Monday, December 13 2010
Gawker User Account Database Compromise
Another day, another user account database compromise.
Already there are reports of various accounts with trivial, re-used passwords being exploited to send spam, propagate twitter worms, etc.
It's pretty obvious by now that some users simply won't stop widely re-using using the same password. That security drum has beaten loudly for years, yet with every user account compromise it's the same reaction by so many, including among the technically savvy.
Oh no! The password I use everywhere is now public!
A question I have to ask those who re-use passwords is why did you ever trust Gawker in the first place? Why did you trust every employee and intern of that group to do the right thing? Trust that every backup is treated with the appropriate care and concern, every service patched and monitored? Why did you trust that the site hasn't been compromised all along?
Brute force exposing passwords isn't even necessary when nefarious agents have owned a site. They'll just grab it before it's even hashed.
You shouldn't trust these sites with a shared password. You simply shouldn't.
It's actually a breath of fresh air that Gawker is salting and hashing passwords (albeit with the mediocre DES), so technically they're not the worst, though they're certainly not the best. Yet still, we're assuming that there aren't password siphons logging away cleartext before the password ever makes it to the hash.
I'm not singling out Gawker: You shouldn't trust any site except for those that you must (like your bank). If you're panicking now because your trivial password that you use everywhere is out there, you're doing something wrong because it's entirely possible that it was exploited all along.
Input Type="Password" Needs To Grow Up
While only tangentially related to the Gawker exploit, I would like to take this opportunity to revisit a proposal I made half a decade ago: One Password To Rule Them All. In that proposal I opined that the input type="password" element needs to optionally add (perhaps via a secure="secure" attribute):
- Web-wide common complexity requirements (rather than every site manufacturing their own absurd collection of rules for what is or isn't allowed), because...
- The password is automatically varied with the domain and username, and is hashed and/or cryptographically encrypted on the client (and is appropriately blocked from JavaScript value queries)
- Meaning that you never give up your password to any site. They only get a hash of your password, which they should hash again or encrypt again (preferrably with a runtime secret that provides slightly more obfuscation. If you then blowfished that hash with a runtime prefix that came from a web service and isn't statically stored in your code, that's an additional check on breaking your passwords in the vast majority of real-world cases)
- And phishing is made vastly more difficult.
Ideally this uses a very computationally demanding hash like blowfish over multiple rounds, pushing the envelope of brute force attacks. In my original suggestion I noted that sites should be able to provide variants to avoid replay attacks or eavesdropping vulnerability, though that's an incredibly weak alternative to simply using the proven SSL for that purpose.
What am I missing? Why shouldn't we do this sooner rather than later? Think of this as bringing digest authentication to forms.
Such a scheme improves security in a number of ways, though it only marginally helps in the Gawker scenario (though it does invalidate the simple dictionary attack being performed for the low hanging passwords, each entry could still be brute force evaluated).
Postnotes (2010-12-14)
This entry got a lot of attention, as obviously it's a growing concern. I thought some of the comments deserved responses.
- This will never get adopted because of xyz.
- This isn't a W3C RFC submissions. It's a guy commenting on a blog about the known deficiencies of the password element for the purposes of encouraging discussion. Some of the "it is an imperfect solution therefore it offends my sensibilities" responses are deeply counterproductive. Worse are the "this is so wrong!" comments, speaker desperately looking around for affirmation, with no details.
- You can just brute-force your solution! With an infinite number of cores, quantum-computing...
- I was very vague about the hash/encryption performed, however it is not at all difficult to contrive computationally demanding tactics. You SHA384 the password+username+domain, use that as a key to a blowfish cipher that you use to encrypt a prepared, user-specific 512-byte block, etc. It is not a difficult exercise to contrive a system where it is rationally inconceivable that anyone but the most incredibly resource rich could reasonably brute force compromise your password. Yes, if the NSA really wants to know your twitter password, then sure, they'll probably get it. But for everyone else, it's highly unlikely. It'd be easier for them to just beat it out of you.
- This does nothing for the Gawker attack!
- Aside from the fact that Gawker was using one of the weakest techniques to hash the password, the principal motive of this entry was that you should never have trusted them in the first place! You have no idea what the countless sites you trust your credentials to are doing with your login information, so the repeated outrage when such a leak occurs demonstrates that something is just fundamentally very wrong.
