Computer security is one of the hardest things in computer science and engineering. It’s easy to make software today, anyone can do it. Though, not everyone knows how to develop security into their software. Every week I come across insecure solutions and it frightens me, it gives me the willies.
Was looking for a provoking title for this post as I want people to read it. I hope it worked and please keep on reading.
Today I only want to touch upon one issue; passwords. This is an area that affects every one of us and is pretty easy to explain. If you’re a software developer and you read this, make sure you don’t make the same mistakes. If you’re a consumer, make sure you tell your service provider that they need to change their practices. This is a major industrial issue, please raise your voice. If you have little time, please skip forward to the “Learn by Example” section.
Stubbornness or Cluelessness?
Whenever I come across a web site that has a potential secure issue, I contact the offenders and try to explain the problems I’m seeing.
A lot of time, I’m only meet with ignorant support personal that doesn’t understand what I’m saying.
That’s OK, I’m a pretty technical guy and I don’t expect everyone to understand this, there’s no reason for it. But, when they for some reason argues with my request to forward my message to someone technical and responsible for security, I’m baffled.
Many don’t seem to take their customers privacy seriously, and they are reluctant to react to issues.
Next time you come across a web site that has problems, like those I’m about to elaborate, I hope you take the time to let them know you won’t use their service until they improve their systems. What does all of this have to do with Tom Cruise in the photo? I found him when I searched for a tech support photo and he looks just like a tech-support
Username and Password
In the beginning of the computer industry, we rarely cared much for the security on our local machines. We shared the same user accounts and we mainly used different usernames to individualize the computer. We were disconnected and the way we distributed software was with diskettes and later on using CD-ROMs.
The information we stored on our computers was often school and work related, it didn’t contain much personal details or communication. No matter what you put on the computer’s hard drive, it required someone to physically steal it to peek at your data.
Then came the local network, where we hooked up computers in offices and with our friends for a LAN party. Information was spread freely on the networks, sharing games, videos, music. Just as we previously burnt CDs and recorded tapes with music and videos on VHS, we could now share our stuff must quicker and more cheaply than ever before.
Enter the Internet.
Suddenly our local insecure computers are connected to the online digital world. A myriad of software and services was created, in a global mess of information that makes it impossible for anyone to really know who or what you can trust. And everyone want your username and password, it’s their way of distinguish You from Me.
We’ve all heard the lesson that you should make sure your password is a hard one to guess, yet many of us have a hard time coming up with any sensible password that we’ll remember easily. It’s also important to don’t reuse the same password everywhere. As you will understand if you read on…
Please enter your username and password, and we’ll open the door for you and let you into our fine establishment. That’s how it starts, if you’re not already registered on the web site you’re required to fill out, often an extensive, form that tries to capture some personal details from you. Part of this process is filling out your username of choice, password and email address.
This is where the problems starts…
Let’s start with Google’s GMail as our first example. Creating a new account involves filling out the first name, last name, desired login name and password. Additionally, Google wants’ you to pick a “Security Question”? What’s the purpose of this, you might wonder? Does this make you more secure? No, it doesn’t.
There are only four default security questions proposed by Google, and they have a help page that explains what type of question and information you should avoid. Things like your mothers maiden name and other information that is easily discoverable about yourself. You can write your own question, but my advice is to completely forget about the security question, it’s way to easy to put something that someone can guess or figure out.
Then we have a field called secondary email. This is a very nice solution to be able to restore access to a new email account, it’s better than the security question.
If we look at how we humans work, you’ll quickly see that most of the time we will fill out all fields in a registration form, even though we probably don’t need too.
So the issue with this Secondary email field is the following: People without existing email addresses might fill out something in this field, just because they intuitively think it’s required information.
Important: Always make sure you enter the correct email address.
Let me give you a very scary example on what might happen if you write wrong email address when registering a new Gmail account (please excuse the screenshot being in Norwegian).
As the above screenshot is in Norwegian, I will just quickly explain it.
It’s a confirmation email you receive from Google with a confirmation code that is used if you have any problems with your account in the future, for example if you loose the password. I have received multiple of these emails. With this information, I can take over someone else’s email account and read all their communications.
You should be and this is only the beginning… I receive invoices, usernames, passwords, photos, personal messages and what not…
Phone subscription invoices…
Lego account activation… what if your kid filled out personal details, like their full names, address, birth date and other details? That information will be accessible by the person who receives this email.
Online Game registrations that sends passwords in clear text…
Property descriptions… that probably was suppose to go to someone, somewhere…
I could be a Gladiator… I loved the movie, I already hate the online game… and you can see why I hate it.
Love to watch photos… especially the dull and boring family photos from last Christmas.
Guess he won’t see that flat after all…
I’ve received invitation to board meetings, mobile MMS messages sent by mail, photos, responses to job applications, all kinds of crazy stuff. Let me give an example where I actually, for the purpose of this article, click the activation link just to see what kind of information I could stumble upon.
