ArsTech pwned
- Thread starter Newtun
- Start date
That stinks but there is an interesting discussion in the comments about the hack and what it means to their user database, specifically the passwords. User epixoip did a nice job covering the has/salting mechanism and debunked people's comments about using an implementation of salted and iterated MD5 hashes (PHPass) in their database.
ddrueding
Fixture
[video=youtube_share;8ZtInClXe1Q]http://youtu.be/8ZtInClXe1Q[/video]
I like the video but wish they would have gone a little further in detail on reversing the salted hash when authentication occurs.
Mercutio
Fatwah on Western Digital
You don't reverse the hash. You apply a transform along with a "fudge factor" so there's no constant value in the stored hash.
I get that part. I poorly articulated what I was trying to say. I understand when creating a new password for the first time you take the user-supplied string password and add that with a random salt and then hash that, you get a unique value stored in the database. The next time a person authenticates, they enter their same password...but how does the system know which salt value to retrieve so that it can be added back in with the password to authenticate the proper hash value?
sdbardwick
Storage is cool
| UserID | Salt | SaltedHash |
| sdbardwick | [random digits] | [hashed (password+salt)] |
sdbardwick
Storage is cool
| UserName | plaintext Password | Salt | Salted Hash | Unsalted Hash |
| a | 1234 | ade | 6974841 | 674112 |
| b | 1234 | jed | 5797312 | 674112 |
| c | 1234 | twb | 4797138 | 674112 |
Given that it's in the database with the hash, that seems to only address two or more people that have the same password not showing the same hash value in the database, right? If someone breaks in and harvests the database, they have the salt value to still try and use it to do things like dictionary brute-force.
sdbardwick
Storage is cool
Yup. Everything is vulnerable to brute-force attacks (well, perhaps until we have quantum-cryptography) but having salted hashes makes it much more difficult to obtain many passwords. You have to attack each salted hash with straight-up brute force without the benefits of shortcuts like gigantic arrays of precomputed hashes. Password strength is still very important, but that can be enforced by policy when setting up an account.
timwhit
Hairy Aussie
Salts guard against rainbow table attacks. If I can dump a database or LDAP with a bunch of unsalted hashes, I can compare them all to my trusty rainbow table and retrieve a whole bunch of passwords pretty quickly.
This exact thing happened to Linkedin because they weren't using salts.
This exact thing happened to Linkedin because they weren't using salts.
ddrueding
Fixture
I think the most important lesson in the video is to not store passwords at all if you don't have to. Use one of the other systems that offer it (Google, Facebook, etc). I understand there are privacy issues there, but it seems to be the least evil.
Mercutio
Fatwah on Western Digital
Third party authentication is a mess all its own and to be honest I'm not sure that doesn't just obscure the problems rather than correct them. Not everyone wants to trust Google, Microsoft or Facebook.
Bozo
Storage? I am Storage!
Amen
Mercutio
Fatwah on Western Digital
There have at times been open identification schemes that aren't tied to somebody's walled garden, but of course none of them took off. But the whole point of the internet should not be "Require everyone to make a Facebook account" or even "Require everyone on the internet to use their real name for everything." Passing the buck on the fundamental assumption of programmer/admin incompetence really speaks to how the gentleman in the video regards the capabilities of his peers.
Not to say there aren't good reasons to have federated logins and not to say there isn't some value in having logins with mega-scale internet services, but the concept of identity on the internet is deeper and more important than just a username and a password on a web site.
Not to say there aren't good reasons to have federated logins and not to say there isn't some value in having logins with mega-scale internet services, but the concept of identity on the internet is deeper and more important than just a username and a password on a web site.