|
The technical press is full of reports about the leak of a hashed password file from LinkedIn. Worse yet, we hear, the hashes weren’t salted. The situation is probably both better and worse than it would appear; in any event, it’s more complicated.
Let’s look at the issue of “salting” first. Salting a password file is a technique that dates back to a classic 1979 paper by Morris and Thompson. Without going into the technical details, it generally helps to protect a large, compromised hashed password file against guessing attacks. It’s often less help against a targeted attack, one where the bad guy wants your password. Furthermore, there are situations where conventional salting simply isn’t possible, notably in authentication protocols where both sides need to know a shared secret—typically, either the password itself or a hashed version of it—and there’s no way for one side to send a userid and the other to reply with the salt before authentication. Neither seems to be the case here, but beware of blanket statements that “passwords should always be salted”.
A second common theme in the uproar is “pick strong passwords”. A strong password isn’t a bad idea per se; however, it’s not humanly possible to pick dozens (at least) strong passwords and never write them down anywhere. More importantly, it is very far from clear that password-guessing attacks are the real problem, as compared with keystroke loggers, phishing sites, and server compromise. Fiorencio et al. argue very convincingly that these other threats are far more important today. In fact, in this particular incident server compromise is a very real worry. Was a server compromised, and hence able to transmit all plaintext passwords as they were entered? That depends on both the LinkedIn architecture and the extent of the compromise. LinkedIn assuredly knows the former, though outsiders don’t; the latter may be a lot harder for anyone to ascertain. I can imagine many possible architectures and failure modes; some would imply risk of plaintext capture, while others would not. I can even come up with architectures where the password file could have been compromised without the username list being exposed. It would be unconventional to do things that way, but it would work.
Speaking about common designs and threat models, though, the odds are high that user names were compromised, too, and that accounts with weak passwords are therefore at risk from a guessing attack. We do not know if there was a deeper compromise that would expose strong passwords; if that happened, the accounts that are at most risk are those that have been active—one to which you’ve logged in—“recently”, i.e., since the penetration. Less active accounts are at risk only from guessing. LinkedIn says they’ve reset a lot of passwords, but password reset and recovery schemes tend to be very weak. That implies you should go through that process very soon, and change your password from whatever it is they’ve set it to.
There’s another ironic point here. Once you log in to a web site, it typically notes that fact in a cookie which will serve as the authenticator for future visits to that site. Using cookies in that way has often been criticized as opening people up to all sorts of attacks, including cross-site scripting and session hijacking. But if you do have a valid login cookie and hence don’t have to reenter your password, you’re safer when visiting a compromised site.
There’s one more point: if you reuse passwords across different sites (and most people do, given the impossibility of following conventional advice), you’re at risk on very many other sites. In fact, password reuse is a far bigger problem than weak passwords.
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byWhoisXML API
Sponsored byIPv4.Global
I want to play devils advocate to one of the points you made in this post.
What is theoretically possible for the attacker is not always what is readily practical, and things that are easy to do tend to happen more frequently in the real world.
Once you’ve compromised a system with a password hash file, it is a relatively easy procedure to download that file and then log off. You do have a lot of password cracking work to do, but there are a whole lot of tools out there for doing this kind of cracking, and you can work on it in the comfort of your own home without the risk of being caught.
Certainly if the attacker breached a site’s server infrastructure, he could install a long term tap that would read out cleartext passwords, but this is a much more complicated thing to do. You’d have to figure out how the site’s authentication process worked and install tapping software. You’d run the risk of breaking the sites functionality while getting your tap to work. You’d probably want to set up a server on the Internet on another compromised host to collect the passwords from the tap. You could also store the cleartext passwords locally, but either way you’d have to access that collection point repeatedly in order to get your results back out, each time running the risk that law enforcement might be waiting for you and planning to trace your connection.
Of course it is possible to do all of this, but its much more work, and requires a more sophisticated and persistent attacker. I’ve never seen a toolkit for this operation floating around on the Internet. I am certainly aware of many many tools for cracking hash files. Although my personal knowledge of toolkits is certainly not a scientifically rigorous datapoint, this does lead me to suspect that hash file cracking is a much more common operation in practice.
Given that several large disclosures of consumer website password hash files has occurred over the past couple of years I think this merits inclusion as a principal threat to user credentials, particularly given that we know many of these passwords have been reused on other systems.