| Author |
 Topic  |
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
 Posted - 01 July 2011 : 04:22:10
|
I just read this:
http://codahale.com/how-to-safely-store-a-password/
Perhaps this is useful as an update to Snitz?
We do not incorporate any salting, do not enfore a minimum password length or complexity and use stock-SHA algorithms.
This makes our Snitz cookies pretty vulnerable to CUDA attacks.
So, some food for thought.
quote:
How To Safely Store A Password
31 Jan 2010
Use bcrypt
Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt. Use bcrypt.
Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?
These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbish for storing passwords.
A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.
And that's without investing anything.
If you're willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. And that rate you'll be cracking those passwords at the rate of more than one per second.
Salts Will Not Help You
It's important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn't affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
Salt or no, if you're using a general-purpose hash function designed for speed you're well and truly effed.
bcrypt Solves These Problems
How? Basically, it's slow as hell. It uses a variant of the Blowfish encryption algorithm's keying schedule, and introduces a work factor, which allows you to determine how expensive the hash function will be. Because of this, bcrypt can keep up with Moore's law. As computers get faster you can increase the work factor and the hash will get slower.
How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password yaaa in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a microsecond.
So we're talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so. Your passwords might not need that kind of security and you might need a faster comparison algorithm, but bcrypt allows you to choose your balance of speed and security. Use it.
tl;dr
Use bcrypt.
Updated February 24th, 2011
I've been getting pretty regular emails about this article for the past year, and I figured I'd address some of the concerns here rather than have the same conversations over and over again.
Isn't bcrypt just Blowfish? Where do you store the password?
Please read the Provos & Mazières paper. bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm.
You said salts aren't helpful, but what about rainbow tables? Why would you suggest people not use salts?
As the Provos & Mazières paper describes, bcrypt has salts built-in to prevent rainbow table attacks. So I'm not saying salts are without purpose, I'm saying that they don't prevent dictionary or brute force attacks (which they don't).
Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are #8804;7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.
Given this massive shift in the economics of cryptographic attacks, it simply doesn't make sense for anyone to waste terabytes of disk space in the hope that their victim didn't use a salt. It's a lot easier to just crack the passwords. Even a "good" hashing scheme of SHA256(salt + password) is still completely vulnerable these cheap and effective attacks, thus the importance of an adaptive hashing algorithm like bcrypt.
|
portfolio - linkshrinker - oxle - twitter |
|
|
SiSL
Average Member
Turkey
671 Posts |
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 01 July 2011 : 08:48:23
|
| Well, I'm not sure if it really increases the serverload in normal use; the SHA algorithm isn't executed on every page load, only when logging on, as the password check just checks the cookie stored hash with the db stored hash. |
portfolio - linkshrinker - oxle - twitter |
 |
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 01 July 2011 : 11:49:50
|
I've been thinking about this a lot myself, and it comes down to a couple things:
1. We should be salting the hash somehow, and maybe even re-hashing it a few times for good measure. I've been pondering if there is a way to do this such that adding it on to an existing install won't require a mass password reset.
2. No matter what encryption method we use, the root issue is the problem of side-jacking the cookie (or at least the information in the cookie). Using bcrypt or any other method won't stop side-jacking, and a salted SHA256 is no more or less safe from brute force if the salt is well chosen and user-selectable (to keep the attacker from downloading the source from here and finding the salt in the code).
3. It doesn't matter how fast the server can calculate a hash if the user doesn't select a quality password - and we can't really force them to. We can put some metrics on passwords that increase the potential security, but the more metrics we put in place, the easier we make it for the hacker to limit the field of possibilities. Right now they'd have to test everything from a one-character password to whatever the max allowable value for the text box.
If we enforce a strict minimum, we narrow the field of possibilities an attacker needs to take and we thus help them in breaking in.
I'd ramble on, but my break is almost over... |
|
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 04 July 2011 : 04:42:44
|
One thing on forehand ; it's not about preventing side-jacking the cookie ; if you have the cookie with the right hash, you're able to exploit that.
However, the most important thing is that we make sure the password the user has chosen is not revealed, as that password is of more value than the forum-session itself.
Usergenerated passwords tell a lot about a user and are often used in multiple places. Yes, I know, that's a bad habit, but this is the way users are.
Keeping 1-8 character passwords safe is however possible.
1 - A mass password reset is inevitable ; just inform your users via mail (or information on the site) and have them use the reset-password feature.
2 - The salt shouldn't be hardcoded ; it should be defined by the administrator from a range of selectable difficult salts (that also garble/obfuscate the password prior to encoding), plus a number 0-100 for the hashing iterations, plus a couple of charactersalts.
Just to explain how this helps, here's what happens with 2 salts and 3 iterations, with the simple password "password".
- run 1, input "password" using default SHA256, no salt: output 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Note: this value will be shown in any rainbow table.
- run 2, input uCase("5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8") using default SHA256, no salt: outcome: "c9d3da531d5f49f7570ae4a5b3c2633aed75a0e55a7803b0cb1d4fb86ea4734e"
This hash may exist in a rainbow table, but it will certainly not match the input string....ergo no match when used to log on.
- run 3, input salt 1 + "c9d3da531d5f49f7570ae4a5b3c2633aed75a0e55a7803b0cb1d4fb86ea4734e" + salt 2, outcome "e2f4feb8629b291c7491c5fbdc6726a0bc5f34d63aa6d3be200670933103135b".
If this last one is in any rainbow table, the end result still will only match the outcome of the previous round prefixed with the first salt and suffixed with the second salt.
As the attacker does not know the number of iterations, nor the two salts, the attacker will not be able to tell the difference between the salts and the actual input for iteration 2....ergo ; the password is safe.
