Yahoo!’s password breach implications

Users can learn from this breach, and Yahoo! can, as well.

Last week, a group of allegedly benign attackers downloaded about 450,000 Yahoo! users’ passwords. (To see if your Yahoo! password was compromised, go to labs.sucuri.net.) This worries me: did Yahoo! store unencrypted passwords on its servers, and they were simply downloaded intact? I sure hope not! Or were the 450,000 password hash keys downloaded, attacked with cracking programs, and the passwords were recovered from the password hash keys?

How sites should handle passwords:

Password hashing

[Diagram: how a hashed password is used by companies to secure user details. Drawing: Pluke]

Trustworthy sites will, when you create a password, submit your password to a one-way algorithm to create a “password hash key”, and then discard your password. The site stores this password hash key — not your password. When you next attempt to log in to your account, the password that you type on your keyboard is submitted to the same one-way algorithm to create a password hash key, and that is compared to your account’s stored password hash key. The beauty of this system is that even if someone steals your password hash key, they still don’t have your password. To recover it from your password hash key, they’ll try three methods:

  1. The most popular way to obtain the original password from a password hash key is the dictionary attack: common words are tried until the password hash keys match. (This is why you shouldn’t use common words for your password. If you have, it will be discovered within seconds.)
  2. Next, the crackers will try an attack that exploits known weaknesses in older hashing algorithms. This succeeds only if the site has used a weak hashing algorithm.
  3. If the first two attacks fail, the cracker next tries a brute-force attack. This just tries every character in every position, sequentially, until the password hash keys match. If your password is 3 characters in length, this won’t take long. Each time you increase your password length by just one character, you exponentially increase the time required by the cracker.
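The following is an added example, not code from the post, showing the scheme described above in working Python: a one-way, salted hash is stored instead of the password, a login attempt is re-hashed and compared, and a sign-up check rejects the very passwords that top the breach table below. The choice of PBKDF2-SHA256 with 200,000 iterations and a 12-character minimum is this example's own assumption; the function names are hypothetical. The last function shows, on a deliberately weak unsalted MD5, why a dictionary attack against common words finishes in seconds.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed list: the ten most common passwords from the breach table in the post.
COMMON_PASSWORDS = {
    "123456", "password", "welcome", "ninja", "abc123",
    "123456789", "12345678", "sunshine", "princess", "qwerty",
}

# Work factor for PBKDF2 (assumed value). Higher = slower for the site on each
# login, but equally slower for a cracker on each guess.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way transform. Returns (salt, hash); the password itself is never stored."""
    if salt is None:
        # A per-user random salt means two users with the same password get
        # different hashes, and precomputed tables are useless.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: re-hash the typed password with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def is_weak_password(password: str, min_length: int = 12) -> bool:
    """Sign-up check: refuse known-common passwords and anything short enough to brute-force."""
    return password.lower() in COMMON_PASSWORDS or len(password) < min_length


def unsalted_md5_hex(password: str) -> str:
    """The WEAK way: a fast, unsalted hash. Shown only to illustrate the attack below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_attack_unsalted(target_hex: str, wordlist) -> Optional[str]:
    """Why weak hashing of a common word falls instantly: one cheap hash per guess,
    no salt, so the first matching dictionary word reveals the password."""
    for word in wordlist:
        if unsalted_md5_hex(word) == target_hex:
            return word
    return None


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, stored))
    print("login with 123456 ok:", verify_password("123456", salt, stored))
    print("'ninja' rejected at sign-up:", is_weak_password("ninja"))
    print("unsalted md5 of 'sunshine' cracked as:",
          dictionary_attack_unsalted(unsalted_md5_hex("sunshine"), COMMON_PASSWORDS))
```

Note the asymmetry the example makes visible: the slow, salted hash costs the site one PBKDF2 computation per login, while the cracker pays that same cost for every single guess against every single user, whereas the unsalted MD5 case is broken by a ten-word list.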

After stealing the 450,000 password hash keys, did the crackers then crack all of the password hash keys? Or <shudder> did Yahoo! store the unencrypted passwords on its servers? I find that hard to believe. Maybe Yahoo!’s password hashing algorithm was weak. I don’t know. In any case, this breach isn’t good for Yahoo!’s public relations.

Of the 450,000 compromised passwords, the most popular were:

Rank  Password    Occurrences  Percent
  1   123456         1666       0.38%
  2   password        780       0.18%
  3   welcome         436       0.10%
  4   ninja           333       0.08%
  5   abc123          250       0.06%
  6   123456789       222       0.05%
  7   12345678        208       0.05%
  8   sunshine        205       0.05%
  9   princess        202       0.05%
 10   qwerty          172       0.04%


Moral

Don’t use these easily guessed passwords! They’re like leaving your house key under the door mat. And use a different password on each site. That way, if your email password is compromised, it can’t be used to log in to your bank account. To manage all of my passwords, I use Keepass. Roboform and LastPass also have plenty of fans.

Update, 21 July: My worst fears confirmed

Apparently all of these passwords remained in clear text and were stored in a Yahoo! SQL database. This is a real no-no. No wonder Yahoo! has replaced its CEO.

I guess that all 450,000 passwords were associated with a Yahoo! voice service. A well-known SQL injection attack “liberated” them.
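Added example, not code from the post, for the two failures the update names: passwords sitting in clear text in a SQL table, and a query that lets user input rewrite the SQL. It builds a constructed in-memory SQLite user table in Python, stores only a salted PBKDF2 hash (the iteration count is an assumed value), and puts a lookup that splices input into the query text beside the parameterized form. The function names and the sample users are this example's own.

```python
import hashlib
import os
import sqlite3
from typing import List, Tuple

ITERATIONS = 200_000  # assumed PBKDF2 work factor


def open_db() -> sqlite3.Connection:
    """Constructed user table. The password column holds a salted hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Hash at sign-up; the clear-text password is discarded once the row is written."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, pw_hash))
    conn.commit()


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """DON'T: input is pasted into the SQL text, so a quote in the input edits the query."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """DO: a parameterized query. The driver passes the input as data, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def dump_password_column(conn: sqlite3.Connection) -> List[Tuple[str, bytes]]:
    """What someone who copies the whole table obtains: salted hashes, not passwords."""
    return [(row[0], row[1]) for row in conn.execute("SELECT username, pw_hash FROM users")]


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "correct horse battery staple")
    add_user(db, "bob", "sunshine")
    crafted = "x' OR '1'='1"
    print("vulnerable lookup returns:", find_user_vulnerable(db, crafted))
    print("safe lookup returns:", find_user_safe(db, crafted))
    print("table dump:", [(u, h.hex()[:16] + "...") for u, h in dump_password_column(db)])
```

With the parameterized query the crafted username simply matches no row; with the spliced query the same input becomes part of the SQL and returns every user. Either way, the dumped column is hashes, which is what the post says Yahoo! should have had on disk.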

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

Learn about the Internet’s infrastructure

[Photo: an FC/PC fiber-optic connector. Photo: Srleffler]
Author of new book, Tubes, interviewed.

The Internet knits today’s society together, yet most of us aren’t familiar with exactly what comprises “The Cloud”. Last month, NPR’s Terry Gross interviewed Andrew Blum, the author of a new book, Tubes, A Journey to the Center of the Internet. The book explores the hardware infrastructure that instantly transports data across the globe. Ms. Gross asks the questions that any layperson would ask, and the author replies with amusing stories of his adventures inside the Internet’s data centers, points of presence, repeater huts, and cross-connect centers.

I found Mr. Blum’s descriptions to be easy to understand. I’ve worked inside similar facilities and don’t think that I could describe their components so clearly.

Much of the Internet is built atop older telephone and telegraph infrastructure. (Likewise, American highways are built atop the trails that were blazed by Indians a thousand years ago.) Fiberoptic cable often shares the conduit, cable trays, and trenches where 100-year old lead-sheathed oil-impregnated paper-insulated copper cable still resides.

Click here to read the brief article and/or listen to the 25 minute interview.