- This doesn't replace SSL
- No. It doesn't. It is not intended to. That completely misses the point.
- Browsers could never change for this. It's too big a change
- This is the one that I find the most remarkable. The web platform landscape has been changing at a blistering pace (many of the innovations like SVG and web workers and canvas having been discussed in detail here), yet securing the password element: Just too difficult. Can't be done.
- Authentication Platforms like OpenID Is Better
- Indeed, for a class of problems they are. They are not exclusive. However in this case I think it's interesting that the password from Gawker is being used to access the Twitter accounts of some people....with that Twitter account being the shared authentication platform used on many other sites.
- But what if the domain changed, subdomains, etc.
- This is intentionally domain specific. Very intentionally.
- But it's a password-equivalent hash
- Aside from the fact that this isn't a replacement for SSL, the intent of this is to avoid any given site (or those who have a database backup or who've installed an interception trojan, etc) knowing what your real password (or password family) is. The intention is avoiding an exploit of one site ever overflowing to other sites, which is exactly why this is a big deal. Otherwise Gawker could have simply reset every single password on the site and sent out password change emails to users and it wouldn't be a concern at all.
And you can't think of any ways to easily exploit this scheme?
Brian @ 12/13/2010 8:39:06 AM
Think. You don't see what's wrong with this?
Rudiger @ 12/13/2010 8:49:12 AM
I don't think that at this point we'd want to automatically make every input[type=password] field do this due to legacy concerns, but it sounds like a nice idea for a new input type. Though that'd require backward compatibility with all the browsers still in use... meaning we'd start seeing javascript fallback implementations, and sites using this new field wouldn't work for users in old browsers with javascript disabled.
It's probably worth the few years of pain now to improve passwords on the web in the future though.
It's probably worth the few years of pain now to improve passwords on the web in the future though.
Ty @ 12/13/2010 8:55:39 AM
The website and username are public information (or easily discoverable if you have enough information to get the hash). So this doesn't really prevent very much.
kats @ 12/13/2010 9:00:59 AM
You need a unique number so that there are no replay attacks.
Usually the cookie or token is given by the server to add some more information, and for that the server needs to know the clear text password
Usually the cookie or token is given by the server to add some more information, and for that the server needs to know the clear text password
Varun @ 12/13/2010 9:02:39 AM
<em>The password is automatically salted with the domain and username</em>
...which is exactly as secure as Gawker.com themselves doing a salt+hash.
Let's for a minute assume what you're proposing is what's being done. Gawker has been attacked. The hacker has the columns "password" and "username". Hacker knows the domain name. You're exactly where you left off!
Even if the password has been again hashed and salted on the server - that's just an extra round of cracking (or, more realistically, rainbow-table matching).
What you _should_ be doing is using a single, trusted and very much secure password provider (a la OpenID). Hacker attacks your site, gains nothing. And if you must do the authentication yourself, or the nature of your userbase prevents you from outsourcing the authentication (perhaps <em>you</em> are the OpenID provider we're talking about earlier), you need to be using something more complex than a silly MDx or even SHAx to do the hash - these are made for boiling down huge amounts of data into a small field of not more than ~256-4096 bytes - which is NOT what you want. Look at bcrypt - it's DESIGNED for this. It's a solution waiting for more and more attacks like Gawker.com so lazy and incompetent developers worldwide will use this existing, plug-and-play, simple, direct, and safe alternative to what they're currently doing.
...which is exactly as secure as Gawker.com themselves doing a salt+hash.
Let's for a minute assume what you're proposing is what's being done. Gawker has been attacked. The hacker has the columns "password" and "username". Hacker knows the domain name. You're exactly where you left off!
Even if the password has been again hashed and salted on the server - that's just an extra round of cracking (or, more realistically, rainbow-table matching).
What you _should_ be doing is using a single, trusted and very much secure password provider (a la OpenID). Hacker attacks your site, gains nothing. And if you must do the authentication yourself, or the nature of your userbase prevents you from outsourcing the authentication (perhaps <em>you</em> are the OpenID provider we're talking about earlier), you need to be using something more complex than a silly MDx or even SHAx to do the hash - these are made for boiling down huge amounts of data into a small field of not more than ~256-4096 bytes - which is NOT what you want. Look at bcrypt - it's DESIGNED for this. It's a solution waiting for more and more attacks like Gawker.com so lazy and incompetent developers worldwide will use this existing, plug-and-play, simple, direct, and safe alternative to what they're currently doing.
