Hacking Static Passwords

Dawid Czagan
April 8, 2013 by
Dawid Czagan

1. Introduction

The static password is the most popular authentication method. It's also the least secure one. This article describes how static passwords can be attacked and protected. It also presents zero knowledge proof, which can be used to get rid of the static passwords.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

2. Authentication

When the user wants to get access to the system, he typically enters username (identification) and static password (authentication). The authentication can be related with something the user:

  • knows (e.g. static password)
  • has (e.g. token or mobile)
  • is (e.g. iris scan)

Single-factor authentication takes place when only one of the mentioned above things is taken into account while authenticating the user. The strongest authentication uses all of them and is called three-factor authentication.

3. User vs. password

When the attacker gets the password of the user, he can use it within its lifetime. Many people never change the password. Then, the attacker can impersonate the user for an unlimited time. It isn't much better when the organization changes passwords every month. It still gives the attacker a lot of time to perform malicious actions.

People are advised to use strong passwords (a long mixture of lower and upper case letters, digits, special characters; the more random it is the better), which should be unique for every system. This is fine from security point of view, but unusable from a user point of view. As a result, people take the passwords down, stick them on the monitor or hide under the keyboard. They also use the same password for different systems. When this is a case, the attacker can automatically impersonate the user in many places.

4. Plaintext vs. hash

Passwords are sometimes stored in plaintext. Then the attacker knows the password instantly after breaking in (via SQL injection for instance). That's why it's better to store a hash of the password, which is denoted by H(P) in the article (H - hash function, P – password). The ideal hash function is irreversible (the attacker cannot get the password from the hash) and there are no two different passwords P1 and P2 such that H(P1) = H(P2).

Let's assume that the hash of the password is stored in the database. The user enters his username and password to authenticate. The hash of the entered password is calculated and compared with the hash stored in the database. If they match, the user is authenticated.

5. Brute force, dictionary attack and pre-calculated dictionary attack

Let's assume that the attacker has the hash of the user's password. The hash is irreversible, but the attacker can try to calculate the hash of every possible password combination (brute force approach) and compare with the hash of the user's password. The advantage is guaranteed success (finding the right password). The drawback is that it is a very time-consuming process.

It's probable that a typical user is frustrated about password best practices and uses a pattern for the password (for example a common word and a digit appended at the end). Then the attacker can build a set of common words concatenated with a digit (an exemplary pattern in the dictionary) and try every combination from this set. This approach (dictionary attack) can save time of the attacker, because he doesn't have to brute force the whole key space. The disadvantage is no guarantee to find the right password. However, the probability of hitting the right password is quite good taking into account what passwords people often choose.

The attacker doesn't have to start the computation from scratch every time he wants to find out the password. There are pre-calculated dictionaries (e.g. rainbow tables) that store probable passwords in plaintext together with their hash values. Then it is enough for the attacker to check if there is a hash in this storage that he is looking for.

6. Salting

The salt (denoted by S in the article) is a long mixture of random characters stored in the database (plaintext). In addition, H(P+S) is calculated and stored in the database where the sign '+' denotes the concatenation of P and S. The user enters username and password to authenticate. The salt (S) is taken from the database and concatenated with entered password (P). Then H(P+S) is calculated. If it matches the hash stored in database, the user is authenticated.

Let's assume that the attacker got access to the database. He knows the salt and H(P+S). The pre-calculated dictionary contains probable passwords and their hashes. The salt is long and random. That is why the probability of finding H(P+S) in this dictionary is close to zero. This way pre-calculated dictionary attack is prevented.

The attacker who got access to the database knows S and H(P+S) and can perform dictionary attack. He calculates H(PP1+S), H(PP2+S),...H(PPN+S), where PP1, PP2, ...PPN is the list of probable passwords (dictionary). If one of these hashes matches H(P+S), the attacker will find out the user's password.

