was a ticking time bomb, and should be a lesson to other sites and to end users who may not understand the danger of sharing passwords between sites.

Well an analysis of the passwords revealed in the hack has been completed and the results are unsurprisingly, not dissimilar to the hotmail passwords revealed last year.

The top passwords revealed were:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

Compared to the previous analysis of hotmail passwords:
1. 123456
2. 123456789
3. alejandra
4. 111111
5. alberto
6. tequiero
7. alejandro
8. 12345678
9. 1234567
10. estrella

And the results of an analysis of other recent password breaches showed a similar pattern with '123456' being incredibly popular....

The complete report is available here (pdf) and is worth a look.

By now it's a safe bet anyone working in the security space has heard about the leaked passwords from hotmail, yahoo and gmail.

The most interesting thing so far to come out of the leak is the results of an analysis of the passwords exposed. The results are an interesting mix and shed some light on how the message about using strong passwords is being received out there in user-land.

The most common password found was '123456' with '12346789' coming in second. It's enough to keep a security guy up at night!

Amazingly 'password' didn't make the top 20 list, but despite the fact the average password length was 8 characters, 42% of all the passwords listed were lower case only and only 36% were what we commonly consider 'strong passwords' (in complexity if not length). This shows the message is not being heard.

Why is this a concern to the security guy in the enterprise? Well the same users are likely to be in the office and these results show that the password message is not getting through. Not to mention employees with good intentions emailing work documents to themselves @hotmail so they can be diligent and work on them at home. That same hotmail address with the '123456' password....

The good news (comparitively!) is that the passwords have not been gathered due to a flaw in the security of these industry heavyweights, but by via phishing attacks against the users themselves.
The problem though is even when users are diligent and more complex passwords are used there is the problem of those same users being suckered in by phishing attacks. Even the head of the FBI was banned from online banking by his wife for almost falling victim to a phishing email.

A senior security engineer for nCircle recently presented at SecTor the results of a survey both technical and non-technical users that showed while 83% of users checked for the magic padlock in the browser when entering their credit card details, a dismal 41% checked for the same padlock when entering a password. Although the displaying the magic padlock can be easily faked.
Unsurprisingly almost 50% of users also clicked through security warnings without paying attention to them. In this we're paying the price for training end users to 'just click ok' through countless exposures to buggy software.

People can't be relied upon to pick strong passwords or read security warnings. Security guru Bruce Schneier has written about this back in 2006 when 100000 myspace accounts were exposed through a phishing attack. That wonderful password '123456' made the top 20 back then too, but the best performer was 'password1'.

Bruce comments that "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?"

He's completely correct and in fact I'd hazard a guess that they've continued to learn and the most common password these days (where complexity rules are applied) is 'Password1'.

What's the answer? Nothing simple comes to mind, but clearly our education of users isn't working today, we need to do better.

And finally a more humourous look at choosing a password...

I've been reading a few pros and cons recently about password masking. Traditionally it is one of those unquestionable security commandments - "Thou shalt mask passwords", but is it always necessary?

Why do we mask passwords? What's the benefit?
To stop the password being exposed to third parties. The password is a shared secret between the system and the authorized user, so letting others see it in plain text is a no-no. While this is true, are all passwords created equally? The password, or PIN number, you may use on your ATM card in a public place is at much higher risk of being seen by an unauthorised third party than your webmail login or even your network login that you use in the privacy of your office or cubicle.
"But we don't all sit in an office or in a cozy cubicle!" you say, cursing the designer of the open plan office. Very true.
Another benefit may be that users 'feel' more secure that their password is being kept 'secret' by not displaying on the screen. Despite the original purpose being to mask the password from a 'shoulder surfing' colleague, it has come to be something expected by users today, and like the padlock in the corner of the browser is a 'symbol of security'.
The downside is of course, that users cannot see what they're typing, so when they are denied a login they're not sure if they've forgotten their password or are simply mistyping the correct password. There is also the argument that password masking leads to poorer security because users choose 'easier' passwords (ie: less complex ones) so that they reduce the chances of mistyping a complex password. This argument does assume that having the password unmasked would lead to more complex passwords because the chances of mistyping are reduced. Personally I think most poor simple passwords are based on ease of remembering rather than the odds of mistyping.

I noticed recently that Apple had implemented a 'half-way' solution on the iphone (and this may have been around for a while, I'm just stating where I saw it) in that as each character is typed it appears in plaintext briefly before becoming an asterisk. This has the benefit of reducing mistypes (not uncommon with the iphone on screen keyboard!) but also making shoulder surfing a little harder by forcing the 'surfer' to pay attention to each keystroke and never showing the password as a whole. I think this is an interesting solution that has potential for those sorts of passwords that are most likely to be used in a 'private' setting (like your office or home) but not of course for PIN numbers and the like.