Mahmoud Al-Qudsi @ 12/13/2010 9:02:41 AM
<em>The password is automatically salted with the domain and username</em>
...which is exactly as secure as Gawker.com themselves doing a salt+hash.
Let's for a minute assume what you're proposing is what's being done. Gawker has been attacked. The hacker has the columns "password" and "username". Hacker knows the domain name. You're exactly where you left off!
Even if the password has been again hashed and salted on the server - that's just an extra round of cracking (or, more realistically, rainbow-table matching).
What you _should_ be doing is using a single, trusted and very much secure password provider (a la OpenID). Hacker attacks your site, gains nothing. And if you must do the authentication yourself, or the nature of your userbase prevents you from outsourcing the authentication (perhaps <em>you</em> are the OpenID provider we're talking about earlier), you need to be using something more complex than a silly MDx or even SHAx to do the hash - these are made for boiling down huge amounts of data into a small field of not more than ~256-4096 bytes - which is NOT what you want. Look at bcrypt - it's DESIGNED for this. It's a solution waiting for more and more attacks like Gawker.com so lazy and incompetent developers worldwide will use this existing, plug-and-play, simple, direct, and safe alternative to what they're currently doing.
...which is exactly as secure as Gawker.com themselves doing a salt+hash.
Let's for a minute assume what you're proposing is what's being done. Gawker has been attacked. The hacker has the columns "password" and "username". Hacker knows the domain name. You're exactly where you left off!
Even if the password has been again hashed and salted on the server - that's just an extra round of cracking (or, more realistically, rainbow-table matching).
What you _should_ be doing is using a single, trusted and very much secure password provider (a la OpenID). Hacker attacks your site, gains nothing. And if you must do the authentication yourself, or the nature of your userbase prevents you from outsourcing the authentication (perhaps <em>you</em> are the OpenID provider we're talking about earlier), you need to be using something more complex than a silly MDx or even SHAx to do the hash - these are made for boiling down huge amounts of data into a small field of not more than ~256-4096 bytes - which is NOT what you want. Look at bcrypt - it's DESIGNED for this. It's a solution waiting for more and more attacks like Gawker.com so lazy and incompetent developers worldwide will use this existing, plug-and-play, simple, direct, and safe alternative to what they're currently doing.
Mahmoud Al-Qudsi @ 12/13/2010 9:02:47 AM
You need a unique number so that there are no replay attacks.
Usually the cookie or token is given by the server to add some more information, and for that the server needs to know the clear text password
Usually the cookie or token is given by the server to add some more information, and for that the server needs to know the clear text password
Varun @ 12/13/2010 9:04:30 AM
"Web-wide common complexity requirements (rather than every site manufacturing their own absurd collection of rules), because..."
Would you suggest a tiered system (e.g. an attribute?): "simple", "advanced", "supersecure". Or, would you want one level of security? If you limit the possible strengths then you will ultimately limit security, not a good thing.
Also, those "absurd" collections of rules are the fault of the developers or business not understanding security.
"The password is automatically salted with the domain and username, and is hashed on the client (and is appropriately blocked from JavaScript value queries)"
I'll agree to a point, especially using the $username as a salt. This will force unique rainbow tables to be created (or at least comparisons) for each user.
Sure, go ahead and hash the data on the client, but how do you expect to transfer the data? Over a secure channel? Or do you expect each website to make an API for browsers to securely send the password to?
"Meaning that you never give up your password to any site. They only get a hash of your password which they can, if they'd like, hash again"
Hashing a hash limits the possible character set to 16 possible characters, and it sets a known character length. Thus, the domain will be less (and "easy" to create rainbow tables).
Also, what hash will be used? Will the hash(es) need to be a few set hashes? Will you support HMAC? What if a website (paypal) wants to use a super secure hash or greatly increase the complexity of input?
"And phishing is made vastly more difficult."
How? Phishing is just stealing data, it's not always computing with the data. The best way to eliminate phishing is with global secure channels. (HTTPS)
Btw, why doesn't your form submit without javascript?
