This is a second post about passwords, picking up where Passwords: How Even Your Bank Doesn't Know Your PIN left off. We left off yesterday with the problem that the bad guys can get a whole load of GPUs or FPGAs and hash a huge number of potential passwords. They can then just look and see if they have a match, and if so they have the password. Salt It is not immediately obvious how to protect against this. At least it took a long time before the idea of a salt was invented. I haven't managed to find out who came up with the concept, and even the name doesn't make much sense ("just add salt"). The lookup table approach works because the same password is always hashed to the same hash. A side-effect of this, by the way, is that even without discovering your password, it is possible to work out if you use the same password on different systems. What is done is to add "salt" to the start of the password, a random string of characters is added to the start of a password. The random string has to be generated when the password is stored in the password database, and it has to be stored along with the hash. But, and this is the key insight, the salt does not need to be kept secret. The importance of the salt is that it makes building a complete lookup table completely computationally infeasible. You wouldn't do it this way, but if you added a salt of six decimal digits to the start of each password before encryption, you now have a million different hashes of every password. You now need to have a table a million times as big and it takes a million times as long to calculate it. In the real world, the salt is typically at least as long as the hash, the output of the hash function, usually 256 bits (32 bytes). This is more than the number of particles in the universe, so you are going to have some fundamental problems building that table! Other Weaknesses A general rule of being a bad guy in security is not to attack the cryptography. There are other weaknesses. Social engineering is attacking the people. One famous story I remember, but cannot find online, is a general in the Pentagon during a meeting with a security consultant famous for social engineering (I believe she was called Susan). She had pointed out what I just said, that you don't attack the cryptography, you attack elsewhere. The general pointed out his password was completely unguessable. Susan picked up his business card, dialed the number of his office in LA, and his assistant answered. She said she was an assistant to the person he was visiting in the Pentagon and was with the general, but he'd forgotten his password. Within 30 seconds she had his password. This sort of attack works since we don't expect to be attacked. The general's assistant knew he was at the Pentagon, knew who he was with, and the call probably showed up as coming from the Pentagon. What's to be suspicious of? For more on this topic, see my post Social Engineering . Another big weakness is there may be other ways to get into the system. So-called security questions are an obvious one. Working out my long password by brute force is clearly not going to be feasible. But finding out my mother's maiden name? That may be more than a Google query away, but it is not that hard to find out. The town where I was born? That's not exactly a deep secret. Here's something you might not have thought of if you want to find out people's mother's maiden names (or the name of their first pet, whatever). Set up a juicy website ("secrets of the Hollywood stars" or "daily bargains Amazon doesn't want you to know") and make people register for it. Then get them to put in some security questions in case they forget their password, like...what is your mother's maiden name? Two-Factor Authentication Another way to make passwords more secure is called two-factor authentication. Security is around factors like: Something you know (password, mother's maiden name) Something you have (smartphone, special dongle) Something you are (fingerprint, facial recognition) Normal passwords just use something you know, so just one factor. Using two of these is called two-factor authentication. Using an ATM is two-factor: something you have (your ATM card), and something you know (your PIN). Your PIN, as 4 or 6 digits, is nowhere near secure on its own (you can't use it to log in for online banking, for example). Usually, for two-factor authentication, the password is strengthened by adding the requirement that you have your smartphone and can receive a text message with a special code. On any important system you use, if you can, turn on two-factor authentication. If you are a Cadence employee, you will know that Cadence has switched to two-factor authentication off the Cadence network. You need to use an app on your smartphone to confirm you are trying to log in. In fact, to use the app requires your fingerprint, too, so I believe it is three-factor authentication. Red Flags If you need to reset your password, usually because you have forgotten it, then here are two red flags: The procedure to reset your password should be at least as hard as logging on, otherwise the easiest way to get in for the bad guy is to reset your password. In particular, if you need two-factor authentication to log in, you must require two-factor authentication to change your password too (the bad guy needs not just your mother's maiden name, but also your smartphone). If the system emails you your forgotten password, run away fast. Remember how yesterday's post was titled, pointing out that the bank doesn't even know your PIN? If the system can email you your password, that means they store the passwords in plain text and don't use any of the stuff in this post. If someone steals the password database, they have everyone's passwords. Game over. Read More If you are interested in security, I recommend Bruce Schneier's website Schneier on Security . Nothing much happens in security that doesn't show up on his blog. If you want a monthly summary, he puts it all together in an email called Cryptogram that has been going out since 1998. His latest book is excellent, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World Sign up for Sunday Brunch, the weekly Breakfast Bytes email.![]()
↧