Gawker used encryption incorrectly. The odd choice of archaic DES encryption meant that the passwords they saved were all truncated to 8 characters. No matter how long your password actually was, you only had to enter the first 8 characters for it to work. So much for choosing a secure pass phrase.
This analysis is roughly 165 degrees misguided. Yes, the archaic password hash Gawker used prevented Gawker users from taking advantage of long passphrases on Gawker properties. But Gawker's properties were completely compromised anyways, so even an uncrackable passphrase wouldn't have helped you.
Meanwhile, that same archaic hash mitigated the compromise of all their password hashes, such that if you actually used a passphrase, it can't definitively be cracked from those hashes (there are obviously infinitely many passphrases that could hash to a given crypt(3) hash, only one of which would be your phrase).
Can you please elaborate on this? Exactly how did it prevent you from using a longer password? The best I can google are problems with DES ECB which encrypts in 64bit blocks but this would still allow for longer passwords, would it not? What am I missing?
DES crypt(3) isn't a block cipher. It's a (crappy) hash that uses the guts of the DES algorithm. Don't think of it like AES or Blowfish or whatever. It doesn't "encrypt" passwords. What it specific does is encrypt a single all-zeroes block using a key derived from your password. There are, for what it's worth, a lot of hashes that are --- in the heart of hearts --- block ciphers. Some of the SHA3 finalists fit that mold.
People are very confused by this whole "Gawker is using DES" narrative. But Gawker isn't "using DES"; they're using DES crypt(3), which is a construction derived from DES internals. That's not at all the same thing.
In this specific case, because DES crypt(3) is in fact a crappy hash, passphrases are irrelevant; crypt(3) truncates them to fit a DES key. The rest of the data for your passphrase is never even hitting the hash, so a stolen hash can't possibly disclose the whole passphrase.
Gawker saved passwords. You should never, ever store user passwords. If you do, you're storing passwords incorrectly. Always store the salted hash of the password -- never the password itself!
What? No... Gawker stored hashes.
EDIT
It really galls me that Jeff can make an entire post around such an easily verified and debunked lie. Was he too lazy to check? Does he know what DES3 crypt is/does? Or did he think it would simply look good as the first of his three points in order to make a sensational story?
Gawker really doesn't deserve the trash talk they're getting, their db architecture was far more sound than a lot of others out there... and, as Thomas points out, their use of "archaic" hashing techniques is in some ways a blessing. Their db designers definitely get a "PASS" even if they didn't use something like bcrypt which would have given them an A++ on this assignment.
Careful; DES3 is one shorthand for Triple DES, and DES crypt(3) (what they used) is the DES-based hash documented in section 3 of the Unix man pages. =)
Does the need to post a comment on Gizmodo really justify polluting the world with yet another username and password?
Let me see if I understand this logic correctly: password reuse is a critical internet problem because it puts all of your sensitive stuff into one key, your re-used password.
And the way to address this problem is to put all of your sensitive stuff into one third party whom we trust more, for purposes of our conversation we can just call them "the monopolist".
I don't think so. How about a distributed password system where I personally own the code and it kicks off a unique key for me for every web site I sign up to? After all, I've gotten pretty good about carrying around important things in my life. I use something called a wallet. The concept has been working fine for thousands of years. Whereas the idea of having somebody else keep secrets for folks really doesn't have that great of a sterling track record, as the Gawker situation shows.
This was a great article in that it's starting to show people how screwed up things are. But the conclusions (to me) seem all out of whack.
> And the way to address this problem is to put all of your sensitive stuff into one third party whom we trust more, for purposes of our conversation we can just call them "the monopolist".
You're missing the point. Giving out your password to a number of sites is as secure as the least secure of those sites. Giving it to a single third party still poses its problems, but is a much safer bet statistically.
> […] all of your sensitive stuff into one third party […]
You can designate any OpenID provider, including yourself. In such case DNS and optionally Certificate Authorities are only 3rd parties that have to be trusted (and if you can't trust these, you shouldn't be using the Web).
What I meant was that I own the process for making my own key, including salting, hashing, random-number generation, or any damn other thing I choose. Instead of me just having to c come up with semi-plaintext passwords or passphrases that I can remember, I can just carry around something that can provide me all the keys I could ever want. Perhaps I could keep a backup of this device somewhere in the cloud. Perhaps not.
