Sunday, 16 February 2014

Kickstarter and passwords....

Don't groan and hit 'next' on this one either, 'cause it's important. Even if you're not a Kickstarter user.

The following turned up in my email last night:
Important Kickstarter Security Notice
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password.
The bit I'd like to emphasis is this[1]:
Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
"Enough computing power?" You're almost certainly using it to read this blog. Given a dictionary and a list of encrypted passwords, it's relatively trivial, especially if you know what encryption method is being used (which if not, it's probably pretty easy to figure out).

Why? Because you don't need to break the encryption[2]. All you need to do is what the site[3] does when it checks your password when you log in: encrypt what you type, see if it matches what's stored. If you encrypt the whole dictionary that way, and compare it against your list of stolen passwords? Watch the matches drop out. In fact? You don't even need the dictionary. Take a list of passwords from say, here, encrypt those... Of course, if you're serious about cracking passwords, you can do better yet.

I can't stress what the KS folks say enough but I'll add to it:

  • Change your KS password now. Don't assume its secure just because it isn't a dictionary word or one of the top 100 bad ones!
  • If you use that password anywhere else, change it there. Some lowlife out there now has a list of email addresses and encrypted passwords. If yours is one they cracked, where else can they log in?
  • Pick more secure passwords everywhere as a matter of course. Because KS wasn't the first, and won't be the last. Your basic two choices are non-dictionary words (and don't just change letters to numbers, either!) or a passphrase... 
  • If you have trouble remembering passwords, use a password manager like 1Password (which will also generate highly-random passwords for you) or similar. 
  • If you use a password manager, for heavens sake make sure the one password you DO have to remember (namely its own password for its password store!) is both secure and one you can remember.


[1] Yes, people with IT backgrounds, I'm oversimplifying :D But unfortunately, so are a lot of web-site developers.
[2] In fact, you'd be daft to try. Most password 'encryption' algorithms are intentionally one-way for sane levels of computing power, i.e. you can't get the plain text given the encrypted text. Your mileage may vary if you're the NSA or GCHQ[5].
[3] Assuming the site is not so stupid as to store your password in clear[4].
[4] In case you'd ever wondered why you normally have to reset your password, rather than get the site to send you a new one? This is why. Because any sensible site doesn't KNOW your password. It only knows what it encrypts to, using a 'one-way' algorithm.
[5] *smiles* *waves*

9 comments:

  1. The good news is, as soon as you log in, they have a big button at the top of the page to take you to their "Change Password" page. It also says that they highly recommend you change it due to the data breach.

    ReplyDelete
  2. A good modern hashing algorithm is reasonably resistant to dictionary cracking by requiring significant computational effort, but mostly people don't use them. See Wikipedia on KDFs. And yeah, there are still sites out there using clear password storage.

    ReplyDelete
    Replies
    1. Hence my point about most websites still working at the simpler end of things. :D

      Delete
  3. This was a distressing email to read this morning, and a helpful blog post to read this afternoon. Changing my PW as soon as I finish this,
    It's distressing how frequently this sort of thing now seems.

    ReplyDelete
  4. Passwords are a minefield.

    We expect everyone who is not in IT to be able to form and remember strong passwords.

    But we also expect everyone to have and use the wonders of the Internet.

    Surely the time has come for a better solution to security on the internet.

    Even banks give us the appearance of security by making the process complicated.

    This again just encourages poor behaviours.

    Finally how many computers have you seen with post-its stuck on them and wonder why a national database of patient records is doomed.

    Remember even biometrics are just a string of data that can be intercepted and copied!

    ReplyDelete
  5. Password reuse - http://xkcd.com/792/
    Strong passwords - https://help.ubuntu.com/community/StrongPasswords
    "Enough computing power" - especially gamers with powerful GPUs - modern brute force search against simple hashing is scarily fast: http://www.codinghorror.com/blog/2012/04/speed-hashing.html https://password-hashing.net/

    Kickstarter passwords were at least salted before repeated hashing, so you can't compare against the whole list, you have to do them one at a time.
    (Yes, I know you said you were oversimplifying. And yes, it's more than some developers manage - Adobe for example: http://xkcd.com/1286/
    http://nakedsecurity.sophos.com/2012/11/15/cracked-passwords-from-alleged-egyptian-hacker-adobe-breachegyptian-hacker-allegedly-breached-adobe-leaked/ )

    ReplyDelete
    Replies
    1. Salting doesn't make it that much tougher, and if you restrict yourself to the 500 worst list you probably still get a ridiculous number of hits :D

      Delete
  6. The problem is that it's not just a question of remembering a few passwords. Virtually every site now wants you to have a password I literally have hundreds of sites that need a password. I've changed my Kickstarter one but I have no idea how many other sites I have used it on.

    ReplyDelete
  7. There are many sites that I do not use regularly (nor expect to) where I don't try to remember the password.

    Just rely on the password reset email everytime!

    ReplyDelete

Views and opinions expressed here are those of the commenter, not mine. I reserve the right to delete comments if I consider them unacceptable.

If you don't have a Google account, but do have a Yahoo! or LiveJournal account, read this post, which will explain how you can comment using that ID.

Comments on posts older than 7 days will go into a moderation queue.

Related Posts Plugin for WordPress, Blogger...