MD5crypt Password Scrambler Is No Longer Considered Safe

As reported here recently, millions of LinkedIn password hashes have been leaked online. An anonymous reader writes "Now Poul-Henning Kamp, a developer known for work on various projects and the author of the md5crypt password scrambler, asks everybody to migrate to a stronger password scrambler without undue delay. From the blog post: 'New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES-based UNIX crypt was back in 1995: any 8-character password can be found in a couple of days. The default algorithm for storing password hashes in /etc/shadow is MD5. RHEL / CentOS / FreeBSD users can migrate to SHA-512 hashing algorithms.'" Reader Curseyoukhan was one of several to also point out that dating site eHarmony got the same treatment as LinkedIn. Update: 06/07 20:13 GMT by T: An anonymous reader adds a snippet from Help Net Security, too: "Last.fm has piped up to warn about a leak of their own users' passwords. Users who have logged in to the site were greeted today by a warning asking them to change their password while the site investigates a security problem. Following the offered link to learn more, they landed on another page with another warning."
  • by Anonymous Coward on Thursday June 07, 2012 @11:47AM (#40245301)

    So, if someone steals your database full of hashed passwords, you just call them up and ask them nicely to slow down their brute force?

  • by slim ( 1652 ) <john.hartnup@net> on Thursday June 07, 2012 @11:47AM (#40245311) Homepage

    If you get your password wrong, you can't try again for 1 second. Every failure doubles the time required to try again.

    Why doesn't everyone do that?

    It doesn't help if your attacker has got hold of the list of hashes.

    1. Steal hashes
    2. Brute-force on your own system/cloud/botnet/whatever
    3. Use password

  • by Anonymous Coward on Thursday June 07, 2012 @11:48AM (#40245319)

    The problem is if the hashed password database is recovered (as in LinkedIn). Then you can run hashes as fast as you want to.

    For instance, the SHA-1 hash of "password1" is e38ad214943daad1d64c102faec29de4afe9da3d -- you cannot reverse "e38ad214943daad1d64c102faec29de4afe9da3d" to get "password1", but you can guess things until you get "e38ad214943daad1d64c102faec29de4afe9da3d" and then you know that my password is "password1".

  • by Qzukk ( 229616 ) on Thursday June 07, 2012 @11:50AM (#40245365) Journal

    Why doesn't everyone do that?

    Because whoever downloaded the database of hashes will probably ignore your request that they only check one password per second.

  • by Anrego ( 830717 ) * on Thursday June 07, 2012 @11:51AM (#40245373)

    Indeed.

    The effort to use a more secure hash is generally trivial, but there's still going to be a lot of people who either know and don't, or don't know.

    For the first category, nothing you can do about it. Same people running WEP on their Wi-Fi. They either don't see anyone ever attacking them, are tied in due to old systems, or don't care.

    For the second category, stuff like this may help. I think at this point most people know MD5 isn't as secure as once considered, but I don't think people realize just how insecure it is becoming. In people's minds it's still in the "theoretically, if someone was really dedicated, they could break it" stage, whereas it's actually entering into the "feasible to do it on a large scale" stage. Breaking that perception might speed things along.

  • by bugg ( 65930 ) * on Thursday June 07, 2012 @12:13PM (#40245683) Homepage

    Yes, but slowing down a brute-force attacker by a factor of the cardinality of the set of unique salts will almost certainly be a huge win, especially if the salts chosen are long enough that salt collisions are rare to nonexistent. 6.5 million accounts were compromised; requiring someone to have 6.5 million times as much compute resources to compromise all passwords is nothing to sneeze at.

    Of course, salts don't help you in the case where a well determined attacker isn't after 6.5 million accounts but rather just one specific account, but that's not what they are intended to help with.
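
The two points made above, guessing candidates until a hash matches (the SHA-1 of "password1" quoted earlier) and bugg's observation that unique salts multiply the attacker's work by the number of accounts, worked through as an added example that is not part of the thread. The accounts, the wordlist and the salt || password layout are constructed for illustration.

```python
"""Stolen hash table: unsalted SHA-1 versus per-user salted SHA-1.
Added example (not from the thread); accounts, wordlist and the
salt || password layout are constructed for illustration."""
import hashlib
import os

# Constructed attacker wordlist; "password1" is the value hashed in the comment above.
GUESSES = ["123456", "letmein", "qwerty", "password1", "iloveyou"]
# Constructed victim accounts; alice and carol reuse the same password.
ACCOUNTS = {"alice": "password1", "bob": "letmein",
            "carol": "password1", "dave": "iloveyou"}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def leak_unsalted(accounts):
    """LinkedIn-style table: user -> SHA-1(password), no salt."""
    return {u: sha1_hex(pw.encode()) for u, pw in accounts.items()}

def leak_salted(accounts, salt_len=16):
    """user -> (random salt, SHA-1(salt || password)); salt stored in clear."""
    leak = {}
    for u, pw in accounts.items():
        salt = os.urandom(salt_len)
        leak[u] = (salt, sha1_hex(salt + pw.encode()))
    return leak

def crack_unsalted(leak, guesses):
    """One pass builds a hash -> guess table checked against every account
    at once. Returns (recovered passwords, number of hash computations)."""
    table = {sha1_hex(g.encode()): g for g in guesses}
    return {u: table[h] for u, h in leak.items() if h in table}, len(guesses)

def crack_salted(leak, guesses):
    """The salt is bound into each hash, so nothing is shared between accounts:
    work grows as (#unique salts x #guesses), which is bugg's point above."""
    recovered, work = {}, 0
    for u, (salt, h) in leak.items():
        for g in guesses:
            work += 1
            if sha1_hex(salt + g.encode()) == h:
                recovered[u] = g
                break
    return recovered, work

def distinct_hashes(leak):
    """Unsalted tables also expose which users share a password."""
    return len({v if isinstance(v, str) else v[1] for v in leak.values()})
```

With four accounts and five guesses the unsalted table falls to 5 hash computations, the salted one needs 15, and only the salted table hides that alice and carol share a password.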

  • by msobkow ( 48369 ) on Thursday June 07, 2012 @12:14PM (#40245695) Homepage Journal

    Whether MD5 is "secure" or not is irrelevant.

    Machines that are accessed by users should not be the same servers storing the account security data. One of the key benefits of domain authentication provided by Kerberos and its relatives is that the authentication data is isolated on a server that is supposed to be doing nothing but authentication and authorization.

    That makes it damn hard to break into the security server to steal the password lists in the first place, regardless of what algorithms are used to hash the passwords. The problem is a poorly designed system, not a poorly equipped algorithm.

  • by tobiasly ( 524456 ) on Thursday June 07, 2012 @12:28PM (#40245877) Homepage

    First of all, WTF is a "password scrambler"? If you feel the need to dumb down the phrase "hash algorithm", you're probably submitting to the wrong site.

    I LOLed at this article[1] on ZDNet this morning for its sensationalist, lowest-common-denominator "OMG computer hackery stuff" reporting, with its implied link between MD5's weakness (which has been known for years) and the LinkedIn breach (even though they use SHA1), and its ridiculous accompanying screen cap (running user-space tools while logged in as root, which no security-minded user would ever do, but hey "root@" at a shell prompt with lots of hackery output looks l33t).

    And now here's basically the same thing on Slashdot. Yawn...

    [1] http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317

  • by Anonymous Coward on Thursday June 07, 2012 @01:32PM (#40246747)

    Not really. Password reuse is so ubiquitous that cracking those hashes is still worth something. If someone has the same password on FooBar.com as they have at their bank, or on Facebook, or on $PICK_YOUR_POISON, cracking the hash at FooBar.com just gave the attacker the keys to something a lot more useful.

    Hell, it's so widespread that attacking little piss-ant sites is worth it specifically to get a bunch of passwords to try elsewhere. At that point, the fact that your server's been pwnt is the least of anyone's problems...