Would you suggest a tiered system (e.g. an attribute?): "simple", "advanced", "supersecure". Or, would you want one level of security? If you limit the possible strengths then you will ultimately limit security, not a good thing.
Also, those "absurd" collections of rules are the fault of the developers or business not understanding security.
"The password is automatically salted with the domain and username, and is hashed on the client (and is appropriately blocked from JavaScript value queries)"
I'll agree to a point, especially using the $username as a salt. This will force unique rainbow tables to be created (or at least comparisons) for each user.
Sure, go ahead and hash the data on the client, but how do you expect to transfer the data? Over a secure channel? Or do you expect each website to make an API for browsers to securely send the password to?
"Meaning that you never give up your password to any site. They only get a hash of your password which they can, if they'd like, hash again"
Hashing a hash limits the possible character set to 16 possible characters, and it sets a known character length. Thus, the domain will be less (and "easy" to create rainbow tables).
Also, what hash will be used? Will the hash(es) need to be a few set hashes? Will you support HMAC? What if a website (paypal) wants to use a super secure hash or greatly increase the complexity of input?
"And phishing is made vastly more difficult."
How? Phishing is just stealing data, it's not always computing with the data. The best way to eliminate phishing is with global secure channels. (HTTPS)
Btw, why doesn't your form submit without javascript?
Adam Shannon @ 12/13/2010 9:06:26 AM
Your suggestion is flawed start to finish, nothing of that will improve security, in fact will make the issue worst.
Cristian Rodriguez @ 12/13/2010 9:10:04 AM
Client side hashing of the password seems like a good idea to me, and I cant see any draw backs.
James Westgate @ 12/13/2010 9:12:13 AM
I hate it when people ask a question to make a statement. What's wrong with this scheme is that if you use the same password everywhere, a compromise in one place leads to a compromise everywhere. Also, salting the password (as you describe above), (from a security perspective), is no stronger than the original password. The resulting hash is in fact a password and has to be protected in transit and in storage just like a password.
The moment you get into strong protective mechanisms, you create a nightmare for the user to synchronize the strong mechanism between their portable devices and their desktop. For example, a strong authentication system would have the website send a random value in a hidden field. The browser would have shared a password the user doesn't even know (the user's password unlocks the storage for the website password). Then the browser encrypts that random value and sends it back to the website. Such a system would be very strong (a compromise of "passwords" on one website would net _nothing_ of value for attacking a different website).
On the one hand, weak security like user managed passwords lead to the same password being used everywhere and the problems of one compromise leading to severe problems. On the other hand, strong authentication systems make it _really_ hard for unsophisticated users to keep things synchronized between all of their devices.
Also, in strong systems, the point of attack moves from the website password storage to the user's password storage. If strong authentication systems become widespread, then crackers will simply write malware to get access to the user's password storage (which they are already doing).
So, if I have a point to make, it would be that there are no magic solutions and that no matter what solution comes out, the user's have to become sophisticated enough to understand what's at risk and how to best protect themselves.
The moment you get into strong protective mechanisms, you create a nightmare for the user to synchronize the strong mechanism between their portable devices and their desktop. For example, a strong authentication system would have the website send a random value in a hidden field. The browser would have shared a password the user doesn't even know (the user's password unlocks the storage for the website password). Then the browser encrypts that random value and sends it back to the website. Such a system would be very strong (a compromise of "passwords" on one website would net _nothing_ of value for attacking a different website).
On the one hand, weak security like user managed passwords lead to the same password being used everywhere and the problems of one compromise leading to severe problems. On the other hand, strong authentication systems make it _really_ hard for unsophisticated users to keep things synchronized between all of their devices.
Also, in strong systems, the point of attack moves from the website password storage to the user's password storage. If strong authentication systems become widespread, then crackers will simply write malware to get access to the user's password storage (which they are already doing).
So, if I have a point to make, it would be that there are no magic solutions and that no matter what solution comes out, the user's have to become sophisticated enough to understand what's at risk and how to best protect themselves.
Gustavo @ 12/13/2010 9:17:43 AM
"How do you expect to transfer the data? Over a secure channel?"
Yes, it's called HTTPS for a reason.
