What’s in a Password?April 30, 2013 – 5:12 AM
Nearly every week now we can read about a data breach case somewhere, where millions of user accounts and potential other sensitive data has been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.
One of the most common attacks used in such breaches is an SQL injection. This attack has ranked first place on OWASPs Top 10 faults in Web applications for many years. There are several well-known methods to prevent SQL injections, but unfortunately it is still often encountered in productive sites. Furthermore, mis-configured Web servers and vulnerabilities in remote management tools can allow attackers to gain access to systems and read potentially sensitive files.
There has long been a heated discussion about how best to store passwords and that discussion is still ongoing. Most people agree that storing passwords in clear text in a database is not a good idea. Although sadly it is still done in a lot of places, usually with the excuse of “no one has read access to the database, so what could possibly go wrong?” As history has repeatedly shown, this argument does not hold true for long.
As a user, you normally do not know how your passwords are stored on a service. One enlightening trick can be to use the password reset function. Some services will send you an email with your password in clear text, which obviously means that they store it in clear text to begin with. If in doubt, you can send the service an enquiry, but most will probably just assure you that they are using state of the art cryptography to protect your password, which does not tell you much.
But the keyword is correct, as most systems have started to use cryptographical one-way functions; so-called hash functions like MD5 or SHA1 are being used to store passwords. Note that these are not password functions, but rather functions that are normally used for creating message digests. By using them on the password and only storing the hash value, the problem of clear text passwords disappears. Unfortunately, attackers can create “rainbow tables”, with pre-computed pairs of passwords and corresponding hash values. With today’s cloud services, generating rainbow tables does not take too long and the combination values can easily be stored. Such a set up would allow a simple lookup to break all common passwords within seconds.