But with a true distributed, non-predictable password generating system, there is no one crack that can effectively get to all the plaintext passwords. Big benefit there, and keeping something like a dongle in my wallet matches very well with the usual way things of value are already being kept. I'm perfectly happy with taking responsibility for salting, obscuring, and otherwise encrypting my passwords for various sites. In fact, I'd rather do it than have the site owner do it (or not).
The site owner can continue using the password as a check for access, it works the same as before, he's just not responsible for taking something easy for me to do (like remembering some kind of passphrase) and storing that somewhere. Or, in other words, instead of traditional mostly-English passwords each of us will just have our own system of generating rather large impenetrable blobs, which will then be used for authentication. If you crack Gawker the only thing you get of mine is some huge random pile of bytes which I only use for Gawker, not potentially the keys to every other site I use on the internet. I will personally assume responsibility for distributing passwords to tens of thousands of internet sites. This is simple crypto. I do not need to put all of my eggs into one basket, no matter how large, secure, warm, and fuzzy that basket is.
There is nothing (that I'm aware of) stopping you from setting up your own Open ID provider that used the method you described for authentication. The downside of course is that it's Open ID, which means it's pretty much only useful at places you don't need it.
While I do agree with the sentiment of the article, as a developer I see it as a risk to hand over user authentication to a third party. Once I do that, I'm subject to their terms of service (which usually say 'we can do anything we feel like, any time we want'), their outages, and their bad business decision (What happens to all the Facebook connect accounts when Facebook goes bankrupt?).
Would I even trust Google to handle Authentication? Maybe, but remind me again how I contact Google Tech Support when my authentication mysteriously stops working?
On the other hand, I had left comments on Gizmodo using Facebook Connect, so from a user perspective it worked out well for me.
OpenID delegation is useful for this purpose. If you have any domain you can use it as your OpenID and specify it to delegate the actual authentication to another service provider, that you can change at any point. I used to use MyOpenID, now I use Google, but it's the same login.
> Let's say you have good old traditional username and passwords on 50 different websites. That's 50 different programmers who all have different ideas of how your password should be stored. I hope for your sake you used a different (and extremely secure) password on every single one of those websites. Because statistically speaking, you're screwed.
A great reason to use a password manager, like LastPass. I started using it ~1 year ago, and now each of my web logins has a different password. It's just one key combo to generate a new random password and insert it into the password field when signing up at a new site.
Of course, you do now have to trust LastPass! I do, and it's fantastic the difference it makes in these situations. No sick feeling in your stomach, no rush to change passwords everywhere, a few clicks and the problem is solved. Extra credit: use their security challenge to verify you're not using the same password on more than one website: https://lastpass.com/?securitychallenge
I've been looking at switching to a password manager like that, but I've been having trouble knowing how to pick one that a) I can trust and b) is good. I was thinking of giving up and just using a plain text file inside a truecrypt file.
I can't really help you with a, that's largely dependent on you. Whether it meets requirement b depends on how you're going to be using it, really. My use case is mostly websites, in Firefox and Chrome, and occasionally on my Android phone. I wanted the UI to integrate nicely with the browser, to be able to store other passwords besides, for the architecture to be secure (passwords are always encrypted with your master password before going to their servers, and your password is never transmitted to them), for it to have two-factor authentication, to sync automatically, and for it to have a website backup for access without the extension.
LastPass fit all these, but it might not fit your usage requirements. However, I would urge you to investigate it and all other options (KeePass seems popular, as are some other Firefox extensions) if you don't currently have a good password solution, as any of these is better than using the same password multiple places.
A lot of people seem to do this, so I'm curious - what are the advantages compared to e.g. LastPass? Also, how well does it hold up if you used two devices simultaneously?
Cool. I always saw this as a limitation but honestly it's very, very rare that I need simultaneous write - just simultaneous read. I will start recommending KeePass + Dropbox to those who don't trust LastPass. What's KeePass's browser integration like?
Right, but you have to take their word for that (not exclusive to LastPass, goes for any service like this). So ultimately, you still have to trust them.
- I have a text file encrypted with GPG that contains my list of passwords.
- I open it in Emacs like any normal file.
- GPG is integrated to Gnome so I get a nice askpass dialog even from inside Emacs.
- I've configured Gnome to store the decrypted key for a few hours (or until suspend) and ask me anytime the cached passphrase will be reused, to avoid typing my long passphrase everytime I need to look up a password.
