For the past few weeks, we have witnessed a record number of compromised user accounts sprouting on the Darknet. Among the victims, social networks seem to be a preferred target (see chart below), as the following data breaches resurfaced: Tumblr (65 million user accounts), LinkedIn (164 million user accounts) and, the hot potato of the moment, MySpace (360 million user accounts). The leaked passwords (except for those registered on Tumblr) have something in common: they were poorly stored, demonstrating disappointing cyber-hygiene on the part of the Web 2.0 giants. Moreover, users who frequently access these platforms are now strongly advised to change their passwords ASAP.
[Chart] Source: Have I been pwned
And the prize for the largest data breach recorded in history goes to… MySpace. From what we know so far, the hacker behind this cyber attack is apparently the same one who is currently trying to sell the database of stolen LinkedIn passwords on a Darkweb marketplace called The Real Deal. Not only is the culprit the same, but the characteristics of the stolen data are almost identical: both databases contain user accounts that are several years old, and the associated passwords can be easily retrieved.
But if these hacks occurred quite a while ago (we still do not know the exact date), why should the topic interest us at all? Even though many of these addresses are invalid by now, some were still found to be valid, and the fault lies undeniably with MySpace and LinkedIn officials, who did not deem it important to better protect their users' sensitive data. That being said, who are the real culprits? The hackers who took advantage of this weakness, or the social networks that used password storage methods incompatible with current standards?
A string of characters cannot protect you…
…as long as it is stored in plain text on your information system. Best practice requires that password storage be made non-reversible. One option is therefore to use an algorithm that produces a unique, fixed-length string from its input. For instance, consider the following toy hash algorithm, which repeatedly adds up the digits of its input (here, 22093) until a single digit remains:
2 + 2 + 0 + 9 + 3 = 16
1 + 6 = 7
It would be highly unlikely that we would stumble upon the original input by reversing the operation: there is an infinite number of inputs that return the same value of '7'.
Obviously, real hashes are much more complex than that. In this case, the passwords associated with the MySpace and LinkedIn user accounts had been hashed with the SHA-1 algorithm. Although this algorithm should, technically, not allow a reverse operation, hackers can very well obtain user credentials by brute force or by launching a dictionary attack (checking whether the hash of a given password has already been computed by someone else).
How, then, should the owners of these social networks have proceeded in the first place?
To avoid having their user data stolen, it would have sufficed to append to the password one or more keys (a process called "salting"). Then, as a second step, hash the resulting string with a stronger hash algorithm, such as SHA-256 or SHA-512 (MD5 and SHA-1 are no longer considered reliable, since cases have been recorded in which two different strings produced the same hash). In that case, if a hacker tried to crack the data using a dictionary attack, the attempt would not go very far without knowledge of the "salt" used.
To raise the level of protection of your password even further, repeated hashing is your best bet. Hash with SHA-256 or SHA-512, then season the result with a salt, and pass the output (the newly obtained hash) through the same hash algorithm again, at least a few thousand times (10,000 or more). This process is more commonly known as "iteration".
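To make the three points above concrete (the unsalted SHA-1 the leaked databases relied on, per-user salting, and iteration), here is an added Python example that is not part of the original post. The record format `iterations$salt_hex$hash_hex`, the user names and the short list of "already discovered" passwords are constructed for the demonstration; the salt-then-rehash loop follows the description in the text and is a simplified stand-in for a standard construction such as PBKDF2.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # lower bound recommended in the text


def sha1_unsalted(password: str) -> str:
    """How the leaked databases stored passwords: one unsalted SHA-1, as hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_iterated(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt + SHA-256, then feed the salted output back through SHA-256.

    `iterations` counts the total number of SHA-256 invocations.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build a storable record in the constructed format `iterations$salt_hex$hash_hex`.

    A fresh random salt per user means two users with the same password get
    different records, so one cracked hash reveals only one account.
    """
    salt = os.urandom(16)
    digest = salted_iterated(password, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, hash_hex = record.split("$")
    candidate = salted_iterated(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Constructed sample data: three users, two of whom chose the same weak password,
# and a tiny stand-in for a public list of already-cracked passwords.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
ALREADY_KNOWN = ["123456", "password", "qwerty"]
KNOWN_SHA1 = {sha1_unsalted(p): p for p in ALREADY_KNOWN}


def exposed_by_unsalted_sha1(users: dict = USERS) -> list:
    """Accounts whose stored SHA-1 can be looked up directly in the known-hash list."""
    return sorted(u for u, p in users.items() if sha1_unsalted(p) in KNOWN_SHA1)


def salted_records_all_distinct(users: dict = USERS, iterations: int = 1000) -> bool:
    """With per-user salts, even identical passwords produce distinct stored hashes."""
    hashes = [make_record(p, iterations).split("$")[2] for p in users.values()]
    return len(set(hashes)) == len(hashes)


if __name__ == "__main__":
    print("unsalted SHA-1 exposes:", exposed_by_unsalted_sha1())      # ['alice', 'bob']
    print("salted records distinct:", salted_records_all_distinct())  # True
    rec = make_record("password")
    print(verify("password", rec), verify("Password", rec))           # True False
```

The loop is the textbook illustration of salt plus iteration; in production you would use the standardized form of the same idea, for example `hashlib.pbkdf2_hmac("sha256", password, salt, iterations)`, whose output differs from the loop above but whose purpose is identical. Note that `verify` reads the iteration count from the record, so the count can be raised for new users without breaking existing ones.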
Your password is like a toothbrush…
You shouldn't let anyone else use it, and you most definitely need to get a new one every six months (cf. Clifford Stoll). Without a doubt, cybersecurity hygiene is a matter that concerns us all, whether we are the CEO of a renowned company or, you know, something else. Without further ado, here are a few golden rules on how best to manage your password:
- Choose a strong password. Social networks might not go through the process of salting and hashing a password, but that doesn't mean that an intelligently crafted one can't delay hackers, even just a little. The minimum requirements are: a password of at least 8 characters, mixing upper and lower case, and including at least one special character or digit. We hope it is not necessary to repeat that your personal password should not hint at any of your real-life traits, preferences or belongings (such as your middle name or the name of your cat). We absolutely want to avoid this kind of situation.
- Pay attention to the way you store your password. Under no circumstances should you write it on a post-it or a piece of paper. If you are using a password manager, you might find this article helpful.
- Change your password as soon as you suspect that your account has been hacked. To find out whether your account has been breached, simply go to Have I been pwned and search for your user credentials. If your account has indeed been breached, change your password immediately. Remember to review all your other accounts where you used the same password.
- Consider alternative methods such as two-factor authentication. This method requires you to enter a unique code automatically generated on your mobile phone.
- Update your OS promptly. An up-to-date system is less exposed to known vulnerabilities and thus prevents hackers from exploiting them.
Good practices exist for every use of an OS and of the Internet within a network; what is lacking is the will to apply them. To help you better identify weaknesses in the immunity of your information system, we released a while ago a white paper on the Top 10 vulnerabilities encountered and how to avoid becoming an accidental hacking celebrity.
Built around a group of security architecture experts and pentesters in 2007, ITrust provides specialized consulting and training in IT security best practices, fostering an elevated cyber-consciousness among users. Just last week, we launched a study in collaboration with the ICT Cluster Digital Place in order to gain a clearer picture of how cybersecurity is perceived in the corporate environment. Want to have your say? Fill out our questionnaire here (available only in French).