I Hate To Send This Email

  • Comments posted to this topic are about the item I Hate To Send This Email

  • This is something that does not seem to get talked about much when it comes to reports of logins and passwords being stolen, but how are passwords being stolen? In 2017, is anyone really storing passwords unencrypted?  Or are the hackers able to decrypt them? (This should not be possible - there are ways of encrypting for which decrypting gives an ambiguous/multiple solution, and these should be used for passwords.)  You never need to decrypt a password.  You encrypt the original.  For validation of log-in attempts, you encrypt the attempt the same way.  You check the encrypted attempt matches the encrypted original.  You never need to store unencrypted passwords.

  • Passwords should be hashed, not encrypted.  Encryption is reversible, so is for places where you need to get the original data back. Passwords aren't one of those

    Yes, some are still storing passwords in plain text, or using weak hashing algorithms like MD5 that are trivial to brute-force test.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • GilaMonster - Thursday, March 23, 2017 4:22 AM

    Passwords should be hashed, not encrypted.  Encryption is reversible, so is for places where you need to get the original data back. Passwords aren't one of those

    Yes, some are still storing passwords in plain text, or using weak hashing algorithms like MD5 that are trivial to brute-force test.

    Is there an overview of hashing somewhere that you like?

  • GilaMonster - Thursday, March 23, 2017 4:22 AM

    Passwords should be hashed, not encrypted.  Encryption is reversible, so is for places where you need to get the original data back. Passwords aren't one of those

    Yes, some are still storing passwords in plain text, or using weak hashing algorithms like MD5 that are trivial to brute-force test.

    A salted hash at that!!!

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Robert Sterbal-482516 - Thursday, March 23, 2017 5:11 AM

    GilaMonster - Thursday, March 23, 2017 4:22 AM

    Passwords should be hashed, not encrypted.  Encryption is reversible, so is for places where you need to get the original data back. Passwords aren't one of those

    Yes, some are still storing passwords in plain text, or using weak hashing algorithms like MD5 that are trivial to brute-force test.

    Is there an overview of hashing somewhere that you like?

    The following are reasonable:

    https://blogs.msdn.microsoft.com/ericlippert/2005/01/28/you-want-salt-with-that-part-one-security-vs-obscurity/
    https://blogs.msdn.microsoft.com/ericlippert/2005/01/31/you-want-salt-with-that-part-two-we-need-a-hash/
    https://blogs.msdn.microsoft.com/ericlippert/2005/02/03/you-want-salt-with-that-part-three-salt-the-hash/
    https://blogs.msdn.microsoft.com/ericlippert/2005/02/07/you-want-salt-with-that-part-four-challenge-response/

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga - Thursday, March 23, 2017 5:41 AM

    GilaMonster - Thursday, March 23, 2017 4:22 AM

    Passwords should be hashed, not encrypted.  Encryption is reversible, so is for places where you need to get the original data back. Passwords aren't one of those

    Yes, some are still storing passwords in plain text, or using weak hashing algorithms like MD5 that are trivial to brute-force test.

    A salted hash at that!!!

    If we're going to be picky, a salted hash, applied many, many times.
    This is a decent discussion on hashing for passwords: https://www.troyhunt.com/our-password-hashing-has-no-clothes/

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • In many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.

    ...

    -- FORTRAN manual for Xerox Computers --

  • jay-h - Thursday, March 23, 2017 6:25 AM

    In many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.

    That's why a (salted) hash should be used and encryption avoided.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • john.riley-1111039 - Thursday, March 23, 2017 3:32 AM

    This is something that does not seem to get talked about much when it comes to reports of logins and passwords being stolen, but how are passwords being stolen? In 2017, is anyone really storing passwords unencrypted?  Or are the hackers able to decrypt them? (This should not be possible - there are ways of encrypting for which decrypting gives an ambiguous/multiple solution, and these should be used for passwords.)  You never need to decrypt a password.  You encrypt the original.  For validation of log-in attempts, you encrypt the attempt the same way.  You check the encrypted attempt matches the encrypted original.  You never need to store unencrypted passwords.

