This week professional network LinkedIn and dating site eHarmony were the subjects of an embarrassing hack, exposing their – and their users’ – shortcomings in password security. The hacks show us yet again that we can’t rely on big sites to protect us and ultimately our online security is in our own hands. So what do we do?
The criteria for classing a password as ‘strong’ are constantly changing. As new cracking techniques emerge and cybercrims tap into the extra processing power of GPUs, passwords are getting easier and easier to crack.
It’s not reassuring then, to discover that big-name businesses, like LinkedIn and eHarmony, are not storing our passwords as safely as they could be.
The passwords stolen from LinkedIn’s database were stored as unsalted hashes produced by a cryptographic hash function called SHA-1. A hash function is a one-way algorithm (not encryption, which can be undone with a key): it turns the password into a fixed-length string of characters from which the password cannot be directly recovered, for example (one of the actual leaked passwords and hashes) ‘1loveMYson’ becomes ‘872d6b8e5de06c62ecd24db1bc6f0f6a6e35950e2’.
Because SHA-1 is fast and the hashes were unsalted, they can be cracked with an ordinary CPU simply by hashing likely passwords and looking for matches: our forensics expert cracked 2,000 hashes from the database in just 10 minutes, and a GPU or a more powerful machine would cut that time dramatically.
SHA-1 is an industry-accepted hash function but no longer one of the strongest: weaknesses have been found in its collision resistance and it is being retired from signatures and certificates. For stored passwords, though, collisions are beside the point. What matters is that SHA-1, like its stronger sibling SHA-512, is designed to be fast, and a fast hash is exactly what a cracker wants. Our security expert recommends moving to SHA-512 as a minimum, but a hash built for passwords (bcrypt, scrypt or PBKDF2, which run the underlying hash thousands of times over a salt) is the better choice, because it makes every single guess expensive.
Rubbing the salt in
Whatever hash function is used, SHA-1 included, stored password hashes should be ‘salted’. A salt is a random string of characters, generated separately for each user, that is combined with the password before it is hashed (not added to the finished hash) and stored alongside the result. The salt need not be secret; its job is to make every user’s hash unique.
Salting protects the hashes from a cracking tool called rainbow tables: precomputed tables that map hash outputs back to the inputs that produced them, so that an unsalted hash can be looked up rather than computed. Because each user’s salt is different, the same password produces a different hash for every user, so a precomputed table is useless and the attacker has to attack each hash individually. One caveat: salting does not make any single guess slower, so a salted but fast hash still falls to a GPU dictionary attack against one account at a time.
One of the most concerning revelations of the huge password dump is that the eHarmony passwords were hashed with MD5, a massively outdated function that has been considered broken for years. Worse, the hashes were unsalted, so they could be cracked in seconds with a precomputed table or a plain dictionary run.
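To make the unsalted-versus-salted difference concrete, here is a small Python script, added as an example for this article and not code from LinkedIn, eHarmony or the original post. The wordlist, the three user accounts and their salts are all constructed for the demo (none of the digests are from the real dumps), and the attacker model is the simple one described above: precompute a lookup table once for unsalted hashes, or hash every (salt, guess) pair afresh when salts are present.

```python
import hashlib

# Constructed sample data for this example. The wordlist stands in for the
# dictionaries crackers feed to their tools; the users and passwords are made
# up, and none of the digests produced here come from the LinkedIn or eHarmony dumps.
WORDLIST = ["password", "123456", "letmein", "qwerty",
            "linkedin", "1loveMYson", "dragon"]

def unsalted_hash(password, algo="sha1"):
    """Hash the password on its own, as LinkedIn (SHA-1) and eHarmony (MD5) did."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()

def salted_hash(password, salt, algo="sha1"):
    """Hash salt||password. The salt goes into the input, not onto the digest."""
    return hashlib.new(algo, salt.encode("utf-8") + password.encode("utf-8")).hexdigest()

def build_lookup(wordlist, algo="sha1"):
    """One-off precomputation of digest -> plaintext for every word.

    A rainbow table is a space-optimised version of exactly this idea: the
    attacker pays for it once and reuses it against every unsalted database.
    """
    return {unsalted_hash(word, algo): word for word in wordlist}

def crack_unsalted(stored, wordlist, algo="sha1"):
    """stored: {user: digest}. Every hash is cracked with a single table lookup."""
    table = build_lookup(wordlist, algo)
    return {user: table.get(digest) for user, digest in stored.items()}

def shared_digests(stored):
    """Users whose stored digests are identical: visible without cracking anything."""
    by_digest = {}
    for user, digest in stored.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]

def crack_salted(stored, wordlist, algo="sha1"):
    """stored: {user: (salt, digest)}. Nothing can be precomputed across users,
    so every (salt, guess) pair is hashed afresh. Returns the cracked passwords
    and the number of hash computations the attack cost."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        cracked[user] = None
        for word in wordlist:
            work += 1
            if salted_hash(word, salt, algo) == digest:
                cracked[user] = word
                break
    return cracked, work

def demo():
    """Run both attacks against the same three constructed accounts."""
    users = {"alice": "letmein", "bob": "letmein", "carol": "Wg7#pq!Lz9@Rt2"}
    # Fixed salts so the demo is reproducible; real salts come from os.urandom().
    salts = {"alice": "a1b2c3d4", "bob": "e5f6a7b8", "carol": "c9d0e1f2"}
    unsalted_db = {u: unsalted_hash(p) for u, p in users.items()}
    salted_db = {u: (salts[u], salted_hash(p, salts[u])) for u, p in users.items()}
    cracked_salted, work = crack_salted(salted_db, WORDLIST)
    return (crack_unsalted(unsalted_db, WORDLIST), shared_digests(unsalted_db),
            cracked_salted, work)

if __name__ == "__main__":
    unsalted_result, shared, salted_result, work = demo()
    print("unsalted, one lookup per hash:", unsalted_result)
    print("identical unsalted hashes reveal shared passwords:", shared)
    print("salted, %d hash computations for the same result:" % work, salted_result)
```

With seven words and three accounts the salted attack costs 13 hash computations where the unsalted one cost a single table lookup per account; multiply that by millions of accounts and a wordlist of hundreds of millions of entries and the difference is what keeps a salted dump from being read off a precomputed table. Note that the salted attack still recovers alice’s and bob’s weak passwords: the salt stops reuse of precomputed work, it does not make a bad password good.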
As tests performed last year by our security experts revealed, a six-character password can be cracked in 12 seconds using the extra processing power of a £30 graphics card. That GPU tries 158 million candidate passwords per second (12 seconds is about 1.9 billion guesses, roughly the whole six-character lowercase-plus-digits space), which shatters the belief that a password is safe just because it mixes symbols, numbers and letters: what matters is how many guesses the attacker needs and how fast they can make them, and at six characters no mix of character classes gives enough guesses.
The current top-specification graphics cards, costing £600, make light work of password cracking, processing 10.3 billion passwords per second.
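What those two guess rates mean for passwords of different lengths and alphabets is easiest to see by working the arithmetic through. The script below is an added example for this article, not from the original post or from either company; it takes the 158 million and 10.3 billion guesses-per-second figures quoted above as given, assumes an unsalted fast hash (the rates drop by orders of magnitude for bcrypt or PBKDF2), and the ten-year holding target is an arbitrary assumption for illustration.

```python
# Guess rates the article quotes: the £30 card from last year's test and a
# current £600 top-end card. Both are for one fast, unsalted hash per guess.
RATES = {"£30 GPU": 158e6, "£600 GPU": 10.3e9}

# Size of the alphabet a brute-force run has to iterate for each character.
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}

def keyspace(charset_size, length):
    """Number of candidate passwords of exactly this length over this alphabet."""
    return charset_size ** length

def seconds_to_exhaust(charset_size, length, rate):
    """Worst-case time to try every candidate at the given guesses per second."""
    return keyspace(charset_size, length) / rate

def length_for_target(charset_size, rate, target_seconds):
    """Shortest length whose full keyspace takes at least target_seconds to exhaust."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_seconds:
        length += 1
    return length

def humanise(seconds):
    """Render a duration in the largest sensible unit, e.g. 90 -> '1.5 minutes'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.1f seconds" % seconds

def crack_time_table(rate, lengths=(6, 8, 10, 12)):
    """Rows of (charset, length, human-readable exhaust time) for one guess rate."""
    return [(name, n, humanise(seconds_to_exhaust(size, n, rate)))
            for name, size in CHARSETS.items() for n in lengths]

if __name__ == "__main__":
    ten_years = 10 * 365 * 86400   # assumed holding target for the example
    for label, rate in RATES.items():
        print("== %s, %.3g guesses/second ==" % (label, rate))
        for name, n, t in crack_time_table(rate):
            print("  %-20s %2d chars  %s" % (name, n, t))
        for name, size in CHARSETS.items():
            print("  %2d chars of %s to hold out for ten years"
                  % (length_for_target(size, rate, ten_years), name))
```

Two numbers from the output are worth keeping in mind: against the £600 card, fourteen lowercase letters hold out for ten years of exhaustive search, while ten characters drawn from the full printable set are needed for the same; every extra character multiplies the work by the alphabet size, so length buys far more than swapping a letter for a symbol does.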
Hacks and password dumps are a regular occurrence in cyberspace, and more and more big-name companies, along with their shoddy storage of our details, are being brought to our attention. What can we do if the people we entrust to protect our data aren’t doing it as well as they should? We protect ourselves!
As we previously mentioned, once the password database has been stolen the attacker can make billions of guesses per second offline, so length alone is not enough: a long password built from dictionary words or predictable patterns falls quickly.
Crackers don’t reverse the hash; they guess candidates, hash each one and compare, and they start with the smallest search spaces. A password made only of lowercase letters lives in a tiny space (26 possibilities per character), so it is easy-peasy to crack. Mixing upper and lower case, numbers and symbols raises that to 95 possibilities per character, and every extra character multiplies the work again, so length and variety together are what make a password expensive to guess.
Words that appear in the dictionary, or that could be guessed from anything on your social media profiles – yes, that means your cat’s name or your football team – are unacceptable passwords.
Passphrases that incorporate symbols, numbers and mixed case make it simpler for you to remember longer passwords while keeping them complicated enough to keep out those pesky crackers. For example: 1<3PriNce$sLeIa or Str*w8err1e$&Cr3am (and, now that they are printed here, don’t use these two). Bear in mind that cracking tools know the common substitutions such as $ for s and 3 for e and try them automatically, so the strength comes mainly from the length and the unusual combination of words, not from the substitutions alone.

It’s also wise to use a different password for every account. That way, if your data is compromised by one site, your accounts on other sites aren’t necessarily affected.

Big companies have no excuse, but what about the small guys?
For smaller companies who may not have the huge technical teams that big companies are blessed with, storing passwords and customer data could be a bit of a nightmare.
There are a few simple tips for SMEs who want to do a better job of storing their data. The first is never to store passwords in plain text: store only a salted hash of each one, using a slow password hash such as PBKDF2 (which can be built on SHA-512), bcrypt or scrypt, so that a stolen database still has to be cracked one expensive guess at a time. Other personal data that the business needs to read back, such as usernames and addresses, cannot be hashed; encrypt it at rest and control who holds the key. Never store important data like this in plain text.
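For an SME with no cryptographer on staff, the safest route is a library routine that already does the salting and the slow iteration, and Python’s standard library ships one. The script below is an added example for this article, not code from the original post or from any company mentioned in it; it uses PBKDF2-HMAC-SHA512 from hashlib with a fresh random salt per password, stores the iteration count alongside the hash so it can be raised later, and compares digests in constant time. The record format, the 200,000-iteration count and the 16-byte salt are assumptions for the example and should be tuned to your own hardware.

```python
import base64
import hashlib
import hmac
import os

# Parameters are assumptions for this example; raise ITERATIONS until one
# hash costs your server a noticeable fraction of a second.
ALGO = "sha512"
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: scheme$iterations$salt$digest (base64).

    Storing the parameters with the hash lets verification work on old records
    after the policy changes, and lets needs_rehash() flag them for upgrade.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2-" + ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def _parse(stored):
    """Split a record into (algorithm, iterations, salt bytes, digest bytes)."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if not scheme.startswith("pbkdf2-"):
        raise ValueError("unknown scheme: " + scheme)
    return (scheme[len("pbkdf2-"):], int(iterations),
            base64.b64decode(salt_b64), base64.b64decode(digest_b64))

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with fewer iterations than current policy;
    call hash_password() again on the next successful login to upgrade it."""
    return _parse(stored)[1] < iterations

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
    print(hash_password("correct horse battery staple") == record)  # False: new salt each time
```

The same password hashed twice gives two different records because the salt is fresh each time, which is exactly the property the unsalted LinkedIn and eHarmony databases lacked. hmac.compare_digest matters because a plain == on the digests leaks, through timing, how many leading bytes of a guess were right.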
If you are ever in doubt about how to store your data safely it is always a good option to seek advice from a trusted source who can point you in the right direction, just as you would with financial or legal matters.