Comments on: How To Protect Your Users From Password Theft http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/ Application security testing, analysis, and metrics Thu, 09 Feb 2012 11:59:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Fünf Zeichen sind (manchmal) genug « Erich sieht http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2537 Fünf Zeichen sind (manchmal) genug « Erich sieht Mon, 09 Feb 2009 20:55:31 +0000 http://www.veracode.com/blog/?p=650#comment-2537 [...] (Online-Angriff) oder eben mit dem Hashwert (offline), wenn er ihn kennt. Der Hashwert ist das, was man normalerweise von einem Passwort speichert. Daraus lässt sich das Passwort nicht berechnen, aber man kann umgekehrt den Hashwert eines [...] [...] (Online-Angriff) oder eben mit dem Hashwert (offline), wenn er ihn kennt. Der Hashwert ist das, was man normalerweise von einem Passwort speichert. Daraus lässt sich das Passwort nicht berechnen, aber man kann umgekehrt den Hashwert eines [...]

]]> By: Chris Eng http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2522 Chris Eng Mon, 02 Feb 2009 16:27:16 +0000 http://www.veracode.com/blog/?p=650#comment-2522 @Tejedinne: One SQL injection vulnerability gives you the password for all the users when said passwords are stored in the clear. Yes, in many situations, you could also use a SQL injection vulnerability to overwrite a stored password hash. However, this isn't particularly stealthy and it'll be pretty obvious to the victim when he tries to login and can't. I wasn't suggesting that people use unsalted hashes -- that's why immediately after describing unsalted hashes, I pointed out the rainbow table attack. As for dropping tables or databases, that causes disruption but it doesn't help the attacker. They're usually after the data so it doesn't do them much good to delete it. Information is king. The "CWE/SANS Top 25 Most Dangerous Programming Errors" post was Chris Wysopal's, not mine. I'm sure he'll respond to you when he gets some time. @Tejedinne:

One SQL injection vulnerability gives you the password for all the users when said passwords are stored in the clear.

Yes, in many situations, you could also use a SQL injection vulnerability to overwrite a stored password hash. However, this isn’t particularly stealthy and it’ll be pretty obvious to the victim when he tries to login and can’t. I wasn’t suggesting that people use unsalted hashes — that’s why immediately after describing unsalted hashes, I pointed out the rainbow table attack.

As for dropping tables or databases, that causes disruption but it doesn’t help the attacker. They’re usually after the data so it doesn’t do them much good to delete it. Information is king.

The “CWE/SANS Top 25 Most Dangerous Programming Errors” post was Chris Wysopal’s, not mine. I’m sure he’ll respond to you when he gets some time.

]]> By: Tejeddine Mouelhi http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2519 Tejeddine Mouelhi Mon, 02 Feb 2009 10:11:39 +0000 http://www.veracode.com/blog/?p=650#comment-2519 You wrote 'an attacker just needs to find one SQL Injection vulnerability and he’s got the password for every one of your users.' I am a little bit confused. I thought that 'one SQL injection vulnerability' can update the database to store a one way hashed password. In that case, the solution you propose does not work (except for the one improved with salt). And beyond that I will even say that SQLIA is worse than password theft, you can drop tables/database or even shutdown the server. Am i missing something here ? Kinds regards, P.S. You did not react to my reply on 'CWE/SANS Top 25 Most Dangerous Programming Errors' post You wrote ‘an attacker just needs to find one SQL Injection vulnerability and he’s got the password for every one of your users.’

I am a little bit confused. I thought that ‘one SQL injection vulnerability’ can update the database to store a one way hashed password. In that case, the solution you propose does not work (except for the one improved with salt).
And beyond that I will even say that SQLIA is worse than password theft, you can drop tables/database or even shutdown the server.

Am i missing something here ?

Kinds regards,
P.S. You did not react to my reply on ‘CWE/SANS Top 25 Most Dangerous Programming Errors’ post

]]> By: Chris Eng http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2497 Chris Eng Wed, 28 Jan 2009 21:20:02 +0000 http://www.veracode.com/blog/?p=650#comment-2497 @Klau: Let's assume that the time to recover a password stored as an unsalted SHA-1 is zero (it's not, because the lookup takes a finite amount of time). But it's pretty fast. The reason it's fast is because you've pre-calculated the hashes for all possible inputs. Now let's assume that you're trying to recover a password stored as a salted SHA-1 hash, where the salt is 64 bits. Unless you had some serious computational resources and storage available to you, you probably don't have 2^64 pre-computed rainbow tables (corresponding to each of the 2^64 possible salt values). Since you don't have a rainbow table, you can't simply look up the hash, so your only option is to use brute force. Now you have to calculate the hash for billions of possible passwords until you eventually find the one you're looking for. If we brute force all possible 8-character alphanumeric passwords, you'll have to do that calculation (62^8)/2, or 109 trillion times, on average, before you recover the password. That's what we affectionately refer to as "computationally infeasible." If you throw away the salt, then you can't recover the password. But neither can the authentication routine, which is why you have to store it alongside the password. @Klau:

Let’s assume that the time to recover a password stored as an unsalted SHA-1 is zero (it’s not, because the lookup takes a finite amount of time). But it’s pretty fast. The reason it’s fast is because you’ve pre-calculated the hashes for all possible inputs.

Now let’s assume that you’re trying to recover a password stored as a salted SHA-1 hash, where the salt is 64 bits. Unless you had some serious computational resources and storage available to you, you probably don’t have 2^64 pre-computed rainbow tables (corresponding to each of the 2^64 possible salt values). Since you don’t have a rainbow table, you can’t simply look up the hash, so your only option is to use brute force. Now you have to calculate the hash for billions of possible passwords until you eventually find the one you’re looking for. If we brute force all possible 8-character alphanumeric passwords, you’ll have to do that calculation (62^8)/2, or 109 trillion times, on average, before you recover the password. That’s what we affectionately refer to as “computationally infeasible.”