- Emacs also knows how to encrypt the file transparently when I've made changes and just save the buffer in Emacs.
- My swap partition is encrypted via TrueCrypt and so is my /home.
Personally I am going to use a super weak password on most sites from now on with the understanding that anybody may hack it. 90% of sites it doesnt matter anyway. Then I can focus on the rest,which actually matter to me.
I've been doing this for years. I have two categories of passwords, and for any site I don't care about it gets one of my weak passwords. But even still, I believe I am going to switch to 1Password or something similar.
I do this, but one of the sites I don't care about has graduated to "do care about", and may have been using the same lightly customized password as Gawker. Lesson: I should pay more attention to which sites are important and need to be upgraded.
As soon as you realize a site is important, update your password. That should solve the problem, right? Unless someone breaks in between the time that you realize it's important and the time you want to change your password.
I did almost exactly that and I've still been bitten by this.
I had a weak password like 99beers that I've used for many years for the 90% of sites that don't matter. I started to transition to something like adding the first letter of the site name plus one to the beginning, so ycombinator.com would be z99beers. Still not strong, but I thought it reduced the risk if one site was compromised.
But since this compromise has been so large and well-publicized, I've gotten locked out of several sites that do matter, apparently just based on being in the Gawker dump. Since my email has never been compromised, this isn't a big deal, but it's a hassle.
Now I'm making a serious effort to apply LastPass and random passwords to everything.
poor man's password manager: select one strong password that you are able to keep in mind. Then for every site you use, set the password to what is the output of:
echo "strong_pass:sitename:strong_pass" | sha1sum
Note: if you are using mac os x use "shasum" instead of "sha1sum".
Make sure to don't expose your secure password of course.
It's also a good idea to use a completely different strong password just for email.
p.s. it's worth to note that since there are tons fo SHA implementations for Javascript it's possible to build all this as a web application where all the business happens in the client.
The web app will just allow you to add a number of site names so that you don't have to type the site name by hand all the times.
Btw the world would be a better place with all the auth cookies set to expire on 2036...
Unfortunately some crappy site is going to thwart such an effort. "bzzz! you can only use 12 chars in your password" or "you have to use a symbol/uppercase letter" or some other lunacy. le sigh
This is not a great password manager function; the reason is, losing your sha1sum password gives the attacker enough information to mount a very, very fast brute force attack against "strong_pass" as long as they know the "sitename".
A basic property of a password manager system should be that the loss of any password doesn't give attackers any information about other passwords; yours potentially concedes the "master secret" that animates all of them.
SuperGenPass (http://supergenpass.com/) does that in a way that is more likely to generate strong passwords honored by sites (e.g., multiple cases, punctuation, etc.). It comes both as a bookmarklet, and, if you don't want to use that, a mobile version (http://supergenpass.com/mobile/) that you can store somewhere safe so it doesn't even hit the internet (e.g., I store it on my Dropbox account so I can use it on my phone). Works great.
There's also an extension for Chrome called SuperChromePass that allows you to generate your passwords outside of the DOM to prevent snooping, or use Ctrl-Shift-P to do in-DOM generation for convenience, depending on your preference and paranoia.
That said, I've been using SGP/SCP for all my passwords for about a year now, and I have only come across a single site that wouldn't work with the default, 10 character password scheme: ConsumerReports.com
All in all, I would definitely recommend this to everyone because it means you don't have to keep track of an encrypted password database or have any software installed on computers you use. If your computer crashes and you lose all your data, you just put SGP back on your bookmarks bar and carry on with life...
otherwise there are attacks possible with this simple schema. Check why it's a good idea to use an HMAC for serious applications instead of "secret:...mytext..." for more details (long story short, it's possible to continue the SHA1 computation resuming from where it ended and appending more text). It's really a problem in different cases, not in our case of generating passwords, but it's a good practice to use always HMAC or when it is not practical like in this case at least putting the secret before and after.
this is already available for the major browsers as an extension; try googling for "pwd hash" (from stanford) and "password hasher". also, as was noted in another comment, this is currently being discussed in another thread
I'd much rather depend on 50 strong passwords than 1 strong password to protect my online presence. Depend on Google, FB, etc. and when that 1 site or auth protocol is cracked ALL your logins are compromised. By spreading the risk around you are better protected from these kinds of issues.
