[ISN] eHarmony data breach lessons: Cracking hashed passwords can be too easy

From: InfoSec News <alerts_at_private>
Date: Tue, 10 Jul 2012 04:06:07 -0500 (CDT)
https://www.networkworld.com/news/2012/070612-eharmony-data-breach-260709.html

By Ellen Messmer
Network World
July 06, 2012

Last month the dating site eHarmony suffered a data breach in which more 
than 1.5 million eHarmony password hashes were stolen and later dumped 
online by the hacker gang called Doomsday Preppers. The crypto-based 
"hashing" process is supposed to conceal stored passwords, but 
Trustwave's SpiderLabs division says eHarmony could have done this 
process a lot better because it only took 72 hours to crack about 80% of 
1.5 million eHarmony hashed passwords that were dumped.

Cracking the dumped eHarmony passwords wasn't too hard, says Mike Kelly, 
security analyst at SpiderLabs, which used tools such as oclHashcat and 
John the Ripper. In fact, he says it was one of the "easiest" challenges 
he ever faced. There are many reasons why this is so, starting with the 
fact that the cracked passwords may have been "hashed," but they weren't 
"salted," which he says "would drastically increase the time it would 
take to crack them."

He points out that hashing the passwords with a crypto algorithm is a 
good start to scramble the password, but by adding the "salt" of a 
random string in the process, the "salted hash" is far stronger 
protection. eHarmony was also using the MD5 format, which is considered 
somewhat weak by cryptographers today, Kelly adds.

Another aspect that made the eHarmony password crack so easy is that 
"they were storing the passwords in case-insensitive mode," says Kelly. 
"They eliminated the upper-case letters," he adds, noting that this 
drastically reduced the time to crack them. SpiderLabs acknowledges the 
possibility that the attackers who hit eHarmony may have changed some 
passwords, since no single password was found more than three times. The 
most popular password length was seven characters, SpiderLabs said.
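The two storage weaknesses Kelly describes, unsalted MD5 and case-folded passwords, can be shown side by side with an added example (this is illustrative code, not from the article and not eHarmony's implementation; it assumes PBKDF2-HMAC-SHA256 as the salted scheme and uses constructed sample passwords):

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts (not from the breach); two users chose the same password.
SAMPLE_USERS = {"alice": "Sunshine7", "bob": "Sunshine7", "carol": "tr0ub4dor"}


def unsalted_md5(password: str, case_insensitive: bool = False) -> str:
    """Plain MD5 as described in the article. With case-insensitive storage the
    password is lowercased first, so 'Sunshine7' and 'SUNSHINE7' collide."""
    if case_insensitive:
        password = password.lower()
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256, assumed here).
    Equal passwords no longer produce equal digests, and each guess costs `iterations`."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def distinct_digests(users: Dict[str, str], salted: bool) -> int:
    """How many distinct stored values a user table yields. Unsalted storage exposes
    which users share a password; salted storage does not."""
    if salted:
        return len({salted_hash(pw, iterations=1_000)[1] for pw in users.values()})
    return len({unsalted_md5(pw) for pw in users.values()})


def case_folding_reduction(length: int) -> int:
    """Factor by which lowercase-only storage shrinks a letters-only keyspace of the
    given length: (52**n) / (26**n) == 2**n, so 128x for the 7-character passwords
    the article reports as most common."""
    return (52 ** length) // (26 ** length)
```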

[...]


Received on Tue Jul 10 2012 - 02:06:07 PDT
