Salt and strong passwords | Why is salt good? Assume the attacker gets a copy of the file with login IDs and hashed passwords. The attacker wants to recover the clear text of the passwords. But they are hashed, and it is not possible to decrypt a hashed password. Or is it? A common 40,000-word dictionary of English words, including common proper names, and a copy of the SHA-1 hashing algorithm are all he needs to crack most of the weaker passwords. This covers the all-time favorites like "secret" and "password." The SHA-1 of "secret" is e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4. Matching that exact character string against every password entry in an unsalted database finds all the IDs with the password "secret," because without salt every user who chose the same password has exactly the same hash.

An attacker's dictionary includes forward and reverse spellings of 40,000 English words, thousands of common words in languages other than English, and thousands more common names. Hash every word in the dictionary with SHA-1. If you have time, increase the workload tenfold by appending a single digit to each dictionary word, and capitalize the first letter of each word as well. You end up with a file of a few million unique hashes, computed once and reusable against every unsalted password file you ever get hold of. Most PCs can compare about 10 million entries per second, and given a little more time the attacker can try more combinations. Match the hashes in your file to the stolen password hashes. Many will be the same, and you will know the clear text passwords for more than 20% of the IDs in the stolen file. This approach won't get you any further with the other passwords; however, if you are persistent you can probably crack a few more by trying more digits, different capitalization, and common two-word combinations.

If the password file had been salted, with a different random salt stored beside each hash, the attacker's job becomes much more time consuming. The precomputed hash file is useless, because the hash of "secret" is now different for every user, and the whole dictionary has to be hashed again under each user's salt. Unique salting means each attack can crack only a single password: when an attacker gets a match he has cracked one password, and the rest of the file remains as secure as it was.

(As of 2008, security specialists estimate they can harvest 20% of the |
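The attack above, worked through in code. This is an added example, not code from the original page: it builds the attacker's precomputed hash file from a constructed ten-word stand-in for the 40,000-word dictionary (forward and reverse spellings, capitalized, with a single digit appended), matches it against a constructed unsalted "stolen" file in one lookup per account, and then shows that the same file is useless against a salted copy of the same accounts, where every dictionary word has to be re-hashed under each user's salt. The user names, passwords and salts are constructed for the example.

```python
import hashlib
import string

# Constructed stand-in for the attacker's 40,000-word dictionary. A handful of
# words keeps the example fast; the real list is only longer, not different.
DICTIONARY = ["secret", "password", "dragon", "monkey", "sunshine",
              "letmein", "qwerty", "football", "maria", "john"]


def sha1_hex(data: str) -> str:
    """Plain SHA-1, the fast hash the text assumes the site used."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def mutations(word: str):
    """Yield the variants the text describes: the word, its reverse, both
    capitalized, and each of those with a single digit appended (x10 work)."""
    bases = list(dict.fromkeys(
        [word, word[::-1], word.capitalize(), word[::-1].capitalize()]))
    for base in bases:
        yield base
        for digit in string.digits:
            yield base + digit


def build_hash_file(dictionary):
    """Attacker's one-time investment: hash -> clear text for every candidate.
    Reusable against every unsalted password file ever stolen."""
    table = {}
    for word in dictionary:
        for candidate in mutations(word):
            table[sha1_hex(candidate)] = candidate
    return table


def make_unsalted_db(creds):
    """How the vulnerable site stores passwords: user -> sha1(password)."""
    return {user: sha1_hex(pw) for user, pw in creds.items()}


def make_salted_db(creds, salts):
    """Salted storage: user -> (salt, sha1(salt + password)), one salt per user.
    Real systems draw the salt from os.urandom; fixed salts keep this deterministic."""
    return {user: (salts[user], sha1_hex(salts[user] + pw))
            for user, pw in creds.items()}


def crack_unsalted(db, table):
    """One dictionary lookup per account; no hashing at all at attack time."""
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db, dictionary):
    """The precomputed table is worthless here: every candidate must be hashed
    again under each user's salt. Returns the cracked accounts and the number
    of hash computations spent getting them."""
    cracked, work = {}, 0
    for user, (salt, h) in db.items():
        for word in dictionary:
            for candidate in mutations(word):
                work += 1
                if sha1_hex(salt + candidate) == h:
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked, work


def demo():
    # Constructed accounts: four weak passwords the dictionary covers, one it does not.
    creds = {"alice": "secret", "bob": "Password7", "carol": "terces",
             "dave": "x9!Gq#2L", "erin": "dragon1"}
    salts = {"alice": "a1", "bob": "b2", "carol": "c3", "dave": "d4", "erin": "e5"}
    table = build_hash_file(DICTIONARY)
    unsalted_hits = crack_unsalted(make_unsalted_db(creds), table)
    salted_hits, work = crack_salted(make_salted_db(creds, salts), DICTIONARY)
    return table, unsalted_hits, salted_hits, work


if __name__ == "__main__":
    table, unsalted_hits, salted_hits, work = demo()
    print(f"precomputed hashes: {len(table)}")
    print(f"unsalted: cracked {sorted(unsalted_hits)} with 0 hashes at attack time")
    print(f"salted:   cracked {sorted(salted_hits)} but spent {work} hashes")
```

The same four weak passwords fall either way; what the salt changes is the cost and the reuse. Against the unsalted file the 440-entry table answers every account for free and would do the same for the next stolen file. Against the salted file the attacker spends hundreds of hashes per account for the same result, and every new salt means starting over. The caveat a practitioner should keep in mind: salt removes precomputation and cross-account matching, not the attacker's raw speed against one account. With a fast hash like SHA-1 he can still try millions of candidates per second per salt, which is why current practice pairs a per-user salt with a deliberately slow password hash (bcrypt, scrypt or Argon2) rather than SHA-1.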
Using the same passwords | Do you use the same password over and over again? Do you use it at work, on eBay, on Amazon, for email, at your bank, and when you find that great deal at the "FBN* super store"? Do you know that if you do, you are putting your identity at risk and exposing all of your accounts? One password stolen or phished from the weakest of those sites then opens every one of them. Have you ever heard of "phishing" attacks, where an unsolicited email urges you to visit a site? Be suspicious. My browser warns me of a possible scam whenever it detects a link that says one thing and appears to do another. Hover the mouse pointer over the link and it will show you where it's really taking you. If it looks fishy, particularly if the destination doesn't match the link text, don't go there. We encourage a sort of multi-tier approach to secrecy. You can use a memorable password over and over for sites where security is not an issue: if they don't collect your credit card or bank information, but just want an email address so they can keep in touch, you can use your soft password. For the sites that collect credit cards, account numbers and the like, I tend to use unique passwords, even if I have to write them down and file them with the account statements (never on a sticky note stuck to your desk or monitor). *FBN - Fly By Night |