As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords.

That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app. The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site.

Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past. Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by pasting the corresponding MD5 hash into Google.

Crude but effective

Further Reading: Why passwords have never been weaker-and crackers have never been stronger

Short passwords are especially prone to cracking by brute force, a technique that tries all possible combinations of numbers, letters, and special characters until the specific one protecting a compromised account is tried. As if many users' approach to password selection weren't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking." By counseling users to choose short passwords, Lifeboat operators made this crude cracking approach feasible. After all, a six-character password that uses letters and numbers has just 62^6 possible combinations. An 11-character password with letters and numbers has 62^11 combinations, making it out of reach by brute-force methods.

The advice is compounded by the reliance on unsalted MD5 hashes to obscure the password plaintext. MD5 was designed to be extremely fast and require minimal computation. In years past, those were good attributes that gave a performance boost to inexpensive hardware. But as computers have grown increasingly powerful, the same qualities make MD5 a liability. The fact that the hashes were unsalted, meaning the plaintext passwords weren't combined with a value that was unique for each account, makes the cracking process go much quicker and require less computation. Because salting ensures that each stored hash is unique even if two users choose the same passcode, each hash in a compromised table must be cracked separately, even if they mask one or more identical plaintext passwords.
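To put numbers on the keyspace figures above and to show concretely why an unsalted MD5 table lets one crack unlock every account that shares a password, here is an added example; it is not code from the article or from Lifeboat. The salted, iterated PBKDF2 storage is assumed as the fix, and the user table is constructed for illustration.

```python
import hashlib
import hmac
import os

ALPHANUMERIC = 62  # a-z, A-Z, 0-9: the alphabet behind the article's 62^n figures


def keyspace(length, alphabet_size=ALPHANUMERIC):
    """Number of candidates an exhaustive brute-force search must cover."""
    return alphabet_size ** length


def weak_store(password):
    """Lifeboat-style storage: unsalted MD5. Equal passwords give equal
    digests, and the digest can be looked up in precomputed tables."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password, salt=None, iterations=600_000):
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256).
    Returns 'iterations$salt$digest' so verification can recover both."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password, stored):
    """Recompute with the stored salt/iterations; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample table: two users chose the same short password.
SAMPLE_TABLE = {
    "alice@example.com": weak_store("hunter2"),
    "bob@example.com": weak_store("hunter2"),
    "carol@example.com": weak_store("Zq8vL1"),
}


def accounts_per_hash(table):
    """Group accounts by stored hash. With unsalted hashes, every account in
    a cluster falls as soon as one member's plaintext is recovered."""
    clusters = {}
    for account, digest in table.items():
        clusters.setdefault(digest, []).append(account)
    return clusters
```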