Mar 29 2013

In this article I will first talk about some misconceptions as to what is considered a secure password, and then about how you can leverage different technologies to help you with all your passwords.

In the past few years there has been a sharp increase in websites being hacked and their users' passwords/hashes stolen; in parallel, we are using online services for almost everything: to pay for your local pizzeria delivery, your electricity bills, access your bank account, connect to your work email, etc.

The common advice is to use a different password for each site you register to, but most people don’t. This means that hackers can often reuse credentials they obtained on one website to access another.

One way to counter that issue would be to use some kind of formula, so that you can remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it down. The problem with this solution is: how secure is your formula? How easily could it be reverse engineered? It may not be possible to do so knowing only one password, but what about two? Or three? Or more? Would a pattern start to emerge?

Let’s take an example of a simple password formula: the first letter of each word of an easy-to-remember sentence tailored to a given site, google.com in this example:

I Love My dog And I Liked Google since 1997

The password would be: ILMdAILGs1997

Pretty good… You could also add some punctuation and numbers.

But if you use the same formula somewhere else, this time for yahoo.com, the password would differ by just one letter: ILMdAILYs1997

If you want to make your password “expire” you could change the year at the end of every year. Or add an increasing number or letter every 90 days…

However, a pattern would still be easily identifiable if an attacker gets hold of more than one of your passwords…

Of course, this means someone would need to get your credentials from different sources, Google and Yahoo in this example. But the point is that with the increasing number of websites we subscribe to, we are also increasing the chances that our credentials get stolen and that patterns get discovered.

The passwords need to be different each time and they need to be as random as possible.
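To make the point above concrete, here is an added example (not part of the original post) that applies the post's own "first letter of each word" formula to two site names and measures how little the results differ, then contrasts that with a password drawn from a CSPRNG. The sentence is the one from the post; the 94-symbol alphabet and the 20-character length are assumptions for the random generator. For an attacker who already knows the formula, the only unknown in the formula password is the site word, so its effective entropy is close to zero, whereas the random password carries `length * log2(94)` bits.

```python
import math
import secrets
import string


# Added illustration of the post's "first letter of each word" formula.
# The sentence is the one from the post; only the site word changes.
def formula_password(site_word: str) -> str:
    """Apply the memorable-sentence formula for one site (site word capitalised)."""
    sentence = f"I Love My dog And I Liked {site_word} since 1997"
    words = sentence.split()
    initials = "".join(w[0] for w in words[:-1])  # the year is kept whole
    return initials + words[-1]


def hamming_distance(a: str, b: str) -> int:
    """Count the positions in which two equal-length passwords differ."""
    if len(a) != len(b):
        raise ValueError("passwords must have the same length")
    return sum(x != y for x, y in zip(a, b))


# Printable ASCII minus whitespace: 94 symbols (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20) -> str:
    """Draw each character uniformly with the CSPRNG behind `secrets`.

    `random.choice` is seeded predictably and must not be used for this;
    `secrets.choice` uses the operating system's CSPRNG.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    google = formula_password("Google")
    yahoo = formula_password("Yahoo")
    print(google, yahoo, "differ in", hamming_distance(google, yahoo), "position(s)")
    a, b = random_password(), random_password()
    print(a, b, "differ in", hamming_distance(a, b), "position(s)")
    print(f"{entropy_bits(20):.1f} bits for a random 20-character password")
```

Running it reproduces the two passwords from the post (`ILMdAILGs1997` and `ILMdAILYs1997`, Hamming distance 1), while two random 20-character passwords typically differ in nearly every position.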

Not writing your password down, whether on a post-it or in a file (encrypted or not), but remembering it sounds like the most secure solution. Until you look a bit deeper at how all your different passwords are constructed. If you have a solution to remember truly random and unique passwords then please contact me, and if not, then read on…

The best way to use unique, random and strong passwords is to save them into a password safe: software that acts as a safe for sensitive information by storing it in an encrypted database. All your passwords are then protected by a master key/password.

Password safes are not new, in fact one of the most popular has been around since 2002.

http://passwordsafe.sourceforge.net/

But what is new is how you can achieve the following requirements, so you do not compromise on usability:

- Passwords need to be accessible from all your devices

- Passwords need to be backed up securely

- Passwords need to be easy to reset

This is where Cloud storage can help you.

You can use Password Safe from Sourceforge to create your list of encrypted and secured strong passwords, store that secure database on a cloud storage service such as Dropbox, then synchronise the Dropbox folder holding your password safe database across your different computers. You can even install a version of Password Safe on your mobile devices and connect it to your Dropbox account. You should also make local backups regularly.

Doing this allows you to access and modify your passwords at all times, from anywhere.

You do, however, rely on how secure the implementation of Password Safe is on each platform you install it on, and if someone installs a keylogger on your computer then you could lose control of all your passwords!

By using a password safe and cloud storage technology you ensure your safe is backed up (Dropbox), that all your devices have access to it so you can easily configure your email clients, web site logins, web applications, etc., and that changing a password is not a pain anymore, as you don’t need to remember it!

The only password you need to remember is the master password to your safe which you should not reuse anywhere else.

Oct 15 2012

RSA recently announced their Distributed Credential Protection (DCP) technology, which should help address the impact of password leakage/theft when the system where they are stored gets compromised. They accomplish that by splitting up stored credentials across different systems.

In its current implementation it uses two servers: one server (BLUE) stores the password XORed with a random number, and another server (RED) stores that random number.
When a user wants to authenticate, the client XORs the password with its own, freshly chosen random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess BLUE must communicate with the RED server to get the corresponding random numbers.

An overview of this process is given THERE.
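The following is an added model of the two-server split described above; it is a constructed illustration, not RSA's DCP code, and the real protocol may differ. One assumption is that the password is first reduced to a fixed-length SHA-256 digest so that every XOR operand is 32 bytes. It shows one way the comparison step can be done so that neither server ever holds the digest: each server XORs what it stored with what the client just sent, and the only value that has to cross between BLUE and RED is `r XOR r'`, which is independent of the password.

```python
import hashlib
import hmac
import secrets

# Constructed model of the BLUE/RED XOR split; not RSA's implementation.
# Assumption: passwords are reduced to a 32-byte SHA-256 digest before splitting.
SHARE_LEN = 32


def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != SHARE_LEN or len(b) != SHARE_LEN:
        raise ValueError("shares must be exactly SHARE_LEN bytes")
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """One of the two stores; holds a single 32-byte share per user."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.shares = {}  # username -> 32-byte share


def register(blue: Server, red: Server, user: str, password: str) -> None:
    """Split the digest d: BLUE keeps d XOR r, RED keeps r."""
    r = secrets.token_bytes(SHARE_LEN)
    blue.shares[user] = _xor(_digest(password), r)
    red.shares[user] = r


def login(blue: Server, red: Server, user: str, password: str) -> bool:
    """Verify a password without either server seeing the digest.

    The client picks a fresh r' and sends d' XOR r' to BLUE and r' to RED.
    Each server XORs what it stored with what it received:
        BLUE: (d XOR r) XOR (d' XOR r') = (d XOR d') XOR (r XOR r')
        RED:  r XOR r'
    The two results are equal exactly when d == d'. Only r XOR r' has to be
    exchanged between the servers, and it carries no password information.
    """
    if user not in blue.shares or user not in red.shares:
        return False
    r_new = secrets.token_bytes(SHARE_LEN)
    to_blue = _xor(_digest(password), r_new)
    to_red = r_new
    blue_result = _xor(blue.shares[user], to_blue)
    red_result = _xor(red.shares[user], to_red)
    # Constant-time comparison of the two servers' results.
    return hmac.compare_digest(blue_result, red_result)


if __name__ == "__main__":
    blue, red = Server("BLUE"), Server("RED")
    register(blue, red, "alice", "correct horse battery")
    print("right password:", login(blue, red, "alice", "correct horse battery"))
    print("wrong password:", login(blue, red, "alice", "Tr0ub4dor&3"))
    # Either share on its own is a uniformly random 32-byte string.
    print("BLUE share:", blue.shares["alice"].hex())
    print("RED share: ", red.shares["alice"].hex())
```

A database dump from either server alone is a table of uniformly random 32-byte values; only the XOR of both shares reconstructs the digest, which is what the test below checks.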

I think it is a great idea, and it leverages what is called Threshold Cryptography, which is “the art of chopping a secret into little bits”. A few things come to mind though:

- Why use only 2 servers? This could be expanded to multiple servers, each with different security settings/OS, thus making it harder to compromise.

- Why only apply this to passwords? What about documents/files?

- To verify the password is correct, the servers must be communicating at some point to get the XORed password and the random number used. If that’s the case, then if the BLUE server gets compromised, what stops the attacker from misusing the communication/protocol and leveraging the compromised BLUE server to gain information from the RED server, thus removing the need to compromise that server too? I could not get enough information at this time on how RSA verifies that the passwords are valid, so I would hope they have thought about that in their design.

- Again, this will not stop the number one issue with passwords: human weakness (post-its, simple passwords, eavesdropping, man in the middle/coffee shop, etc.).

It is definitely an interesting technology, which I hope to learn more about soon!

Mar 02 2012

After looking at the new features listed for Windows 8, one in particular caught my attention: The Picture Password Login.
It is a very refreshing approach to authentication!

You are presented with a photo at log in and, instead of entering a password, you have to touch the image according to the “allowed” touch sequence you registered your user with. In some respects it is similar to the existing gesture based authentication mechanisms you can find on some smartphones (anyone remember that feature on the Palm V?!), but I think it is taken to the next step.
Microsoft is maybe trying to do to passwords what Apple did to the Walkman.

By providing you with a photo of your choice (e.g. your own family picture) and a restricted number of gestures (point, draw a line and circle), it is easier to remember a sequence, more natural and more personal. For example, you would circle the head of your best friend, touch the feet of your child and stroke your dog…
It is simple, yet secure because there is a very large number of possible combinations. Or is there?

I can see the appeal but I wonder about the following:
a) Could someone who knows about you guess what you are likely to touch on that photo first, second, third, etc.?
b) It would be visually very easy to remember, for you… and also for anyone looking over your shoulder!

I am therefore not 100% convinced, but it would make hardware keyloggers more difficult to design (software ones should work just as well as now, by capturing a screenshot together with the logged gestures). And it could actually improve security over a complex password on a post-it or a very simple “hello” password. However, how would this work in an open office environment where everyone can see your screen?

In any case, well done Microsoft! As stated at the beginning of this article, it is a very refreshing approach to authentication, and a bold one!

More information can be found in that article and below is a demonstration video of this feature.

[youtube p48DLz3JG8A]

Oct 14 2011

I used to have one password. It was the password to my Unix student account and it was in the mid nineties!

Since then, I must have dozens of passwords for work/home computers, websites, files, etc. Having a truly different password each time is almost impossible unless you use some kind of password safe application. Or you could use some kind of clever formula; I do emphasise the “clever”, because if your formula generates the same password with a simple variant at the end of it, a hacker who has access to more than one of your passwords could find out what that formula is quite easily.

Another issue is the username. Most security warnings are about users reusing the same password; while that is indeed true, there is also an issue with using the same username everywhere. I would argue it is more important to start with a known username than a known password.

The recent attack against Sony shows that credentials stolen from other companies/websites can be reused to mount generic brute force attacks. This is echoed in another recent article about the increasing danger of consoles and their online credentials, which can sometimes be the same as those used for corporate access, especially with Windows Live ID. I would again argue that it isn’t just an issue with consoles, as many people re-use the username they use the most, their work or home username, when registering to new websites.

There is, however, a trade-off to be made between the highest level of security, a random username and password for each of your logins, and something you can use without having to think about or look up every 5 minutes.

I would start with a different password for every login… and change them from time to time.

Jun 27 2011

Brute force password cracking has been around for a while, but in the last few years a new way to use your brand new graphics card has emerged which makes high performance attacks against passwords much cheaper and easier.

This is because the “brain” of those graphics cards, the Graphics Processing Unit or GPU, is designed to handle mathematical and repetitive tasks very efficiently.

There is a very good article about this topic on the ERRATA SECURITY blog with some interesting facts:

- Although GPUs are now found in most electronic devices (e.g. phones), dedicated PC cards are obviously better

- Radeon is better than GeForce

- Although you can use more than one GPU, the benefits are not exponential and most people only need 1 or 2 GPUs.

- This is because past 8 characters, a password becomes near impossible to brute force. It would take too long, regardless of the number of GPUs you use!

- Some people actually slow down the computer memory to reduce voltage and thus heat. All that matters is the GPU!

- What you would use a GPU against:

  • Bitcoin hash calculation (Bitcoin is a digital currency)
  • WPA passwords: as you cannot really use rainbow tables, brute force can be useful! In fact this is true for any “salted” passwords.
  • Protected documents: ZIP, Office, etc.

Some of the software you need if you want to experiment yourself can be found on the Golubev website.
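Two of the points above, that salted hashes (WPA included) defeat rainbow tables and that brute force stops being practical past about 8 characters, can be shown in a few lines. This is an added example and not code from the Errata Security post or the Golubev tools; the wordlist, the leaked hashes and the 1e9 guesses/second rate are all constructed figures chosen for illustration. It builds a small precomputed lookup table of unsalted SHA-256 hashes (the amortised work a rainbow table represents), shows that the same table recovers nothing once a per-user salt is added, and then tabulates worst-case exhaustion time for a 94-symbol alphabet at increasing lengths.

```python
import hashlib
import secrets

# Constructed stand-in for a wordlist; real ones hold millions of entries.
WORDLIST = ["password", "letmein", "summer2011", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical input, identical output, every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over a per-user random salt plus the password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Hash every word once; this is the precomputation a rainbow table amortises."""
    return {unsalted_hash(w): w for w in wordlist}


def recover_from_table(table, leaked_hashes):
    """Return {hash: password} for every leaked hash the precomputed table knows."""
    return {h: table[h] for h in leaked_hashes if h in table}


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": three users' hashes, once unsalted and once salted.
    users = ["letmein", "dragon", "qwerty"]
    unsalted_leak = [unsalted_hash(p) for p in users]
    salted_leak = [salted_hash(p, secrets.token_bytes(16)) for p in users]
    print("unsalted hashes recovered by the table:", len(recover_from_table(table, unsalted_leak)))  # 3
    print("salted hashes recovered by the table:  ", len(recover_from_table(table, salted_leak)))    # 0
    # Exhaustion time for a 94-symbol alphabet at an assumed 1e9 guesses/second.
    for n in (6, 8, 10, 12):
        days = seconds_to_exhaust(94, n, 1e9) / 86400
        print(f"{n:2d} characters: {days:,.0f} days worst case")
```

With the salt, the only option left is a fresh pass over the wordlist for every single leaked hash, which is exactly why salting matters for bulk leaks; the length table shows the keyspace growing by a factor of 94 per extra character, so going from 8 to 10 characters multiplies the worst-case time by 8,836.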

Update 28/06:
It looks like you can now even get powerful external GPU cards for your notebook, and it is a Radeon!
SONY EXTERNAL GPU DOCK