Security Basics mailing list archives
Re: SQL Storing Passwords?
From: Davin Enigl <davinenigl () comcast net>
Date: Tue, 04 Sep 2012 09:58:03 -0700
Alexander is correct in many ways, but there are a few things you must remember (if you are a naturally paranoid computer security officer). #1. Two salts are better than one. A salt stored on the same server as the password is less secure, than two salts: one salt on the password server and one (master salt) on a different corporate server (say, a hardware security module). The corporate salt is added to the password's normal salt and the password is hashed. A double salted hash is now becoming quite common in high security corporations due to all the breaches. It buys more time to change passwords, the reason is attack in my #3, below. #2. Here we also have a problem of which hash to use. All MD-5 hashes (128-bit) have preimaged (and are in a rainbow tables). The next hacker attack was/is continuing on salts. I estimated the large criminal organizations and governments have preimaged all salts up to 64-bits (8 bytes), for MD-5. They would need to go up to 128-bits to be really effective. I do not think they will go further that 64-bits because it's too costly in time, memory, search-time. The new SHA-3 is soon to be standardized -- that should put the attack surface on to SHA-1 and SHA-2, away from MD-5 (because it should be "end-of-life"-ed). There are three solutions: A. Salt with a higher bit length. I recommend 128-bits minimum. You said 40 characters for the key. I usually estimate the entropy at 4-bits per symbol, so 40 x 4 = 160-bits. This means the developer may have used an SHA-1 hash to match the SHA-1 160-bit length. If so, good for you. That should be enough. B. Hash with a longer length hash. Since SHA-1 is the next target, I recommend SHA-256 with a minimum 128-bit salt. This will eventually change to SHA-3 plus 128-bit salt. I do not think adding a longer salt that 128-bits will be needed. 128-bits hides inside 256-bit hashes well enough (see #3 exception below). C. Requiring the hashes go through PBKDF2 iterations set to 10,000 or so, helps a lot. #3. Attack on hashed and salted low entropy passwords: Here is another problem not usually talked about. Usually a weak (low entropy) password can be strengthened by hashing with a salt. That is good and is normally done. You must assume common passwords even if high entropy, are still weak: Crack this EXAMPLE: qw-0p-a5-k1-zx-nM That was easy to crack, yet it's technically high entropy. It's jus the corners of the keyboard with some leet and dashes. English (any language, even Sanskrit) words are only 1.5 entropy, very low, weak, plus there are straight dictionary attacks, leet, dashes, spaces, etc. The problem is there are password lists (100 million most used passwords) that are the first to be rainbow-tabled. And now, they can be extended to their salts with GPU arrays, in rainbow tables with salts up to, say 64 bits. And here is an exception, the lists can go beyond 64, to 128, to 160, to 256 if you have the time and energy (and can guess a little. Poor PRNG were just discovered for SSL/TLS primes.) It's a chosen-plaintext preimage attack with "chosen" salt bit length. Therefore that computational infeasibility comes down from MD-5's 2^128, to 2^128/2. Then adding the Merkle-Damgard weaknesses a poor PRNG and it comes down to maybe 2^48 -- which is cracked by GPU-array eventually. I saw one cracked in 3 days and another in 3 weeks. Feel lucky? So, bottom line: hash, salt, double salt, find the breach quickly and change the passwords. Use *high* entropy passwords TO START WITH. EVEN BETTER: use a pre-authentication password with a static Yubikey for two-factor authentication or a one-time-code Yubikey. Or something similar to a Yubikey, that is time-based. Passwords are on LIFE-SUPPORT and dying fast. No amount of chemotherapy will save them. --Davin Enigl On 09/04/2012 04:38 AM, Alexander Meesters wrote:> Well, now if somebody want to crack them using rainbow tables, then
need to regenerate the rainbow table every time the user changes. This will really slow down the whole process of cracking and might even make the unsub give up the project as a whole. At least it will buy you some time to get users to change the passwords once you detected your breach.
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: SQL Storing Passwords? Gautam (Sep 04)
- Re: SQL Storing Passwords? Alexander Meesters (Sep 04)
- Re: SQL Storing Passwords? khushal201301 (Sep 04)
- Re: SQL Storing Passwords? Davin Enigl (Sep 04)
- Re: SQL Storing Passwords? Jeffrey Walton (Sep 04)
- Re: SQL Storing Passwords? Davin Enigl (Sep 05)
- Re: SQL Storing Passwords? Alexander Meesters (Sep 04)