How Do Passwords Work - Learn the Anatomy of Passwords | Antivirus

Four years ago, the social business network LinkedIn was attacked in which password data was stolen. Only recently it became known how dangerous this data theft was. The incident forces all network users who were already members at the time to quickly change their passwords. However, it also shows that secure passwords are necessary, but that even very secure passwords do not offer permanent protection if the operator of the service for which the passwords are used is irresponsible. Therefore, this post explains how passwords work and how a service provider has to deal with them.

Passwords in The Early Days of The Internet

In the early days of the Internet, password management was primitive: if a user chose the password 123456, the service saved this password with the user name as clear text in a text file or, at best, a database. “Plain text” means that the password was saved as 123456. This makes it available to anyone who can open and read the file.

For one thing, this password is extremely insecure because it is so easy to type. If you are lazy, you prefer to remember a simple pattern on the keyboard or another primitive password. The website Whatsmypass.com has published a list of the 50 most common passwords stolen in the LinkedIn attack. 123456 tops this list. It is used in over 750,000 of the almost 178 million stolen data records, that is 0.42% - not an impressive percentage, but a considerable amount.

If the password is also saved in clear text, then it is not only easy to guess, but also known immediately if the database or text file is stolen, as is the case with LinkedIn and most other similar break-ins and data theft. You had to see that very early on. Nevertheless, there are still, service providers who save passwords in cleartext.

This applies in particular to all the service providers who can send you your forgotten password if you use the "forgotten password" function. Such service providers are not trustworthy. In the event of data theft, your account will be compromised immediately.

Hashes Instead of Passwords

So it soon became necessary to move on to storing the passwords no longer in plain text but in encrypted form. Here algorithms are used that calculate a so-called hash value from the password. Only this is saved, and it should not be reversible with current encryption methods, i.e. it must not be possible to calculate the password from the hash.

Let us assume that a service uses the SHA-1 method for encrypting the passwords. This is exactly what LinkedIn did back then. The password 123456 becomes the following value through this encryption:

7c4a8d09ca3762af61e59520943dc26494f8941b

That doesn't look bad at first. Only this string is stored by the provider of the service. It cannot be used to calculate what the original password was unless the SHA-1 algorithm is cracked.

SHA-1 is no longer considered safe, so it should no longer be used. Nonetheless, for the sake of illustration, we assume here that the algorithm as such is safe and continue to use it as an example.

You can check for yourself which hash value results in your personal password. A command-line command can be used for this on Linux:

echo -n 123456 | sha1sum | awk '{print $ 1}'

7c4a8d09ca3762af61e59520943dc26494f8941b

The upper line is the command that you confirm with the Enter key, below the output of the hash value already displayed above and determined from the password, which is then carried out. Instead of 123456, enter your password to determine its hash.

There are no on-board tools on Windows, but you can use a program like HashCalc to determine hash values, or you can use websites like hashgenerator.de. However, in both cases, but especially with such websites, the following applies: Are you sure that the password and hash are not being passed on to anyone? Isn't your supposedly secure password perhaps reported to the provider of the program or the site together with the hash it has determined? You will see right away that this means a risk.

Calculate Hashes in Advance

The passwords stolen from LinkedIn were stored as pure SHA-1 values ​​and were thus stolen. This means that exactly the above hash was stored in 0.42% of the stolen records. Anyone who has a list of the most popular passwords, for example, can determine the hash values ​​of this list according to any existing algorithm without any appreciable expenditure of time, since the algorithms must necessarily be publicly available. Then all he has to do is look in the stolen records for those in his list that have been determined in advance. The first time it hits, it not only learns the password but also, if it does not already know which algorithm was used. He can then focus on these for the rest of the list.

You can also determine the hashes for every term from every dictionary in every language in the world fully automatically without any major effort. Assume that this has already happened for each algorithm. This means that if your password is an existing word in any language (whether on the purpose or not), then you can assume that it will be cracked immediately if its hash is stolen somewhere.

For example, let's say you're apparently difficult-to-guess The password is “entrance ticket”. The SHA-1 value is:

c503b3dbd51a87da4a94b662be98880419b31e64

The password is probably really not easy for a human to guess. But if that was your LinkedIn password four years ago, then this is exactly the value now in the list of stolen passwords.

If you let a computer automatically convert the main entries of a German language dictionary into hashes using SHA-1, this process should hardly take more than a few hours. The hash value specified above can then be searched for in the list of stolen hashes. If the hashes match, the password has been cracked.

 You can very easily check that this is the case for this password: There have long been websites that do this for you. Open the page linked here and copy the complete hash value for "entrance ticket" there, press "Reverse" and see how quickly the password is determined. This website does nothing but matches the hash with a huge database of several million pre-calculated hashes.

