Recently I was helping a client configure Outlook 2010 to use 4 email addresses I had earlier created. Those email addresses were created using his custom domain on Outlook.com. Instead of logging in and out 4 times to check each account on outlook.com, I told him it would be easier to use Outlook 2010, which came bundled with his PC. Before we started, I had told him to make a note of the password each email account would use because we would be using them in the set-up process. It was at this point he told me that it's “OK” because he uses only one password for all of his on-line accounts. Please note that this is someone who is using these email addresses as contact points for his business. Also note that the business handles all payment options through PayPal and yes, that PayPal account uses the same password.
After my initial reaction of jaw-dropping shock, I asked him if he was really using this password for his other on-line accounts. He said, “Yes”, and that he can't be bothered with remembering different passwords for different accounts. So his personal emails, his Facebook, his LinkedIn, his hosting account for his domain names, everything – same password. If there is a new on-line service to be signed up for, it's the ‘one-for-all’ password he'll be using. People… dear readers, if you are doing this – you need to stop it. Especially if your accounts are handling money or other sensitive (personal) information. The frequency at which the security of an on-line service's password database is breached is almost twice every month. Last week it was eBay, this week it's the Avast users' forum, next week… let's wait and see.
I wonder who amongst my audience remembers the “Heartbleed bug” that became public knowledge in early April? I certainly can't forget, and ‘sys-admins’ will never forget April 2nd, 2014. Most internet users probably remember the emails from their favourite internet service asking them to change their passwords. What I remember was revoking security certificates, waiting for new ones to be issued, invalidating all browser sessions, updating OpenSSL, then applying the new SSL security certificates. The Heartbleed exploit was really bad for web-security. It took advantage of software that is critical to securing communications on every major web-server on the internet. What is worse is that the Heartbleed bug was one of the simpler publicly known methods of breaching a website's security.
Tools of the trade.
Going forward, let me describe a hypothetical scenario in which you sign up for a new on-line service using your old ‘one-for-all’ password. In this scenario we'll assume that the entire password database was stolen by attackers. Since it is the entire password database, your user credentials are just one entry in a collection of millions, nothing special about them. Normally you would think that if this happens there is no immediate danger, because passwords are never stored as text. Instead a “hash” of the password is stored. Normally you'd be correct, because hashing is a one-way process. However, these days hackers have specialized tools to assist them with deciphering a hash:
- Modern GPUs capable of billions of hash calculations per second (Radeon HD7990).
- Specialized software used for quickly parsing through large collections of data (“John the Ripper”, “Ophcrack”, “HashCat”).
- Word lists containing every possible combination of words, letters, numbers and symbols commonly used in passwords.
- ‘Rainbow-tables’, large historical collections of already-deciphered password hashes (imagine 8GB-500GB of plain text!).
OK… continuing. As I had mentioned earlier, passwords are stored as hashes. Think of a hash as a one-way encryption of your password. So a password of “JDaley1984” is stored as e9d1e641c562ae4af9c3b9dbfb3600a954977613, or “Princess2020” becomes 5b39fa77739c27d676e15b45835c3c198e06b903. This hash value is stored with other identifiable pieces of information such as an email address or whatever info was needed to create the on-line account. So the hacker has a list consisting of millions of hashes along with other info, and it is now their task to try and figure out what those hashes translate to. See below example***.
Now that the hacker has the entire password database to decipher, he has to set his computer to iterate over all possible alphabet, number and symbol combinations of varying length between 1-256 characters. Once a string is generated it is hashed, then that hash is compared to the existing hashes in the password database for a match. If no match is found, another string is generated, hashed, then compared. This process is repeated until a match is found for each hash, or until all possible generated strings have been tried without any match. As you can imagine, this can be a lengthy process – ranging from hours to months. Passwords that are longer than 16 characters and contain random alpha-numeric characters and symbols are harder to crack.
In addition to the above method of using a computer's processor and GPU to ‘brute-force’ the guessing of a password string, there are more refined methods of getting results. One of these is a word list – a collection of every possible letter combination, including text-book dictionaries for several languages, religious texts and classical literature books. So instead of a computer spending resources on generating candidate words, it hashes entries from a pre-existing word list and tries to match them. The use of these pre-existing word lists can significantly reduce the time needed to break a password, especially when combining multiple word lists.
The next item in the hacker's arsenal is rainbow-tables – the real ‘heavy-gun’ when it comes to shooting down passwords. They are more efficient than word lists in that, instead of storing characters to be hashed, they store the hashes of characters and passwords obtained from previous security breaches. So a rainbow-table is a pre-existing store of hash values easily reaching sizes exceeding 1TB, containing only the text of the hashes. With this rainbow-attack a hacker's computer is comparing password hash to password hash, making things a lot easier. A password crack that would normally have taken weeks is now achieved in hours. What is worse is that most rainbow tables have a success rate of 99%. So if your password goes up against one, your password will fall.
Now that I have outlined what happens when a hacker gets a database containing your password, let me continue by saying that when an attacker targets the on-line service you are using, they are not after your account specifically. Your account and its password will be just one of millions, nothing special. In the above screenshot of what a password database may look like, notice that the first and last entries share the same hash value. This means that both users share the same characters in their password. So if the hacker (or Hashcat) gets the first password right, he now knows that all other entries with that hash use the same password. That ought to drive home the fact that an attacker does not have to be targeting your password to get your password, especially if your password uses personal information. Say you used the name and birth-date of your first child. Chances are, somewhere else in the world someone else's child shares the same name and birth-date as yours.
So now, just because a hacker broke into the database of that new book club you signed up for, he has access to your email account.
- While browsing through your email account he sees notices from Facebook. The hacker tries the Facebook account using the same password – it works. Access to all your Facebook contacts.
- The hacker then sees a message from your web-hosting provider, mentioning your account name. The hacker tries this newly found username with the same password – it works. Access to your domain registration details and your entire website (database & files).
- The access to your email account reveals that you just paid the book club membership using PayPal. Now the hacker knows you use PayPal, the hacker tries the PayPal account using the same password – it works. Access to your PayPal balance, the hacker transfers it or uses the balance to buy Bitcoins.
The amount of damage a hacker can do is limited only by how much of your personal life is connected to on-line services. All of the above could have been prevented by using different passwords for different accounts. You don't have to remember them all; that's what password managers like LastPass are for. If a hacker gets access to one of your online accounts, let it stop there. A security breach that was beyond your control should never extend beyond that website; there is no need to get your email account involved.
People… please stop using ‘one-for-all’ passwords.
*** In the above examples the MD5 hashing function was used to create the hashes displayed. No company would use that for password hashing. Also similar hashes wouldn’t happen in real-world password hashing because passwords are normally ‘salted’ before hashing. However, it should be noted that Adobe’s password database of 153 million users wasn’t properly salted.
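The two points above, identical hashes for identical passwords and the difference salting makes, in a small added example (my own code, not anything from the post or from any real breach). It builds a constructed "leaked" table two ways, unsalted MD5 as in the footnote versus per-user salt plus PBKDF2, and shows that only the unsalted table leaks duplicate groups and can be resolved by a precomputed word-list lookup; the user rows, word list and round count are all made up.

```python
import hashlib
import os
from collections import Counter

# Constructed sample of "leaked" accounts (not real data). Two users chose the
# same password, the situation the post describes where two rows share a hash.
LEAKED_USERS = [
    ("alice@example.com", "JDaley1984"),
    ("bob@example.com", "Princess2020"),
    ("carol@example.com", "correct horse battery"),
    ("dave@example.com", "JDaley1984"),
]
# Constructed stand-in for a word list of commonly used passwords.
WORD_LIST = ["password", "JDaley1984", "Princess2020", "letmein"]

def unsalted_md5(password: str) -> str:
    """The weak scheme from the footnote: one MD5 per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt=None, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF; the record carries its own salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds: the only way to check it."""
    rounds, salt_hex, _ = stored.split("$")
    return salted_pbkdf2(password, bytes.fromhex(salt_hex), int(rounds)) == stored

def build_table(hash_fn):
    return [(email, hash_fn(pw)) for email, pw in LEAKED_USERS]

def duplicate_hash_groups(table) -> int:
    """Stored hashes that appear more than once; each group reveals that its
    members share a password as soon as any one of them is recovered."""
    counts = Counter(h for _, h in table)
    return sum(1 for c in counts.values() if c > 1)

def precomputed_lookup_hits(table, word_list) -> int:
    """Hash the word list once, then resolve each row with one dict lookup
    (the word-list idea). Salted rows never match: every stored value is unique."""
    lookup = {unsalted_md5(w): w for w in word_list}
    return sum(1 for _, h in table if h in lookup)

if __name__ == "__main__":
    weak, strong = build_table(unsalted_md5), build_table(salted_pbkdf2)
    print("duplicate groups:", duplicate_hash_groups(weak), duplicate_hash_groups(strong))
    print("lookup hits:", precomputed_lookup_hits(weak, WORD_LIST), precomputed_lookup_hits(strong, WORD_LIST))
    print("dave verifies:", verify_salted("JDaley1984", strong[3][1]))
```

Running it prints one duplicate group and three lookup hits for the unsalted table against zero and zero for the salted one, while the salted record still verifies for its owner.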