Sold

I’ve just been reading about eBay’s security breach, in which names, dates of birth, phone numbers, physical addresses, email addresses, and “encrypted” passwords were copied from servers. Naturally, the company is trying to put a brave face on things — while asking users to change passwords “as a precaution”.

(I say “asking users” but they haven’t asked me. The only information I have is from the press.)

But when you do log on to eBay to change your password, you’ll find that there is a 20-character limit on its length. A minimum password length is fine, but a maximum rings alarm bells, raises red flags, and causes other miscellaneous symptoms of concern. Here’s why.

The proper way to do passwords is to use a hashing function. This is a mathematical process whose most important feature is to be one-way. That is, you can transform a password into its hash, but you cannot transform the hash back into the password.

If that’s hard to understand at first sight, think of a system where the password is a 4-digit number, and the hashing function is “add up the digits”. So 1234 transforms to 10, but you can’t get the digits back if all you know is 10. (In reality, a hashing function shouldn’t give the same hash for different passwords, so anything like this one would never be used.)

In real systems, a new password is put through the hashing function and the hash is stored. Then when the user tries to log in, the supplied password is put through the hashing function and the result compared with the stored one.

When you design computer systems for millions of customers, the amount of storage which you need is a concern. You don’t want to waste space: it costs money and slows things down. In the case of eBay’s database, the analyst or designer would have specified maximum lengths for the data — for example, you know the maximum size that a phone number can be.

So just 20 characters for the password, then? No, but wait! You aren’t storing the password. You are storing the hash, which is a fixed-length number, regardless of how long the password was.
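As an added example (not code from the original post), here is the store-and-compare scheme just described in Python. The choice of PBKDF2-HMAC-SHA256, the iteration count and the 16-byte random salt are my assumptions; the point it shows is that the stored value is always 32 bytes, whatever the length or character set of the password, so a database column never needs a password-length cap.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for the example; real deployments tune this upward
# (or use bcrypt/scrypt/Argon2). Only the fixed-size digest is ever stored.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a new password.

    UTF-8 encoding means accented and symbol characters are fine: nothing
    here depends on the password's length or alphabet.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the supplied password with the stored salt and compare.

    compare_digest runs in constant time, so a wrong guess does not leak
    how many leading bytes matched.
    """
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def digest_length(password: str) -> int:
    """Bytes stored for this password: constant, independent of its length."""
    return len(hash_password(password)[1])


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths and alphabets.
    for pw in ("pa$$word", "correct horse battery staple " * 3, "pässwörd"):
        salt, digest = hash_password(pw)
        assert verify_password(pw, salt, digest)
        assert not verify_password(pw + "x", salt, digest)
        print(f"{len(pw):3d} chars -> {len(digest)} byte digest")
    # Same password, two users: salts differ, so the stored digests differ
    # and one cracked guess does not unlock every account sharing it.
    print("salted twins differ:", hash_password("pa$$word")[1] != hash_password("pa$$word")[1])
```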

Why the 20-character limit then? The worrying possibility is that eBay are storing the password itself. It’s not clear if their wording implies this, in saying that the stolen data contained “encrypted” passwords, or if they were simplifying to avoid having to explain what hash functions are.

There are online systems (e.g. Tesco) which do store the users’ passwords, encrypted with a reversible algorithm, allowing the password to be easily recovered. This is universally recognized to be very, very poor security practice, because if (when) the data is stolen, the hackers can very quickly generate a full list of passwords. (Most of them will be “password” anyway.)

If a database of password hashes is stolen, it’s not impossible to recover the passwords, but it’s difficult, and likely to require massive amounts of computation. That’s why GCHQ & the NSA have supercomputers. A basic hashing function is rarely used on its own either, with features added (such as “salt”) to make it more difficult to crack.

The typical attack on a hash is to take a list of possible passwords (e.g. “password”) and try each one in turn. First, you’ll use a dictionary of common words (e.g. “password”), or maybe a list of known passwords from elsewhere (e.g. “pa$$word”. You thought you were so clever.) If you run out of ideas, there’s nothing for it but to exhaustively try all combinations of letters and symbols allowed, starting at aaaaaa, then aaaaab and so on, all the way up to ZZZZZZZZZZZZZZZZZZZZ.

That’s why it’s a fundamental law of computer security that a long password is a good password. The computation for the hackers trying to crack it increases exponentially for every additional character. A 20-character limit on eBay is bad in itself, but could also be hinting at a deeper problem.

xkcd on password strength


4 thoughts on “Sold”

  1. That’s why it always confused me that cPanel (one of the most common web hosting platforms) limits the password generator to 18… and even then you have to manually change it from 12 every time you generate a password.

    Yes, it generates one full of punctuation etc… but as your comic strip shows… etc…

    I would like to doubt that eBay don’t hash passwords, I would like to doubt that, but you never know. Perhaps they thought that security applied to actual database access was enough…. Which is a terrible idea since even a disgruntled employee could do some serious damage without being noticed…

    Joomla 2.5 used an MD5 hash with salt; Joomla 3 (since 3.2, I think) uses bcrypt. And from what I’ve been reading it’s pretty good. Although I can’t pretend to know the ins and outs of why.

    The md5() function in PHP should be removed at some point. Although I know it can be useful for some small jobs where security isn’t required like making sure div classes have unique names etc… the problem is it creates the illusion of security. Even a simple google search of the hash will probably crack it.

  2. A spokesperson from eBay is quoted on Reuters as saying that the website used “sophisticated, proprietary hashing and salting technology to protect the passwords”.
    “proprietary” is another one of those red flag words in a security context though.

    • As far as I’m aware, eBay have used the Joomla framework for lots of their internal intranets and other systems. Therefore it’s all PHP and (most likely) MySQL driven.

      That to me says “md5() + Salt”… Not good.

      I know a guy working there from the early Joomla days, I could ask him! :)

  3. Bad news. I just changed my passwords on eBay and PayPal and PayPal tells me “you cannot have an accent in your password” — actually, it was a symbol, i.e. it was a character outside the basic 7-bit ASCII set. Something dubious in their handling of passwords, for sure.
