I’ve just been reading about eBay’s security breach, in which names, dates of birth, phone numbers, physical addresses, email addresses, and “encrypted” passwords were copied from servers. Naturally, the company is trying to put a brave face on things — while asking users to change passwords “as a precaution”.
(I say “asking users” but they haven’t asked me. The only information I have is from the press.)
But when you do log on to eBay to change your password, you’ll find that there is a 20-character limit on its length. A minimum password length is fine, but a maximum rings alarm bells, raises red flags, and causes other miscellaneous symptoms of concern. Here’s why.
The proper way to do passwords is to use a hashing function. This is a mathematical process whose most important feature is to be one-way. That is, you can transform a password into its hash, but you can not transform the hash back into the password.
If that’s hard to understand at first sight, think of a system where the password is a 4-digit number, and the hashing function is “add up the digits”. So 1234 transforms to 10, but you can’t get the digits back if all you know is 10. (In reality, a hashing function shouldn’t give the same hash for different passwords, so anything like this one would never be used.)
In real systems, a new password is put through the hashing function and the hash is stored. Then when the user tries to log in, the supplied password is put through the hashing function and the result compared with the stored one.
When you design computer systems for millions of customers, the amount of storage which you need is a concern. You don’t want to waste space: it costs money and slows things down. In the case of eBay’s database, the analyst or designer would have specified maximum lengths for the data — for example, you know the maximum size that a phone number can be.
So just 20 characters for the password, then? No, but wait! You aren’t storing the password. You are storing the hash, which is a fixed-length number, regardless of how long the password was.
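As an added illustration of the store-then-compare flow and the fixed-length point above (example code written for this page, not eBay's system or anything the post's author published): a registration step keeps only the hash, a login step hashes the supplied password and compares, and a 4-character password occupies exactly the same space as a 40-character one. Plain SHA-256 is used here purely to show the one-way and fixed-length properties; the per-user salt and slow hashing that real systems add are left out of this block on purpose. The user name and passwords are constructed sample values.

```python
import hashlib
import hmac

# Constructed illustration of hash-based password storage. A bare SHA-256
# shows the one-way, fixed-length behaviour only; production systems add a
# per-user salt and a deliberately slow function on top of this.


def hash_password(password: str) -> str:
    """Return the SHA-256 hex digest of the password: always 64 hex characters."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_new_password(db: dict, username: str, password: str) -> None:
    """Registration: the database keeps only the hash, never the password."""
    db[username] = hash_password(password)


def check_login(db: dict, username: str, supplied: str) -> bool:
    """Login: hash what the user typed and compare it with the stored hash."""
    stored = db.get(username)
    if stored is None:
        return False
    # compare_digest runs in constant time, so an attacker cannot learn how
    # many leading characters of the hash matched from response timing.
    return hmac.compare_digest(stored, hash_password(supplied))


def stored_lengths(passwords) -> list:
    """Length of the stored value for each password: the same for all of them."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    users = {}  # constructed in-memory "database"
    store_new_password(users, "alice", "correct horse battery staple")
    print(check_login(users, "alice", "correct horse battery staple"))  # True
    print(check_login(users, "alice", "Tr0ub4dor&3"))  # False
    # A 4-character password and a 40-character passphrase need identical storage.
    print(stored_lengths(["abcd", "a" * 40]))  # [64, 64]
```

The storage column for the hash can therefore be a fixed 64 characters (or 32 raw bytes) no matter what length policy is applied to the password itself, which is why a maximum password length is never forced by the database schema.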
Why the 20-character limit then? The worrying possibility is that eBay are storing the password itself. It’s not clear if their wording implies this, in saying that the stolen data contained “encrypted” passwords, or if they were simplifying to avoid having to explain what hash functions are.
There are online systems (e.g. Tesco) which do store the users’ passwords, encrypted with a reversible algorithm, allowing the password to be easily recovered. This is universally recognized to be very, very poor security practice, because if (when) the data is stolen, the hackers can very quickly generate a full list of passwords. (Most of them will be “password” anyway.)
If a database of password hashes is stolen, it’s not impossible to recover the passwords, but it’s difficult, and likely to require massive amounts of computation. That’s why GCHQ & the NSA have supercomputers. A basic hashing function is rarely used on its own either: extra measures (such as a “salt”) are added to make the hashes more difficult to crack.
The typical attack on a hash is to take a list of possible passwords (e.g. “password”) and try each one in turn. First, you’ll use a dictionary of common words (e.g. “password”), or maybe a list of known passwords from elsewhere (e.g. “pa$$word”. You thought you were so clever.) If you run out of ideas, there’s nothing for it but to exhaustively try all combinations of letters and symbols allowed, starting at aaaaaa, then aaaaab and so on, all the way up to ZZZZZZZZZZZZZZZZZZZZ.
That’s why it’s a fundamental law of computer security that a long password is a good password. The computation for the hackers trying to crack it increases exponentially for every additional character. A 20-character limit on eBay is bad in itself, but could also be hinting at a deeper problem.
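To make the salting remark and the "every additional character" point concrete, here is an added example (not code from the post or from eBay) of how a salted, deliberately slow hash is stored and checked, and of how fast the exhaustive search space grows. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the 95-character printable-ASCII alphabet and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed example: per-user random salt plus a slow key-derivation
# function, and the arithmetic behind "longer passwords are better".

ITERATIONS = 100_000  # assumed work factor; real deployments tune this upward


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash of the password (32-byte output for SHA-256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Registration: a fresh random salt per user, stored next to the hash.
    The salt is not secret; its job is to make every user's hash unique."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive_key(password, salt)}


def verify(record: dict, supplied: str) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    candidate = derive_key(supplied, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], candidate)


def same_password_same_hash(password: str) -> bool:
    """Two users who choose the same password get different stored values,
    so a hash computed for one user tells an attacker nothing about another."""
    return make_record(password)["hash"] == make_record(password)["hash"]


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length
    (95 = printable ASCII characters, an assumed policy)."""
    return alphabet_size ** length


def growth_factor(length: int, alphabet_size: int = 95) -> int:
    """How many times larger the search becomes with one more character."""
    return keyspace(length + 1, alphabet_size) // keyspace(length, alphabet_size)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "correct horse battery stapel"))  # False
    print(same_password_same_hash("password"))  # False: salts differ
    print(keyspace(8), keyspace(20))  # 95**8 versus 95**20
    print(growth_factor(8))  # 95: each extra character multiplies the work
```

Because the salt differs per user, a precomputed table of hashes for a wordlist cannot be reused across accounts, and the iteration count means each candidate the attacker tests costs roughly ITERATIONS hash operations rather than one; both multiply the cost of the dictionary and exhaustive searches described above, while a longer password multiplies it again by the alphabet size for every added character.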