    A few thoughts.
    Is anyone storing passwords un-encrypted?
    I would assure you some people are. There's plenty of software (Web apps, mobile, etc.) written in 2011, 2010, 2009, 2008, etc.  that hasn't been updated. Hard for some to update databases. I would hope this is the minority, but I would never take that bet.

    Or are the hackers able to decrypt them?
    Yes, certainly some people use symmetric encryption. Some use one way hashes. Some use certificates or strong asymmetric encryption. Doesn't matter. Decryption without keys is always possible, just a question of time and resources. Even if you get multiple solutions, which implies collisions one way or the other. If two passwords can produce the same encrypted text, that's bad. It means I have twice as many chances in guesses to get the password. Plenty of people have one way hashes with this value:
    0x5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    Can you decrypt it? I bet more than a few of you can tell me what password that is in a few minutes.

    Strong computational powers mean that an 8 character password that we thought was strong in 2010 is no longer strong. I use 12, and am thinking to go to 16, but so many sites have issues with my random, generated passwords. I use separate passwords for every site (finally convinced my wife to as well) because of password loss from sites.

    I wish everyone would allow unicode: https://blog.codinghorror.com/password-rules-are-bullshit/

  • jay-h - Thursday, March 23, 2017 6:25 AM

    In many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.

    +100

    There are people like my Mom that use the same password over and over. Bad choice.

    At least  one of my kids has learned.  He uses  patterns on his phone and a 20+ password for his computer and email.

  • Steve Jones - SSC Editor - Thursday, March 23, 2017 10:47 AM

    Plenty of people have one way hashes with this value:
    0x5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    Can you decrypt it? I bet more than a few of you can tell me what password that is in a few minutes.

    https://www.google.com/?gws_rd=ssl#q=0x5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8&*

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • When I was studying, my student email account got hacked.
    It was not a pleasant experience and left a bad taste in my mouth...

    Since then I have become more vigilant in on-line security using (off-line) password management software.
    But still - there are more than 50 unique services and/or websites in that list.
    And pretty much none of them enforce some sort of password expiry.
    TeamViewer stepped up their security recently, but only after they got hacked.

    Microsoft Azure offers single-sign-on across multiple applications using your company's active directory.
    My question is: How safe is this?

  • I would say not only are many organisations storing unhashed/salted/encrypted passwords, the majority of organisations are doing this (based on my consultancy experience, anyway). This is one of those things developers shove in quickly, then never come back - a classic case of technical debt, albeit one that could destroy your organisation.

    Steve's point about most people using the same password over and over is all too true unfortunately. The sheer number of things we're expected to sign up for these days doesn't help...I recently completed an inventory of my online user accounts (prompted by the death of a cousin who left no details behind), and I found I'm registered with around 60 sites...and they are just the accounts I managed to remember. Scary stuff...and yes, I use a different password for each of them.

    I wanted to pick up on the point about organisations not restricting password length...can you believe Microsoft limits you to a 16-character password on Office 365? Specifically, between 8 and 16 characters. Not good. Come on Microsoft, take the lead and sort this out!

  • Steve Jones - SSC Editor - Thursday, March 23, 2017 10:47 AM

    A few thoughts.
    Is anyone storing passwords un-encrypted?
    I would assure you some people are. There's plenty of software (Web apps, mobile, etc.) written in 2011, 2010, 2009, 2008, etc.  that hasn't been updated. Hard for some to update databases. I would hope this is the minority, but I would never take that bet.

    There are plenty of brand new applications that store password in clear text. Not hashing and salting passwords is almost as common as ad hoc queries allowing sql injection. One of the biggest issues in my mind is education. So many people want to get into IT because of the pay. This has caused lots of universities world wide to expand to IT programs. And sadly, the "professors" don't have the knowledge or the ambition to teach students the right way to develop applications. It is a vicious cycle because any good Developer/DBA will not go teach at a university because the pay is drastically lower than working in the field. Then we continue to get under-educated graduates into the field and the problem continues.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

Viewing 15 posts - 1 through 15 (of 21 total)

You must be logged in to reply to this topic. Login to reply