Learn by Example
Disclaimer advisor: I would never try to hack or steal anything from anyone. My intentions in this example is only to show how vulnerable you can be when a service provider doesn’t care about your personal information safety. This is the first and only so-called activation link I’ve clicked that did not belong to me. When I went through with this example, I was scared how easy it was and it was only one of potentially many examples I could do. I had to censor the names, details, URLs to protect the innocent.
1. You register on a website, by filling out your personal details. Potentially information like full name, home address, phone number and finally your password. Which you probably used before on another website as well.
2. This is where things get’s problematic, I own the email address that the user supplied. If I where an evil system administrator, I could potentially steal this email as it hits the servers. There are many ways I could potentially get hold of the specific email or the users email account. Do never presume that your emails are secure.
3. Someone receives your confirmation email about your account. Sometimes this email contains the original password in clear-text. Sometimes it require you to activate the account to “prove” that you are the owner of the email account.
4. After clicking the activation link, I come to the website. Some services actually automatically log you in at this step. This service did not, so I had to use the “recover my password” functionality.
5. I then receive email with a password. Some service will NEVER expose your original password, which is what they never should. When you forget your password, a service should return you an auto generated password. The service in question, returned me the original password that another person had used.
6. Login to the website and check out the users profile too see if there is any interesting information. What I got from this service was full name, birth date, phone number and at the end, there is a empty field for bank account number.
7. I was surprised to see there is a password and confirm password text field on the user profile page. It made me think that possibly the website renders it’s users passwords in the HTML source. And surely they did.
8. I know have this individuals full personalia. Since I have the persons phone number, I can validate that everything is correct, and it is. There are so many ways one can utilize this type of information. The person had an income of approx. $53,000 in 2007, thanks to the public Norwegian tax lists. I know what interests he has and what he looks like, from his Facebook profile photo.
9. I’m not going to take this any further, what I potentially could do is to login to the individual’s Facebook account, as he is probably using the same password there…
The scary part of this whole example is that this was done using an online auction website, which probably have a lot of traffic and users. There are just so many security mistakes done on this example that I’m not believing it. They handle VISA and MasterCard transaction, they don’t use HTTPS/SSL for anything. They have probably outsourced the VISA/MasterCard transactions, I hope.
Can you consider what would happen if their database was stolen, with all this information available for all their customers?
Clear Text Passwords
This is the most common mistake made by developers, and it amazes me that there are services out there that still relies on storing your password in clear text. Let me illustrate how this works.
1. User enters a web service and registers with the credentials.
2. Credentials are sent over the Internet, often over an secure HTTPS (SSL) connection. Never fill out important information on an HTTP connection.
3. Credentials are stored in the database.
4. The user comes back to the website to authenticate, password is again sent to the web service and it’s validated against the value that is stored in the database.
When you have trouble remembering your password, those services that store your password as clear text, often allows you to retrieve insecurely them by email. Just because you can’t retrieve the password by email, doesn’t mean it’s stored securely, it can still be clear text in the database somewhere.
Secure Password Communication
With the above example in mind, I want to quickly give you an example on how the web service should handle your passwords securely.
1. User enters a web service and registers with the credentials.
2. Every data is sent over a secure HTTPS connection.
3. The web service generates a non-reversible hash based upon your password and any type of hidden secret (algorithmic salt).
4. The hash of your password, which is not reversible except with an awfully powerful computer and a lot of time, is then stored in a database.
5. The user comes back to the websites to authenticate, password is again sent to the web service, but this time it will generate the hash all over again, retrieve the existing hash from the database, and compare those two values. If they are the same, you are authenticate.
There are absolutely no reason why a service provider should require to store your password in clear text. If they have a reason, it better be a very good one.
A lot of web services demands that you enter a fixed password length, sometimes between 4 to 12 characters (Finn.no) and American Express has limited your password too 6-8 characters. Characters and numbers is required, not sure if they allow non-ASCII characters. You don’t need to be a mathematician to understand that a brute force attack on American Express is easy, considering the requirements for user passwords.
You’ve been Hacked!
How do you know that your service has not been hacked or leaked customer details? Every month there are news stories about information that has been lost and systems taken down by hackers. I promise you that we’re just seeing the tip of the iceberg in this regard. Do you really think that hackers will tell anyone that they’ve gained access to your information?
Spotify was recently hacked and they published a letter to all their subscribers. Luckily for us users, they follow best practices and did not store your passwords as clear text, only as an cryptographic hash. This ensured a minimal consequence of Spotify being hacked. There is today more than a million users on Spotify, consider the consequences if they didn’t do security properly?
If you uncover a service that has a potential to leak any personal information, please inform those in charge and make sure they change their practices. I do it all the time, and it does make a difference.
That’s it and make sure you follow some best practices regarding your passwords.
Copyright disclaimer: “Passwords are like pants” photo by Richard Parmiter and licensed under Creative Commons. Photo of "Tom Cruise by banky177 and licensed under Creative Commons.