Not two weeks ago, LinkedIn made big data breach news when hackers claimed to have more than 100 million usernames and passwords up for sale.
Fortunately, the data wasn’t new, coming from a breach that happened four years ago.
What was new was the size of the list that was up for sale, nearly 20 times the size of the 6.5 million passwords that were reported to have been stolen back in June 2012.
The LinkedIn breach was made worse by the way the passwords were stored, using unsalted SHA-1 hashes.
What that means is that although LinkedIn didn’t keep your actual password, it didn’t do enough to secure it against a breach.
Not tough enough
LinkedIn simply computed a SHA-1 cryptographic hash of your password and stored the hash instead, so that anyone who chose PASSWORD, for example, would end up with a hash of 112b b791 3047 91dd cf69 2e29 fd5c f149 b35f ea37.
Even though attackers can’t use a mathematical algorithm to go backwards automatically from a hash to its input value, they can go forwards at enormous speed, trying out passwords from a huge list by churning out their hashes one after the other.
Modestly-priced cracking servers (modest for nation-states and cybercriminal gangs, at least) can process hundreds of thousands of millions of SHA-1 calculations per second.
That’s fast enough to try out all possible 10-character upper case passwords in well under an hour.
Also, modern password cracking software doesn’t blindly go from AAAAAAAAAA to ZZZZZZZZZZ, but knows that PASSWORD is more likely than OSTEOPATH, which is in turn more likely than VNNQMVHZJL.
Current best practice is to “stretch” each password before storing it by hashing it repeatedly, typically thousands or tens of thousands of times, so that any sort of try ’em all attack takes correspondingly longer to pull off.
Worse still, hashing raw passwords directly means that as soon as one cracker knows that OSTEOPATH comes out as 075b 3a59 32b4 8df1 13e3 9ba4 df41 954b 2419 e705, he can tell everyone else, so that cracking a password for the second time is as simple as looking it up in a giant list of known hashes.
Current best practice is to generate a random “salt” (so called because it spices up the output) that is combined with the password before you start hashing, so that even identical passwords produce different outputs, and so every salt-plus-password combination has to be cracked independently.
Well, it’s happened again.
This time, the breach is said to come from MySpace, and the number of passwords claimed is an eye-popping 427 million.
Apparently, there are only 360 million users on the list, but some accounts have more than one password listed, for reasons that aren’t explained.
Once again, the passwords allegedly exposed in this breach were simple, unsalted SHA-1 hashes, vulnerable to just the same sort of high-speed try ’em all attack as in the LinkedIn breach of 2012.
According to Leaked Source, lots of passwords have already been cracked, with the top 50 choices so far accounting for more than 6 million passwords, or 1.5% of the total.
Interestingly, password1, abc123 and the entirely-expected 123456 come in second, third and fourth respectively.
Top place is the unusual (but nevertheless easily-cracked) password homelesspa, attached to more than 850,000 accounts that Leaked Source suggests were created by some sort of automated process, presumably orchestrated by a gang of scammers to use for nefarious purposes.
Is it true?
Of course, password breach stories aren’t always all they seem to be.
We recently wrote about a claim that more than 250 million accounts were breached, allegedly belonging to users of services from Mail.ru (Russia’s most popular email provider), Google, Yahoo and Microsoft.
In the end, it looks as though the data in this breach was either so out-of-date as to be useless, or made up in the first place.
But journalists at Motherboard claim to have sent Leaked Source five email addresses of MySpace accounts to which they knew the passwords…
…and to have received the actual passwords back in return, implying that at least some of the leaked data is both genuine and current.
What to do?
- Change your password as soon as you suspect that an account may have been breached, either because the password was stolen from you, or because a hash of the password was stolen from the service provider and could be cracked. The sooner you change it, the shorter the window during which crooks can attack your account.
- Pick proper passwords. Even if a service provider doesn’t salt-hash-and-stretch your passwords properly, a strongly-chosen password will hold out against crackers longer than obvious choices such as dictionary words with digits tacked on the end.
- If you run an online service, store your users’ passwords securely. Your authentication database shouldn’t get breached in the first place, of course, but you should nevertheless make things much harder for crackers in case you do get breached.
- Patch early, patch often. If you’re a user, a patched system is less likely to be infected by malware that steals your passwords as you type them in; if you’re a service provider, a patched system is less likely to be penetrated by hackers looking for internal “trophy data” such as authentication databases.
- Consider using two-factor authentication (2FA) if it’s available. 2FA typically involves a one-time code that you use along with your password when you log in.
2FA codes might be sent to you via SMS, or generated by a dedicated app on your phone, and they’re different every time, so your password alone just isn’t enough to access the account.
Generally speaking, 2FA is a minor hassle to use, but a major obstacle for the crooks, so we recommend it.