Gawker Passwords

After reading the BBC report on the Gawker password leak, I thought to myself, WTF?!! I just couldn’t believe the kind of passwords people chose for their accounts. Unfortunately, I see this everywhere, particularly in corporate environments: people tend to come up with passwords built from keys that sit next to each other on the keyboard.

Okay, having previously worked in information systems security, I have learned some things about password security. The biggest thing I learned from this leak is that these people did not take suitable password protection measures.

  • A password must never be stored in the clear, because anyone who dumps the database can read it.
  • A password must never be stored encrypted, because it can be recovered if the secret key used to encrypt it is compromised along with the application.
  • A password must never be stored as a plain (unsalted) hash, because a common password (as in this case) can be recovered from a table of hashes precomputed ahead of the attack.
  • A password must always be randomly seeded (salted) and hashed, so that the same password yields different hash values under different conditions.

The last method, a randomly seeded (salted) hash, is only good for now, until it is broken. The same scheme should be used to protect any sort of data used for one-way authentication. There are many different ways to do a seeded hash, but the concept is the same in all cases: prevent a value from having the same hash all the time.
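As an added example (my own code, not anything from the post or from Gawker), the following Python contrasts the third and fourth bullets above: a plain SHA-1 hash of a common password is matched instantly by a small precomputed table, while a per-password random salt run through PBKDF2 gives a different digest every time and can only be checked by recomputing with the stored salt. The password list and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords for the demonstration; not the leaked data.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "12345678"]

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value); raise as hardware gets faster


def unsalted_sha1(password):
    """The 'plain hash' scheme the post warns against: one fixed output per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Map hash -> password for a list of guesses. Because the hash has no salt,
    this table is computed once and then matches every user on every site."""
    return {unsalted_sha1(p): p for p in candidates}


def recoverable_from_table(stored_value, table):
    """Return the password if a stored unsalted hash appears in the table, else None."""
    return table.get(stored_value)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash: a fresh random salt per password, so identical
    passwords produce different digests and no precomputed table applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password, salt, stored_digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_plain_hash = unsalted_sha1("123456")
    print("unsalted hash recovered as:", recoverable_from_table(leaked_plain_hash, table))

    salt_a, digest_a = salted_hash("123456")
    salt_b, digest_b = salted_hash("123456")
    print("same password, different digests:", digest_a != digest_b)
    print("verify correct password:", verify("123456", salt_a, digest_a))
    print("verify wrong password:", verify("123457", salt_a, digest_a))
```

The salt is stored next to the digest in the clear; its job is not secrecy but uniqueness, which is exactly what stops one precomputed table from covering every account at once. The iteration count is the other half of the defence and should be tuned to the server's hardware.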

Can you imagine it, the most common password is “123456”??!!!

This is probably a good time to plug a simple tool that comes in very handy for online passwords: pwdhash. It comes with both a Firefox and a Chrome plugin, so it can be easily used in modern browsers. What it does is seed your password with the site’s domain name and hash the result, so even if your password is “123456”, what gets sent to the website is a random-looking string of characters that differs from site to site. One caveat: the domain is public, so a per-site value is still only as hard to guess as the master password behind it. Treat it as a complement to a strong master password and proper server-side salted hashing, not a substitute.
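To show the idea of seeding a password with the domain, here is an added example in Python (mine, not pwdhash’s code; pwdhash’s actual construction differs and this only reproduces the concept). It derives a per-site string from a master password and a normalised domain using HMAC-SHA256, so the same master password gives unrelated values on different sites and the original password never appears in what is submitted.

```python
import base64
import hashlib
import hmac


def site_password(master, domain, length=16):
    """Derive a per-site password from a master password and the site's domain.

    Illustrative scheme only: HMAC-SHA256 keyed with the master password over the
    trimmed, lowercased domain, base64-encoded and truncated to `length`.
    This is NOT pwdhash's real algorithm, just the same seeding idea.
    """
    domain = domain.strip().lower()  # "Example.COM " and "example.com" must agree
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed inputs: the weak master password from the post and two sample domains.
    for site in ("example.com", "example.org"):
        print(site, site_password("123456", site))
```

Normalising the domain matters: if the browser sees the host in a different case or with stray whitespace, the derived password silently changes and the user is locked out, so the normalisation must be identical everywhere the derivation runs.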


Published by Shawn Tan

Chip Doctor, Chartered Engineer, Entrepreneur, Law Graduate.