"The best way to eliminate phishing is with global secure channels."
This isn't easy to solve with technology. The main reason is that users don't know enough to check their URL bar and can't be expected to know exactly what kinds of URLs are suspicious. The whole extended cert thing is nice, but not perfect considering how many valid sites don't use it. Salting with the domain name will ensure that a phisher at "www.bankofamerica.evil.com" gets something totally unusable on any other site.
"Hashing a hash limits the possible character set to 16 possible characters, and it sets a known character length."
Also not important. The main issue here is bit length. If there is 128 bits in the final hash, that's 128 bits of security, unless something else is known. If I know that the password hash sent by the client is exactly 256 bits, that is the same security as knowing that the password hash is any value from 1-255 bits randomly. Considering the strength of the original password the was probably on the order of 18 bits (http://en.wikipedia.org/wiki/Password_strength) this is damn secure.
OK, so enough problems with other commenters: I think this is a decent idea. Of course it's vulnerable to brute force attack. I don't know any password storage scheme that isn't. If an attacker gets your plaintext password, then they know your username and the domain, and can go to town. At least they need to calculate the entire brute force attack again for each user. But then again, they shouldn't get your plaintext password.
Also, this is not necessarily something that requires participation by any third party to implement. Someone could make a chrome/firefox addon that does this. Then anyone who wants this could start using it, and if it turns out to work well then the big boys could try it.
Yes, it's called HTTPS for a reason.
"The best way to eliminate phishing is with global secure channels."
This isn't easy to solve with technology. The main reason is that users don't know enough to check their URL bar and can't be expected to know exactly what kinds of URLs are suspicious. The whole extended cert thing is nice, but not perfect considering how many valid sites don't use it. Salting with the domain name will ensure that a phisher at "www.bankofamerica.evil.com" gets something totally unusable on any other site.
"Hashing a hash limits the possible character set to 16 possible characters, and it sets a known character length."
Also not important. The main issue here is bit length. If there is 128 bits in the final hash, that's 128 bits of security, unless something else is known. If I know that the password hash sent by the client is exactly 256 bits, that is the same security as knowing that the password hash is any value from 1-255 bits randomly. Considering the strength of the original password the was probably on the order of 18 bits (http://en.wikipedia.org/wiki/Password_strength) this is damn secure.
OK, so enough problems with other commenters: I think this is a decent idea. Of course it's vulnerable to brute force attack. I don't know any password storage scheme that isn't. If an attacker gets your plaintext password, then they know your username and the domain, and can go to town. At least they need to calculate the entire brute force attack again for each user. But then again, they shouldn't get your plaintext password.
Also, this is not necessarily something that requires participation by any third party to implement. Someone could make a chrome/firefox addon that does this. Then anyone who wants this could start using it, and if it turns out to work well then the big boys could try it.
Alex O @ 12/13/2010 9:43:44 AM
This is already available for all the major browsers, in the form of an extension. I've been using this implementation of it for several years now: http://wijjo.com/Category/Passwordhasher
I've always wondered whether there were any security implications with this that i hadn't thought of (i've spent a lot of time trying to think of weaknesses to this approach), so i was excited to see it discussed here, hoping that maybe someone would be able to shine light on whether there are in fact any flaws with it. i'm disappointed to see that so far the response has largely been to simply call it stupid, without really discussing it.
i continue to hope that we'll get some back and forth on its pros and cons.
I've always wondered whether there were any security implications with this that i hadn't thought of (i've spent a lot of time trying to think of weaknesses to this approach), so i was excited to see it discussed here, hoping that maybe someone would be able to shine light on whether there are in fact any flaws with it. i'm disappointed to see that so far the response has largely been to simply call it stupid, without really discussing it.
i continue to hope that we'll get some back and forth on its pros and cons.
joh6nn @ 12/13/2010 11:55:29 AM
Umm... yeah... This was all solved ten years ago. You're not supposed to use input type=password, authentication was built into HTTP long ago and it supports well designed client side password hashing as well. (This has the advantage of telling proxies and such that the session is authenticated.)
Problems are that web sites won't use it, mainly because designers doesn't think its cool enough. Plus clients never added a logout button which is somewhat problematic.
Problems are that web sites won't use it, mainly because designers doesn't think its cool enough. Plus clients never added a logout button which is somewhat problematic.