3 Testing ANY password up to 8 characters in a brute force attack just takes minutes on a CUDA environment, as long as the algorithm and the salt method is known.
However, without knowing the salting method (and the salt itself) and the number of hashing iterations, it's not possible to crack anything, unless you bruteforce your way into the forum itself. However, that is limited to let's say 10000 tries per second. If you try to log on that often to the site, IIS will break down most likely....also, with that speed, you will still need years and years and years to actually find out a users password.
However, as a safeguard we could still build in the feature that the number of false passwords is tracked and that the user is locked out when that number reaches for instance 20.
Then there is absolutely no way to brute-force your way in, nor to acquire the password. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 04 July 2011 08:12:05 |
|
|
|
Maxime
Average Member
France
521 Posts |
Posted - 04 July 2011 : 05:40:59
|
I followed your posts for scripting, and hash of the password. You think another mod to change the system hash of the forum and if so, you explain the method to use for our forum members whether to retype the password with the new hashing method.
I'm a security paranoid, I volunteer firefighters, so it is anchored in me.  
Thank you very much for the explanation |
Cordially,
Maxime
Taxation consists in so plucking the goose to get the most out of feathers with the least possible cries.(Jean-Baptiste Colbert)
|
|
|
|
StephenD
Senior Member
Australia
1044 Posts |
Posted - 04 July 2011 : 09:21:16
|
| Sounds good to me! Not passwords or CC details but I've actually triple hashed some data I needed storing in the db to satisfy my own paranoia Marcel so I know where you are coming from. |
|
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 04 July 2011 : 10:29:50
|
Just a thought about a possible attempt on salting the password.
Let's say we have 3 admin defined salt-strings.
- 1Apples
- Orange!
- MELONS!
Then we have one usergenerated password
- "password"
First iteration: mix the usergenerated password with the 1st salt, character by character.
So "password" + "1Apples" turns into "1pAapspslweosrd"
Hash "1pAapspslweosrd" -> outcome: "9064883f102f16ea93dcfd1afa391891de68c7f4f3e7afd7196718a9a3a6e8a5"
Second iteration: mix the hash with the second and third salt.
"9064883f102f16ea93dcfd1afa391891de68c7f4f3e7afd7196718a9a3a6e8a5" + "Orange!" + "MELONS!" ->
"O9r0a6n4g8e8!3f102f16ea93dcfd1afa391891de68c7f4f3e7afd7196718a9a3MaE6LeO8Na5!"
Third iteration:
Hash the outcome of the previous iteration and store this.
Outcome: "87e08ff6074b26f59889b214fbe9d664aaa664ca3cd603759abc4bdd2ba42c6f"
CUDA or not, you'll *never* be able to get back to the original chosen password "password", unless you know the three salts plus the way they are used and how many iterations are used.
You could alternatively also use the username and member-id as a usergenerated salt, obfuscated by a function, for example uCase(strReverse(memberid&membername&memberid)).
That way the pattern will be even less recognizable, as a different salt pattern is used with every account. |
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 04 July 2011 10:34:10 |
|
|
|
Etymon
Advanced Member
United States
2383 Posts |
Posted - 05 July 2011 : 02:21:20
|
| Thank you Marcel for bringing this up! |
|
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 05 July 2011 : 11:28:28
|
Marcel, we're not exactly arguing anything different, just minor details.
I'm not suggesting a hard-coded value from the source, but I am suggesting that it be a config variable that is not stored in the database or in the app variables. It could be two or three salts configured when the site admin sets up the database connection - that way the only way for a hacker to know the salt is to have access to that particular fourm's code - which is a bigger problem.
If the password is hashed multiple times, maybe we ought to run it through straight the first go round (also gives us a starting point for in-place upgrades without forcing the users to re-set their passwords), and then hash the hash with the first salt, etc. Rinse, Repeat. |
|
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 06 July 2011 : 07:50:00
|
Agreed ; just put the salting code in config.asp, close to the db connection.
That way it's easy to "force" an admin to configure it.
Three salt variables that have to be uncommented and filled by the admin.
Three or more salt+hash code variations of which only one may be uncommented by the admin.
One variable that represents the number of hashing iterations, default commented and set to 3.
In inc_sha256.asp, only the function SHA256(sMessage) would need to be updated to use the selected salts and the selected salt+hashing methods, plus the number of iterations. |
portfolio - linkshrinker - oxle - twitter |
|
|
|
golfmann
Junior Member
United States
450 Posts |
Posted - 27 July 2011 : 16:42:28
|
Will all this change upon HTML5 going widespread?
(I've been reading up on it and it looks, for now.... like it will change the world, again.)
Kind of exciting, really and it won't be long now till it all changes again, I think.
take care and see you on the tablets.. lol |
|
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 27 July 2011 : 17:19:11
|
| One has nothing to do with the other. SHA256 hashing is all on the server-side, whereas HTML5 is all about what is sent to the client. At best, HTML5's local storage could influence what is and is not stored in a cookie and/or the session variables. |
|
|
|
golfmann
Junior Member
United States
450 Posts |
Posted - 27 July 2011 : 19:10:35
|
| oh, I obviously didn't know. Thanks... |
|
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 28 July 2011 : 11:26:35
|
Not a problem. I wouldn't hold my breath waiting for HTML5 to change the world - so far it's been heavy on promise and light on delivery. It will likely change things greatly, just not in the short-term.  |
|
|
|
golfmann
Junior Member
United States
450 Posts |
Posted - 28 July 2011 : 13:32:16
|
That's what I said about DOS and windows, and You tube, and Facebook and google and....
I'm gonna try and watch this one more closely, I think 
Anyway, thanks for the insights and the rest. |
|
|
| |
Topic |
|
|
|
Replacing SHA256