If you throw away the salt, then you can’t recover the password. But neither can the authentication routine, which is why you have to store it alongside the password.

]]> By: Chris Eng http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2496 Chris Eng Wed, 28 Jan 2009 21:08:34 +0000 http://www.veracode.com/blog/?p=650#comment-2496 @Peter: Ah, I get it now. You're the one actually issuing the CHAP challenge, so you need the plaintext password in order to calculate and verify the hash (or whatever sort of calculation CHAP uses for the verification step, I can't remember). Thanks for the clarification; it's always interesting to hear stories from the field. @Peter:

Ah, I get it now. You’re the one actually issuing the CHAP challenge, so you need the plaintext password in order to calculate and verify the hash (or whatever sort of calculation CHAP uses for the verification step, I can’t remember). Thanks for the clarification; it’s always interesting to hear stories from the field.

]]> By: Peter http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2493 Peter Wed, 28 Jan 2009 17:28:40 +0000 http://www.veracode.com/blog/?p=650#comment-2493 @Chris: The situation I was referring to is if you are writing an authentication backend supporting multiple clients. The clients under your control should absolutely support protocols allowing hashed passwords, as you suggest. If you are required to support a client that only supports CHAP or EAP-MD5, for instance, your backend still has to have access to the plaintext password. I'm not trying to criticize your article - it's very good. I recently was unfortunate enough to have to 'break' a system implemented as you suggest so that it can support legacy protocols, and thought others might appreciate the heads up. In my case, I force the administrator to explicitly enable reversibly encrypted passwords and accept the lowered security (similar to the approach taken by MS IAS.) @Chris:

The situation I was referring to is if you are writing an authentication backend supporting multiple clients. The clients under your control should absolutely support protocols allowing hashed passwords, as you suggest. If you are required to support a client that only supports CHAP or EAP-MD5, for instance, your backend still has to have access to the plaintext password.

I’m not trying to criticize your article – it’s very good. I recently was unfortunate enough to have to ‘break’ a system implemented as you suggest so that it can support legacy protocols, and thought others might appreciate the heads up. In my case, I force the administrator to explicitly enable reversibly encrypted passwords and accept the lowered security (similar to the approach taken by MS IAS.)

]]> By: Klau http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2490 Klau Wed, 28 Jan 2009 11:08:18 +0000 http://www.veracode.com/blog/?p=650#comment-2490 I am a little bit slower, but I still didn't understood a few things from your post: suppose the time to break the MD5/SHA-1 hash is x 1. a) using a salt, can it be cracked using the rainbow tables assuming that you don't know the salt? how much is x now? b) same question, but this time supposing that you have no idea what's the value of the salt I am a little bit slower, but I still didn’t understood a few things from your post:
suppose the time to break the MD5/SHA-1 hash is x

1. a) using a salt, can it be cracked using the rainbow tables assuming that you don’t know the salt? how much is x now?
b) same question, but this time supposing that you have no idea what’s the value of the salt

]]> By: Chris Eng http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2489 Chris Eng Wed, 28 Jan 2009 06:46:43 +0000 http://www.veracode.com/blog/?p=650#comment-2489 @Nate: Thanks. Yes, that point is definitely worth calling out -- I should have emphasized that. I could write an entire post on "don't roll your own" (and you could probably write dozens). ;) @Patrick: I tried to allude to that with the example of md5crypt using 1000 iterations. But I wasn't aware that the practice was called "key stretching." @Nate:

Thanks. Yes, that point is definitely worth calling out — I should have emphasized that. I could write an entire post on “don’t roll your own” (and you could probably write dozens). ;)

@Patrick:

I tried to allude to that with the example of md5crypt using 1000 iterations. But I wasn’t aware that the practice was called “key stretching.”

]]> By: Patrick http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2487 Patrick Tue, 27 Jan 2009 20:27:39 +0000 http://www.veracode.com/blog/?p=650#comment-2487 Don't forget to consider key stretching as an additional countermeasure to salting for weak passwords: http://en.wikipedia.org/wiki/Key_strengthening Don’t forget to consider key stretching as an additional countermeasure to salting for weak passwords: http://en.wikipedia.org/wiki/Key_strengthening

]]> By: Nate http://www.veracode.com/blog/2009/01/how-to-protect-your-users-from-password-theft/comment-page-1/#comment-2485 Nate Tue, 27 Jan 2009 17:33:20 +0000 http://www.veracode.com/blog/?p=650#comment-2485 Good article, but it misses one key point: use an existing implementation of all these functions, don't roll your own. The OpenBSD crypt(3) supports all these features and more (including variable-length hashing to slow an attacker even more). The chance of someone making a mistake when reimplementing this is high, especially someone not familiar with all the security evolution the original went through (8 char limit anyone?) There are even implementations for python and Java: http://www.mindrot.org/projects/py-bcrypt/ http://www.mindrot.org/projects/jBCrypt/ Good article, but it misses one key point: use an existing implementation of all these functions, don’t roll your own. The OpenBSD crypt(3) supports all these features and more (including variable-length hashing to slow an attacker even more). The chance of someone making a mistake when reimplementing this is high, especially someone not familiar with all the security evolution the original went through (8 char limit anyone?)

There are even implementations for python and Java:
http://www.mindrot.org/projects/py-bcrypt/
http://www.mindrot.org/projects/jBCrypt/

]]>