"The short answer is that OpenID is the worst possible 'solution' I have ever seen in my entire life to a problem that most people don't really have. That's what's 'wrong' with it."
> Gawker saved passwords. You should never, ever store user passwords. If you do, you're storing passwords incorrectly. Always store the salted hash of the password -- never the password itself!
Uh, no? They did save the hashed+salted version. The only problem is that they used crypt, from 20 years ago, instead of something like bcrypt.
Yeah, I am. I'm looking at the database right now.
I would assume they had more, faster computers. And the passwords they broke were only the simple ones -- I would assume your password is not password1.
No, they weren't. According to the "Release Notes", they were using a DES-based crypt scheme. Read up on tptacek's (http://news.ycombinator.com/user?id=tptacek) comments on the matter.
Do you have a reference for that? Everything I've read (not really authoritative) indicated they were using the standard crypt interface, which does use DES, but is a lot closer to salted hash then encrypted. I can see the issue getting confused either way (people see DES, don't know what to think), but using crypt seems a lot more likely.
Is there a space for some startup to just offer an internet driver license. That would be all they do, no ulterior motive, just identity service.
Rock Solid Security + Developer Friendly API = Win?
There are probably adoption issues and centralized authority fear. It seems though that other things have consolidated nicely (a ton of comments use Disqus now), maybe its time for someone to create a startup that solves this very real problem.
Has there been an explanation as to why they were using DES? Gawker started in 2003, a year after DES was superseded by AES, and there were plenty of more secure algorithms being used at the time.
As I pointed out on another post yesterday, there's no central repository for security information. Everyone is left up to their own devices to determine the current best practices. And then implement them. The fact that it was 'started' a year after AES doesn't really mean much. (And 'started' or 'launched'? Those are quite different.)
If you have to develop a secure solution you make some research and choose what you think is a good solution (and if it is something outside your field you study/ask).
In 2001 I've to implement a secure solution for a mobile platform, I choose Rijndael (them picked by NIST for AES). My previous knowledge of encryption algorithm was near zero.
And then if you make the wrong decision, on something important as security for a public website, over the years you iterate (come on, till 2003 nobody internally thought it was a must to fix this mess?).
> If you have to develop a secure solution you make some research and choose what you think is a good solution (and if it is something outside your field you study/ask)
If everyone did this we wouldn't have these discussions so often. The problem is that people think they know about crypto, and think they know what they're doing, and probably won't believe otherwise until they get smashed wide open like this. This applies to almost all areas of knowledge, it's just particularly damaging in crypto as it's arcane and very sensitive to changes, often in very subtle ways.
It's worse than that - I admit I know very little about crypto.
So when it comes to implementing a password storage system I read up a bit, get confused, ask a couple of people and get different answers back.
It's the "get confused" bit that's dangerous. As you say, the differences are quite subtle and (for me at least) when they are being explained make perfect sense, but ten minutes later have become an uncrackable cipher all of their own.
I'm not sure what advice to give you. You commonly see advice to outsource your security, to other libraries, the idea being these are more likely to be correct than you. However, there have been some pretty high profile mistakes in common crypto libraries too! If there's anything specific you have in mind, I'd be happy to field questions (and hopefully other HN users will correct me in the event I'm wrong!)
What is it being used for, and how is it being used? I'm guessing this is password hashes. Is rails using a unique salt for each password?
Bcrypt is slower than SHA512, in fact it can be made to be very slow. This is actually ideal for password hashes, it doesn't matter if it takes your server 50 milliseconds to calculate a password hash but that would severely slow down an attack.
It is important however that they are being used correctly. Either would be a good solution if properly salted.
At the time they implemented this (~5 years ago) most PHP tutorials just pointed to either crypt or md5. The other cyphers and functions were either added later, were not in stable PHP branches at the time, and/or most common tutorials had not picked up on them.
It is also a pain to port your password storage method
This analysis is roughly 165 degrees misguided. Yes, the archaic password hash Gawker used prevented Gawker users from taking advantage of long passphrases on Gawker properties. But Gawker's properties were completely compromised anyways, so even an uncrackable passphrase wouldn't have helped you.
Meanwhile, that same archaic hash mitigated the compromise of all their password hashes, such that if you actually used a passphrase, it can't definitively be cracked from those hashes (there are obviously infinitely many passphrases that could hash to a given crypt(3) hash, only one of which would be your phrase).