Monday, August 16, 2010

Fun with passwords

Back in December, a site called RockYou was hacked and the passwords of 30+ million accounts were extracted (apparently by an SQL injection attack). A file was released containing the passwords without the related account identifiers (though the full content, identifiers included, has reportedly been seen). If you wander round the torrent sites you should be able to find the password file. Given that it was extracted by hacking, the legality of downloading and possessing it should be considered in light of whatever jurisdiction you happen to live in or pass through.

Firstly, let's get the "Don't store passwords, store hashes" advice out of the way. Good policy, but not applicable here. Apparently the site connected to MySpace and similar services and needed the plaintext passwords to do so. OpenID and Twitter authentication are better solutions to that problem in general. Oracle has a similar situation with database links, which require passwords: they are stored encrypted (not hashed) because the database actually needs the password to make the connection.

Onto the file itself. The most common passwords have already been widely reported. The Washington Post reports that the most common passwords are, well, what you'd expect common passwords to be. That's the reason they are common. Let's face it, a lot of people will sign up to web accounts with no intention of going back to the site, or of using it for anything important, and will use a simple throwaway password.

Just because they use a simple password on one site doesn't mean they use it for their banking. In fact I'd expect the ones using the more complex passwords are the ones who re-use the same one for their banks, and given this exposure, they are likely to be regretting it.

Some aspects actually appear quite heartening. Out of the 32 million records, there were nearly 8 million unique passwords. So for most people their password uniqueness would be better than "1 in a million". Sure, some were more common than others. The Premier League was well represented, with liverpool, chelsea and arsenal all pretty popular, though manchesterunited was less so, presumably because of the time it takes to type...especially for Man U supporters [who are known to move their lips while they read :)].

The real problem comes because now those 8 million passwords are much less effective. Consider: running orabf on my handy little netbook (built for low power consumption rather than for CPU-intensive tasks), it can chug through 125,000 password attempts a second. That would be around a minute to test all 8 million potential passwords against a username/hash pair from DBA_USERS. The word you are looking for is INSIGNIFICANT.

So if I've got your username and hashed password, and it is one of those 8 million, then consider it cracked. Which means you are no longer trying to avoid a few dozen 'obvious' passwords, but a list of 8 million, including ones with alphanumerics plus special characters.

In theory you can put that list in a dictionary and use an Oracle password verification function to forbid passwords on the list. But that is going to make it pretty hard for your users to find valid passwords they can remember. ["Frenchtoast...taken...JackDaniels...taken...DamnComputer...taken...DBA_I_know_where_u_live....Bingo!"] Then they'll start using passwords that are personal, so won't be on your list. Their car registration number perhaps, or mobile number. Maybe with a suffix or prefix to make it long enough to be valid. While that will be hard for you to lock out, it will actually be easier for anyone who knows them, especially someone they work with.
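The two failure modes above (a leaked word padded out with a digit or two to satisfy a length rule, and a purely personal number such as a mobile number) can both be caught in the same policy check. The following is an added example, not code from the original post or from Oracle: it assumes a constructed handful of leaked passwords in place of the real 8 million entries, and uses a stated heuristic for "looks like a phone or registration number".

```python
import re

# Constructed sample standing in for the leaked list; the real file has
# millions of entries and would be loaded from disk into a set like this.
LEAKED_PASSWORDS = {
    "123456", "password", "liverpool", "chelsea", "arsenal",
    "frenchtoast", "jackdaniels", "damncomputer", "iloveyou",
}

# Leading/trailing runs of anything that is not a letter: the "1!" or
# "2010" a user bolts on to an otherwise banned word to reach the length rule.
_AFFIX = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")

def core_word(candidate: str) -> str:
    """Lower-case the candidate and strip affixes, so 'Chelsea1!' -> 'chelsea'."""
    return _AFFIX.sub("", candidate).lower()

def looks_like_a_number(candidate: str, digit_ratio: float = 0.7) -> bool:
    """Heuristic (an assumption, not a standard): mostly digits suggests a
    mobile number, car registration or similar personal value."""
    digits = sum(ch.isdigit() for ch in candidate)
    return digits >= digit_ratio * len(candidate)

def check_password(candidate: str, leaked=LEAKED_PASSWORDS, min_len: int = 8):
    """Return (accepted, reason) for a proposed password.

    Rejects, in order: too short; on the leaked list verbatim; a leaked
    word with a digit/symbol prefix or suffix; a digit-dominated value.
    """
    if len(candidate) < min_len:
        return False, "too short"
    if candidate.lower() in leaked:
        return False, "on leaked list"
    core = core_word(candidate)
    if core and core != candidate.lower() and core in leaked:
        return False, "leaked word with prefix/suffix"
    if looks_like_a_number(candidate):
        return False, "looks like a phone or registration number"
    return True, "ok"

if __name__ == "__main__":
    for pw in ("liverpool", "Chelsea1!", "07700900123", "correct horse battery"):
        print(pw, "->", check_password(pw))
```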
