Link: Light Blue Touchpaper » Blog Archive » Google as a password cracker.
Just when you think it’s safe to go back in to the water… here’s an post I ran across via Slashdot, about using Google as a password cracker.
The Slashdot writer posts "A security researcher at Cambridge, trying to figure out the password
used by somebody who had hacked his website, ran a dictionary through
the encryption hash function. No dice. Then he pasted the hacker’s
encrypted password into Google, and Shazzam — the all-knowing Google
delivered his answer. Conclusion? Use no password any other human being
is ever likely to use for any purpose, I think."
So let me take a couple of minutes to talk about why this is important, and maybe decrypt (no pun untended) the geek speak.
Ok, so we use passwords to authenticate to systems of all sorts, right? You have ATM PINs, passwords for your Email, passwords for your online banking, right? So how do you know if those passwords are secure, and not stored somewhere where someone can get keys to your kingdom? Well, this is traditionally done like this; the passwords themselves aren’t stored on a typical system, but the "fingerprint" of the password is.
The way this works is through something called a one-way hash routine. This basically is a mathematical formula that creates a unique "serial number" from the text that was given to the formula, something like this:
(My Password as Text) -> (Magical Mathematical Hash Formula) -> (Unique Serial Number)
This is important because there is mathematically very little chance that the password text can be "guessed" from the number produced by the formula. And when I mean "very little chance" it means a 1 in the total number of stars in the universe chance of guessing the password, the formula is THAT secure. That’s why it’s called a one-way hash function, because as a practical matter, it can’t be reversed.
Okey dokey, so what does this mean in terms of this article? Well, we know that this formula is secure, so the only way to "guess" your password is through something called a "brute-force" attack, that basically means that I as a hacker will assume that you’re using a weak password; maybe a word in the dictionary, maybe your child’s name, maybe the name of your favorite football team, anything that can be easily guessed; then I just run through EVERY COMBINATION of EVERY WORD until I get a hit, and the system I’m hacking "unlocks."
Going through this process of guessing passwords can take a VERY LONG time (obviously). But what if I had a database of the most commonly occurring "serial" numbers and a cross-reference of the passwords that belong to them? Well, then I don’t have to try to reverse-engineer the password from the serial number using the hash formula, AND I don’t have to GUESS passwords until I "unlock" the system. I can just look up the "serial" number in a database and viola! suddenly I have the password.
"Wow," you might say, "that’s got to be a REALLY big database to contain the serial numbers and passwords for EVERY combination of common words, names, and phrases." That’s absolutely true, and who would have a collaborative database THAT large? Enter Google. Google is essentially the "Encyclopedia Gallactica" of the ENTIRE Internet web space. If it’s on the web, it’s in Google’s database, including the websites of hackers with this type of published information. The thing that makes Google such a powerful tool for you (presumably the good guys), is the very thing that makes it a powerful tool for the hackers (presumably the bad guys).
This is an interesting point, because the Google database is neutral, it really is, it isn’t "good" or "bad," it’s amoral. And it’s for THAT very reason, that YOUR password security is YOUR responsibility! Just like the FLICKR photos of your drunken adventure from college, Google probably has the serial number for the password you’re using for online banking at Citibank.
So how do we combat this? Well, there are a couple of things we can do:
First, use reasonably complicated passwords, I won’t go in to details here because I don’t want to give anybody any ideas, but using both letters and numbers are key.
Second, use passwords that are the maximum length available, if it’s 10 characters, use 10 characters, if it’s 50, use 50.
Third, change your passwords regularly.
Finally, use different passwords for different systems, this doesn’t eliminate the problem, but if your password is compromised it can help minimize the impact.
I know all of this sounds like a lot of work, but cyber-theft and identity theft is a real threat, and you’re really just protecting yourself. Can we eliminate the threat? No, not really, but with some amount of work, and a little diligence, you can minimize the risk.
"The price of freedom is eternal vigilance." -Thomas Jefferson.