The use of a capital letter secures the password. "Entrance ticket" with a capital E gives the hash

c8a03a9ed15d149d7eb0a28989c2398e2144cff3

This hash does not yet appear in the database. But it's only a matter of time. In the case of LinkedIn, the extent of the problem is only now becoming clear, since now, after four years, a large number of hashes, including supposedly secure passwords, have been decrypted and the data has been published.

Because possible passwords can be easily calculated in advance from simple characters, passwords are usually required that are long, made up of lower and upper case letters, contain digits, and also special characters. The length is important because you can assume that a large part of the short random strings has already been calculated in advance. For example, the hashes for hang and aHbG are already found on the specified website without any problems, although to my knowledge these are not actually existing words (but possibly abbreviations).

Individualization of The Hashes: Salt

Responsible providers of password-protected services add an additional level to the encryption: they "salt" the password with a separate, secret component. However, LinkedIn didn't do that back then.

Where such a “salt” is used, the provider appends additional characters to the password without the user needing to know. For example, the string “BeL12” could automatically be added as salt, so that our popular 123456 becomes the password 123456BeL12. The salted password results in the following hash:

5f78283d014367c2790b783e11541fef8ae908ed

This is in no way similar to the hash value for 123456 above. The mentioned decryption page finds nothing for this hash. So for now we're safe.

However, there are still some weak points for this system: On the one hand, the salt must really remain secret, because otherwise a long list of passwords for this salt can be created and their hashes can be determined. Second, it can be assumed that the most common passwords + salt can be determined from this list purely statistically. In other words, if LinkedIn had already salted the passwords with BeL12 during the theft, then the associated hash value would still have appeared identically in 0.42% of the entries. Accordingly, at least the simplest passwords can be recognized by the statistical frequency of occurrence of the hash value. Initially, this does not endanger the better passwords, but the simpler ones.

Short salt values ​​can also be determined statistically. If a service has a sufficiently large number of users, it can be assumed that the most frequently occurring value in a stolen hash list corresponds to one of the commonly known most frequent passwords plus the individual salt. In the case of the LinkedIn data, this was 123456 + Salt. The main common denominator on keyboards around the world is the English character set. That is 26 letters in large and small, 10 digits, and around 20 special characters (not every password routine allows every character). So that adds up to around 82 characters.

There are therefore 82 possible salts with only one character, 82² = 6724 with two characters, 551.368 with three characters and 45.212.176 with four characters. In total, that's 45,770,350 possible salt values ​​with up to four characters. It is a breeze for today's computers to compute all the resulting hash values ​​for, say, the ten most common passwords plus these 45 million hash values ​​in a reasonable time. And if that produces even a single hash value that is actually in the stolen list, the salt value is known.

A serious problem begins for the provider if he ever finds out. Then, to establish a new salt, all customers have to log in again at least once, for which the service first uses the old salt and then determines a new hash with the new salt and transfers it to a new database. A service that changes the salt is forced to use bath salts for at least some time so that existing customers can still log in. And if the actual password has already been successfully determined, the new salt does not offer any protection.

So What Do You Need to Do to Have a Strong Password?

If you were able to follow what has been said so far, you will now surely understand why passwords have to be long and consist of combinations of lower and upper case letters, numbers, and special characters.

The real danger to your password is not that someone guesses it through thought. It is much more dangerous and likely that your password will be identified by its hash if it is stolen somewhere. This is why it is important not to use a password for more than one purpose.

You can very easily get a password that is well protected against these attacks. All you have to do is memorize a kind of your own salt, for example, a short word like “Salz”. If you now have to set your own password for a service, use a rule like Name of the service +: + Salz. For example, this is how the LinkedIn password is created:

LinkedIn: SalZ

We have uppercase letters, lowercase letters, and a special character in them. You may also want to add a number. In any case, it is unlikely that the resulting hash (especially if it has also been salted by the service provider) already appears in a database.

However, there remains at least one more theoretical problem: Suppose you fall for a phishing attack with a fake LinkedIn page and enter your username and password there. The LinkedIn account is definitely compromised, but if someone looks at this password, then they can at least with some probability guess that your password for Facebook is Facebook: Salz or maybe FaceBook: Salz. However, I consider this risk to be relatively low.

Even so, it is a good idea to use two-factor identification wherever possible. On Facebook, for example, you can request a code that is issued via the mobile phone app and which has to be entered after logging in again. If someone knew the Facebook password and used it to log in, they would still not be able to continue without your mobile phone, because only the code that they would have to enter next is displayed on it. And if you are shown such a code without having logged into Facebook, then you should change your password there as soon as possible.

Password protection is not enough for your data. Hence you need to consider one of the best antivirus products.