Everything You Always Wanted to Know About Passwords

Oran Cohen

March 13, 2020

Do You Have Impressive Credentials?

Until quite recently, connecting to a website or online service meant simply typing in a username and password. In the early days, one could even get away with using the same password across multiple sites and services fairly safely.

But as the ugly head of cybercrime rears its unwelcome visage, and more and more user databases are leaked and become compromised, the concept of a static username and password login couplet is no longer viable from a security point of view.

The Yahoo hacks made big news and hit this point home beautifully. Let’s consider an average internet user named Bob. His Yahoo account username is [email protected] and his password was the word ‘password’ until he changed it to the slightly more complex William2012 (the easy-to-remember combination of his son’s name and birth year). Bob uses these credentials to access his Yahoo mail account and has adopted them as his default. Hence his Amazon, eBay, PayPal, Netflix, Dropbox, Twitter, and Facebook accounts can all be accessed with this same duet. Life for Bob is easy. He need only remember a single username and password for all his web services. In Bob’s case, however, his bliss is certainly borne of ignorance! Yahoo was hacked not once but twice, and these hacks could have far-reaching consequences for Bob.

An Introduction to Passwords

In order to understand the gravity of Bob’s situation, let’s take a brief, and I mean brief, foray into the world of password cryptography. Most sites, Yahoo included, don’t store passwords as plain text. They run each password through a one-way hash function that scrambles it into a fixed-length string called a hash. There are a number of commonly used hash functions out there, and each will hash Bob’s password differently. Yahoo used an outdated one called MD5; compare its output to the hashes produced by later functions in the table below:

Bob’s password: William2012
MD5 (32 chars): 023a2ed6ab80866429885ed5330c731d
SHA-1 (40 chars): 89aa55633cbe523f42f18bb715de34d5fad81f34
SHA-2 (256) (64 chars): 440ff79c8f9a07ef4748d95603c97add7b336d89c193386948c968153ee9f777

Outdated, you say? 32 characters look pretty strong, right? Wrong. MD5 is no longer recommended for password storage because today its output can easily be reversed using a dictionary table. Attackers spend days running words and character strings through the hash function to build huge lists, or dictionary tables, of common passwords alongside their hashes. A dictionary table can therefore be used to ‘decrypt’ passwords precisely because it was built by hashing them: find the leaked hash in the table and the password sits in the next column. MD5 is a poor password-hashing method because it is fast, which lets attackers build their tables quicker. Given more time they can add more complex passwords to their tables: those with lowercase and uppercase combinations, those with numbers or symbols substituted for letters, and those with a mix of lowercase, uppercase letters and numbers, such as Bob’s.

So now, our hacker has a table that includes Bob’s password in one column and the MD5 hash of Bob’s password in the other. That hacker can now try Bob’s username and password combination on a myriad of popular websites, including all those for which Bob has used the same credentials. So in effect, by ‘decrypting’ Bob’s password, the hackers have struck the jackpot, since they now have access to many of Bob’s accounts, including those that can be monetized such as PayPal, Amazon and Netflix.

It is interesting to note that even a long (strong) password could eventually be compromised this way, which is why a good password is only a good password if it is used for a single site.

So what’s our next move?

Well, the news is not all bad. A number of options may be employed to strengthen credentials. Today’s recommended password-hashing schemes append random characters (a salt, different for every user) to the password prior to hashing. This has the effect of making the stored password longer and more complex, and therefore more difficult to compromise, without troubling the user to memorize it that way; it also means a precomputed dictionary table is useless, because every hash would have to be recomputed for every salt. Some sites go even further and re-hash the hashes… several thousand times in some cases. These are called iterations, and they make dictionary attacks even more difficult to carry off because every single guess costs the attacker the full chain of hashes. For example, any 6-character password can be decrypted in under 15 minutes using a simple computer. If 1,000 iterations are performed, that same 6-character password would take up to 12 days to crack. If 20,000 iterations are used, you’re looking at up to 8 months. And remember, today no one recommends using a password of fewer than 8 characters. Each additional character multiplies the possible combinations, and then the numbers really start to get hacker-boggling.
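To make the two halves of the argument concrete (the dictionary table that reverses unsalted MD5, and the salt plus iterations that defeat it), here is an added example; it is not code from the original article. The wordlist is a constructed, five-entry stand-in for an attacker’s table, and PBKDF2-HMAC-SHA256 from Python’s standard library is used as one concrete instance of the “random characters plus repeated re-hashing” the text describes; the 20,000 iteration count is chosen to match the figure quoted above, not a value the article prescribes.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for an attacker's precomputed dictionary table.
# A real table holds millions of entries; a handful is enough to show the mechanism.
WORDLIST = ["password", "123456", "letmein", "William2012", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the way the article says Yahoo stored it."""
    return hashlib.md5(password.encode()).hexdigest()


def digest_lengths(password: str) -> dict:
    """Hex-digest lengths for the three functions in the article's table (32/40/64)."""
    data = password.encode()
    return {
        "md5": len(hashlib.md5(data).hexdigest()),
        "sha1": len(hashlib.sha1(data).hexdigest()),
        "sha256": len(hashlib.sha256(data).hexdigest()),
    }


def build_md5_table(words) -> dict:
    """Precompute hash -> password once; every later lookup is then instant."""
    return {md5_hex(w): w for w in words}


def lookup(table: dict, leaked_hash: str):
    """Reverse a leaked hash by table lookup; None if the password is not in the table."""
    return table.get(leaked_hash)


def derive(password: str, salt: bytes, iterations: int) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), returned as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str, iterations: int = 20_000) -> dict:
    """What a site should keep: a per-user random salt, the iteration count, the result."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": derive(password, salt, iterations)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = derive(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_guess(record: dict) -> float:
    """Wall-clock cost of one wrong guess against the record; this is what iterations buy."""
    start = time.perf_counter()
    verify_password(record, "not-the-password")
    return time.perf_counter() - start


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked = md5_hex("William2012")  # what the attacker reads out of the dump
    print("unsalted MD5, table lookup:", lookup(table, leaked))  # William2012, straight back

    record = store_password("William2012")
    print("same table vs salted hash:", lookup(table, record["hash"]))  # None: table is useless
    print("login with the right password:", verify_password(record, "William2012"))
    print("seconds per guess at", record["iterations"], "iterations:",
          round(seconds_per_guess(record), 4))
```

Run it twice and note that the salted record differs each time even though the password is the same: that is the per-user salt doing its job. The per-guess time is the quantity to tune on a real site; raise the iteration count until a guess costs what your login path can afford.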

Password Managers

With all this firmly in mind, it’s clear why Bob is at risk using a single password for all his sites. Many users utilize online password managers such as LastPass or Dashlane, meaning they never need to remember any password except, of course, the one for the password manager itself. Some of these are free and fit seamlessly into your internet browser to automatically populate username and password fields when you visit sites for which you have saved credentials.

Two Factor Authentication

The problem that still remains with passwords is that they are static and unchanging. With compute power constantly increasing and big hacks taking months to perpetrate on the down low, sites and services that use legacy technology may be living on borrowed time. But there is a light at the end of the tunnel, and many of us carry it around in our pockets already. It’s called two-factor authentication and it’s supported by many leading sites and online services (see turnon2fa.com for a near-complete and ever-increasing list). It adds an additional layer to your security by requiring the entry of a “one-time password” (OTP) at each login. This can be in the form of an SMS to your cellphone or a 6-digit code generated by an app on your cellphone. In the case of the latter, the code is derived from a secret shared with the site and the current time, and it changes every 30 seconds, meaning an attacker would need your password AND the correct time-specific code right now to access your accounts. Turning on two-factor authentication has the effect of severely limiting a hacker’s window of attack. Now the odds are stacked back in YOUR favor.

For more information on how our offensive services can help protect your organization from attacks, please contact Shay Pinsker at [email protected], or visit our website.