Last week, a group of allegedly benign attackers downloaded about 450,000 Yahoo! users’ passwords. (To see if your Yahoo! password was compromised, go to labs.sucuri.net.) This worries me: did Yahoo! store unencrypted passwords on its servers, and they were simply downloaded intact? I sure hope not! Or were the 450,000 password hash keys downloaded, attacked with cracking programs, and the passwords were recovered from the password hash keys?
How sites should handle passwords:
[Diagram: how a hashed password is used by companies to secure user details]
Trustworthy sites will, when you create a password, submit your password to a one-way algorithm to create a “password hash key”, and then discard your password. The site stores this password hash key — not your password. When you next attempt to log in to your account, the password that you type on your keyboard is submitted to the same one-way algorithm to create a password hash key, and that is compared to your account’s stored password hash key. The beauty of this system is that even if someone steals your password hash key, they still don’t have your password. To recover it from your password hash key, they’ll try three methods:
- The most popular way to obtain the original password from a password hash key is the dictionary attack: common words are tried until the password hash keys match. (This is why you shouldn’t use common words for your password. If you have, it will be discovered within seconds.)
- Next, the crackers will try an attack that exploits known weaknesses in older hashing algorithms. This succeeds only if the site has used a weak hashing algorithm.
- If the first two attacks fail, the cracker next tries a brute force attack. This just tries every character in every position, sequentially, until the password hash keys match. If your password is 3 characters in length, this won’t take long. Each time you increase your password length by just one character, you exponentially increase the time required by the cracker.
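As an added example that is not from the original post, here is the store-and-compare scheme described above, written in Python. It goes beyond the text in two ways: it adds a random per-user salt, so that two accounts with the same password get different stored records and one dictionary run cannot be reused against all 450,000 hashes at once, and it uses a deliberately slow iteration count so that every brute-force guess costs the cracker real time. The record layout and the iteration count are assumptions, not any site's actual settings.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters of the one-way step. PBKDF2-HMAC-SHA256 ships in Python's
# standard library; the iteration count is a hypothetical, deliberately slow setting.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Turn a password into the only thing the site stores: a hash record.

    The record holds the algorithm, iteration count, per-user random salt
    and the derived key. The password itself never appears in it.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-run the one-way step on the typed password and compare the results.

    The salt and iteration count are read back from the stored record so the
    same derivation is reproduced; compare_digest avoids a timing side channel.
    """
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), stored_hex)


if __name__ == "__main__":
    # Constructed sample: the site keeps `record`, never the password.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("password123", record))                   # False
```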
After stealing the 450,000 password hash keys, did the crackers then crack all of the password hash keys? Or <shudder> did Yahoo! store the unencrypted passwords on its servers? I find that hard to believe. Maybe Yahoo!’s password hashing algorithm was weak. I don’t know. In any case, this breach isn’t good for Yahoo!’s public relations.
Of the 450,000 compromised passwords, the most popular were:
Don’t use these easily guessed passwords! They’re like leaving your house key under the door mat. And use a different password on each site. That way, if your email password is compromised, it can’t be used to log in to your bank account. To manage all of my passwords, I use Keepass. Roboform and LastPass also have plenty of fans.
Update, 21 July: My worst fears confirmed
Apparently all of these passwords remained in clear text and were stored in a Yahoo! SQL database. This is a real no-no. No wonder Yahoo! has replaced its CEO.
I guess that all 450,000 passwords were associated with a Yahoo! voice service. A well-known SQL injection attack “liberated” them.