If there were one salt for every user, the attacker would need to perform the mentioned above calculation once in order to find the users, who have passwords included in the dictionary. That's why it is recommended to use unique salt for every user. Then the attacker has to perform the calculation N times, where N is the number of users. In the meantime, the users can change their passwords when the intrusion has been detected. That's why unique salt for every user is used to slow down the attacker.

It is also possible to add additional salt (denoted by S2 in the article) – the one not stored in the database and common for all users. When the attacker gets access to the database via SQL injection, he can't find out S2. That's why the attacker can't calculate H(PP1+S+S2), H(PP2+S+S2),...H(PPN+S+S2). Consequently, dictionary attack is prevented. It works if the attacker has only access to the database. When the attacker gets access to the machine, he can learn the S2 and perform a dictionary attack.

7. Multiple hashing

The idea of multiple hashing is to slow down the attacker trying to find out the password. The hash function is calculated many times in the loop (for instance N). It makes the authentication longer, but acceptable by the user. On the other hand, the attacker is slowed down by a factor of N. It might also lead to denial of service due to longer processing time.

8. Offline vs. online attack

Hashing and salting are used to slow down the attacker, who broke into the database and knows H(P) or S and H(P+S). Then the attacker launches offline attacks mentioned above to find out P.

The attacker can also launch an online attack – he might try different password combinations (brute force or dictionary attack) in order to get access to the system.

A maximum number of unsuccessful log in attempts can be set. CAPTCHA might be displayed, when this limit is reached or the user's account can be blocked for a pre-defined period. Another option is locking the user's account. These exemplary countermeasures can be used to spotthe intrusion attempts.

9. Password managers

The user doesn't have to remember all passwords. He can use one password (the master password) that encrypts the whole database of passwords. When the user wants to get a specific password, he enters the master password and the storage is decrypted. Then the user finds the password he is looking for. It improves security of the static passwords – the user has to remember only one strong master password and other passwords can be strong automatically (randomly generated).

It is assumed that the user chooses strong master password. Otherwise, the attacker can use dictionary attack to find out the master password, when the database is stolen.

10. Phishing, keylogging, shoulder surfing

Not everyone understands how certificates work. Then it might be enough to send the users a link to a domain not protected by SSL/TLS that looks similar to the legitimate one. Some users will not notice the difference. If they click the link, the attacker will be able to collect their passwords.

Let's assume that the user's machine is infected. The keylogger can learn the user's passwords for many systems while he is authenticating. Then the password manager doesn't help – the malware gets the master password, which gives an access to all passwords.

There might also be people looking over the shoulder of the user to get his password (shoulder surfing).

It is enough for the attacker to get the static password of the user once. Then he can impersonate the user for an unlimited time (when the user never changes the password) or for a specified period of time (when the user changes the password periodically).

11. Zero Knowledge Proof

The authentication server can generate a challenge and encrypt it with the public key of the user. The user is the only one, who can decrypt it, because only he knows the corresponding private key. The user decrypts the challenge and sends it to the authentication server. The authentication server checks whether the challenge it has received matches the one previously generated. If they match, the user is authenticated. This is called zero knowledge proof – the user doesn't have to show the private key in order to prove that he holds this key. Only the user knows the private key. That's why the non-repudiation is satisfied. The private key can be used to get an access to many systems.

Malware might steal the private key from the user's computer. Once it happens, the security is broken. That is why the private key should be stored on a smart card.The private key doesn't leave the smart card while the challenge is being decrypted.

12. Conclusions

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The static password is the most popular and the least secure authentication method. Hashing and salting can slow down offline attacks. Online intrusion attempts can be detected by setting a maximum number of unsuccessful log in attempts. A password manager can improve security of the static passwords. Offline and online attack countermeasures minimize the risk, but don't solve the problem; sometimes users take the passwords down and stick them on the monitor, or have other insecure password management practices. Malware, phishing, shoulder surfing can be used to learn the user's password. Once the static password is caught by the attacker, he can use it within its lifetime. Zero knowledge proof provides non-repudiation and allows the user to get an access to many systems using a single private key, which should be stored on the smart card.

Dawid Czagan
Dawid Czagan

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).