A Bad Week for Passwords, and One Way to Make It Better
Passwords are having a very bad week. First came word that more than 6 million passwords belonging to LinkedIn users were compromised in an attack. Today, the social music service Last.fm confirmed its password files have been compromised. Dating site eHarmony suffered another breach of its password files.
There aren’t many technical details about how the breaches were carried out. LinkedIn has confirmed the breach but has offered no details on what happened.
The fundamental problem is simple: Passwords have to be stored somewhere in order for them to be useful. They’re usually stored in a scrambled form using a mathematical function called a “hash” to make them difficult to obtain. One hash algorithm that has been in use for almost two decades is called MD5, and you can see it in action here. When I type in the phrase “the rain in spain falls mainly on the plain,” I get back the string of text: 262aac1a988ef3be5b01d1a565cc5acb.
The problem with hash codes is that with the increase in computing power, it’s increasingly easy to take that long string of letters and numbers and convert it back into text. If you like, you can cut and paste the string above and plug it into this free MD5 hash-cracking site and see what I mean (make sure you don’t include the period). You should get the original text as your result.
As hash algorithms go, MD5 is pretty old. It dates to about 1995, and as such has been declared “no longer safe” by its creator. Other stronger hash algorithms have emerged. One called SHA-1, created by the National Security Agency, takes my phrase from the MD5 example and returns this longer, presumably harder to break string: 9a73724fb8bcb23447453be5a02c48bad5be02bf. No such luck. The Hash Cracker site makes equally short work of it.
The problem is that processing power has reached a point where it’s a lot easier to crack hash algorithms. Getting the actual plain text password out of the hash string is basically a complex math problem. And as we’ve seen, ever more powerful computers are able to make ever shorter work out of cracking them.
So what’s the answer? One approach I’ve thought about and actually put into practice with some of the sites that I use is two-factor authentication. Google has made this an option on its Google Apps service, and I’ve enabled it there and also on my personal Gmail account.
Two-factor authentication works like this: You have a password — one that should be long and complicated and hard to guess, but also somehow easy to remember. Then once you’ve entered it correctly, you get prompted to enter a second code, maybe a string of four to six numbers. Where do these numbers come from?
They’re generated every 30 seconds or so on a smartphone. I have Google’s Authenticator App running on my iPhone and, every thirty seconds, it generates new numbers for each Google account I have. I enter that number before it expires and get access to my account. And while it adds a step and thus a tad of inconvenience, only I will have that number. I can also allow the number to be good for 30 days for each computer that I use, and so limit the number of times I have to jump through that hoop.
Two-factor authentication isn’t perfect. RSA Security — which makes its own widely used two-factor security system — was attacked last year, and the target appeared to be the algorithm it uses to generate those numbers. If an algorithm is compromised it can allow the entire system to be broken.
With so many of us carrying smartphones, which are essentially handheld computers, there’s almost no excuse for not kicking up the security of popular Web sites by a notch or two. If most popular Web sites that use any kind of sensitive information (LinkedIn and Facebook, I’m looking at you) were to implement two-factor as an option — not a requirement — there would be at least two very easy and positive results. First, it would make the work of compromising a Web account all the more difficult. Even if your initial password is “password” you would still need a second set of impossible-to-guess, always-changing numbers to get access.
Finally, it would put some responsibility for security in the hands of users. And that’s a good thing, too.