Jonas B. @ 12/13/2010 2:37:29 PM
There is a Stanford research project that hashes passwords with domain names as you suggest: http://crypto.stanford.edu/PwdHash/
Joachim @ 12/13/2010 5:06:56 PM
"And phishing is made vastly more difficult."
I'd be interested in hearing how. To my mind, this scheme makes phishing more dangerous: a user could be tricked into entering his/her master password into an insecure form (yes there could be UI hints but evidence shows that people ignore those), and then the phisherman can log into *any* site as that user, not just the one on which the phishing attack was performed. The user has been given a false sense of security and this scheme degrades to the worst case of password sharing.
I'd be interested in hearing how. To my mind, this scheme makes phishing more dangerous: a user could be tricked into entering his/her master password into an insecure form (yes there could be UI hints but evidence shows that people ignore those), and then the phisherman can log into *any* site as that user, not just the one on which the phishing attack was performed. The user has been given a false sense of security and this scheme degrades to the worst case of password sharing.
Malcolm Scott @ 12/15/2010 6:25:43 PM
Hi there Malcolm.
The "one password" thing is still not ideal -- every site should have a completely unique password -- but instead is just a tip of the hat towards the reality that too many people do reuse passwords, best practices be damned. The Gawker exploit would be a complete non story otherwise, because who cares whether someone can post comments on Gizmodo in your name?
As to whether users can be fooled by insecure forms, I suppose that's possible but if we just discount that then everything is lost and no security is worth anything. However it would be good if someone tricked you into going to a unicode version of a domain that looked just like a secure site, with an SSL cert signed by one of the far too liberally granted SSL signing companies, that your browser would clearly warn you that you were using an insecure password element. It is not hard to imagine completely unspoofable techniques.
The "one password" thing is still not ideal -- every site should have a completely unique password -- but instead is just a tip of the hat towards the reality that too many people do reuse passwords, best practices be damned. The Gawker exploit would be a complete non story otherwise, because who cares whether someone can post comments on Gizmodo in your name?
As to whether users can be fooled by insecure forms, I suppose that's possible but if we just discount that then everything is lost and no security is worth anything. However it would be good if someone tricked you into going to a unicode version of a domain that looked just like a secure site, with an SSL cert signed by one of the far too liberally granted SSL signing companies, that your browser would clearly warn you that you were using an insecure password element. It is not hard to imagine completely unspoofable techniques.
Dennis Forbes @ 12/16/2010 8:50:53 AM
Name *:
Email Address:
(your email address is not displayed)
Website:
Comment *:
Email Address:
(your email address is not displayed)
Website:
Comment *:
About the Author
Dennis Forbes is a Toronto-based software architect. While focused primarily on the .NET and SQL Server worlds, Dennis frequently ventures outside of this comfort zone into game development and image processing. He has been published in several industry magazines, has been quoted in the Wall Street Journal and has been interviewed by NPR.He is a vice president and lead software architect at an innovative New York City hedge fund back-office services firm.
Dennis has been working on solutions for the financial, telecommunications, and power generation markets for over 15 years.
Jan 03 - What About Android Deactivations?
Nov 10 - Flash (SWF) Is Dead
Oct 25 - Tenom And the Intelligent Home
Oct 07 - The Canonization of Steve Jobs
Sep 29 - The Kindle Fire and Android
Sep 26 - You Are The Product. Get Over It.
Sep 25 - The iPhone's Incredible Halo-Effect
Aug 23 - GUIDs In Your Database
Aug 21 - Software Rules The Earth
Aug 15 - Google buys MMI
The Feed Bag
Oct 24 - Parenthood
Aug 29 - Best SSDs For The Money: August 2011
Jul 24 - The Cost of Patent Trolls
Jul 23 - Cinemagraphs
Jul 20 - Netflix Describes the Chaos Monkeys
Jul 19 - Apple Prints Their Own Money
Jul 08 - Good Database-Related Blog
Jun 23 - tewdew software blog
Jun 13 - Windows 8 Horrifies Devs
May 29 - nvidia demos Kal-El
May 13 - The Problem with HTML5 Audio
May 12 - Google's Unsavory Bullying
May 10 - Android 3.1 Platform