ArsTech pwned

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
That stinks but there is an interesting discussion in the comments about the hack and what it means to their user database, specifically the passwords. User epixoip did a nice job covering the has/salting mechanism and debunked people's comments about using an implementation of salted and iterated MD5 hashes (PHPass) in their database.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
[video=youtube_share;8ZtInClXe1Q]http://youtu.be/8ZtInClXe1Q[/video]

I like the video but wish they would have gone a little further in detail on reversing the salted hash when authentication occurs.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,564
Location
I am omnipresent
You don't reverse the hash. You apply a transform along with a "fudge factor" so there's no constant value in the stored hash.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
I get that part. I poorly articulated what I was trying to say. I understand when creating a new password for the first time you take the user-supplied string password and add that with a random salt and then hash that, you get a unique value stored in the database. The next time a person authenticates, they enter their same password...but how does the system know which salt value to retrieve so that it can be added back in with the password to authenticate the proper hash value?
 

sdbardwick

Storage is cool
Joined
Mar 12, 2004
Messages
598
Location
North San Diego County
UserIDSaltSaltedHash
sdbardwick[random digits][hashed (password+salt)]
Salt is stored in database and associated with username, so it will add the proper salt to the entered password before hashing the concatenated password and salt. Salt can even be plaintext.
 

sdbardwick

Storage is cool
Joined
Mar 12, 2004
Messages
598
Location
North San Diego County
UserNameplaintext PasswordSaltSalted HashUnsalted Hash
a1234ade6974841674112
b1234jed5797312674112
c1234twb4797138674112
Totally made up for purposes of illustration
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
Given that it's in the database with the hash, that seems to only address two or more people that have the same password not showing the same hash value in the database, right? If someone breaks in and harvests the database, they have the salt value to still try and use it to do things like dictionary brute-force.
 

sdbardwick

Storage is cool
Joined
Mar 12, 2004
Messages
598
Location
North San Diego County
Given that it's in the database with the hash, that seems to only address two or more people that have the same password not showing the same hash value in the database, right? If someone breaks in and harvests the database, they have the salt value to still try and use it to do things like dictionary brute-force.
Yup. Everything is vulnerable to brute-force attacks (well, perhaps until we have quantum-cryptography) but having salted hashes makes it much more difficult to obtain many passwords. You have to attack each salted hash with straight-up brute force without the benefits of shortcuts like gigantic arrays of precomputed hashes. Password strength is still very important, but that can be enforced by policy when setting up an account.
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
Salts guard against rainbow table attacks. If I can dump a database or LDAP with a bunch of unsalted hashes, I can compare them all to my trusty rainbow table and retrieve a whole bunch of passwords pretty quickly.

This exact thing happened to Linkedin because they weren't using salts.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,511
Location
Horsens, Denmark
I think the most important lesson in the video is to not store passwords at all if you don't have to. Use one of the other systems that offer it (Google, Facebook, etc). I understand there are privacy issues there, but it seems to be the least evil.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,564
Location
I am omnipresent
Third party authentication is a mess all its own and to be honest I'm not sure that doesn't just obscure the problems rather than correct them. Not everyone wants to trust Google, Microsoft or Facebook.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,564
Location
I am omnipresent
There have at times been open identification schemes that aren't tied to somebody's walled garden, but of course none of them took off. But the whole point of the internet should not be "Require everyone to make a Facebook account" or even "Require everyone on the internet to use their real name for everything." Passing the buck on the fundamental assumption of programmer/admin incompetence really speaks to how the gentleman in the video regards the capabilities of his peers.
Not to say there aren't good reasons to have federated logins and not to say there isn't some value in having logins with mega-scale internet services, but the concept of identity on the internet is deeper and more important than just a username and a password on a web site.
 
Top