Advice Salting passwords

[Access Denied]

My mate has salted his password and won't tell me how to do it, the bastard. So I'm asking you guys. How do I go about salting my password so even if someone manages to decrypt the MD5 it'll just give them a useless word?

 

[caLLous]

He has salted his own password? I thought it was something that the server does when storing users' passes. Adding a "salt" to the start (or end, or whatever) of the stored pass so it won't be susceptible to "rainbow (and other) attacks".

 

[Deebs]

Whatever you do do not use MD5! Use a decent hash like SHA256 or better yet bcrypt with a good number of rounds.

 

[Raven]

If you want to look after your own passwords, use something like lastpass. But unlike me, write down your lastpass password and store it somewhere safe!

 

[caLLous]

Lastpass + Google Authenticator for me.

 

[SheepCow]

Normal way when using salts is to generate a random salt (e.g. "arseface"), hash it, add the password on the end, hash it, save the salt and the final hash.

You can do more original things, like spread the salt out. There is no way to "decrypt" MD5, it's not encryption it's hashing - but as Deebs implied, there are many MD5 rainbow table websites about (rainbow table is where somewhere has put every combination of everything through MD5 and stored the result, then if you give them a result they can just look up what hashed to it)

 

[Access Denied]

Hmm, interesting replies. I was under the impression that hashes of say 20 character words would take far too long to crack. Like a lifetime.

 

[Deebs]

Not really especially when you can build a brute force system capable of doing billions of passwords per second for around £2000. The only secure system is to use one that implements password stretching (aka work rounds) which can introduce delays into bruteforce. Something like bcrypt

 

[Access Denied]

Meh, tbh I'm quite happy with my current password. 23 characters long, upper-case, lower-case, letters, number and special symbols. Just thougth maybe I could make it much harder to crack with little effort.

 

[Killswitch]

Meh, tbh I'm quite happy with my current password. 23 characters long, upper-case, lower-case, letters, number and special symbols. Just thougth maybe I could make it much harder to crack with little effort.

I'd be tempted to change it now! If an attacker knows how long your password is, it severely reduces the number of passwords they need to try to bruteforce it

 

[Access Denied]

Yeah but I didn't say what it was the password for did I? I have 5 different passwords!

 

[Keitanz]

I dunno why people are so security crazy over passwords... I can understand things to do with money, but having ridiculously long passworrds for games etc is a tad over the top..

 

[Embattle]

Meh, tbh I'm quite happy with my current password. 23 characters long, upper-case, lower-case, letters, number and special symbols. Just thougth maybe I could make it much harder to crack with little effort.

Do you really have anything that would make any one waste so much time on trying?

 

[Deebs]

I dunno why people are so security crazy over passwords... I can understand things to do with money, but having ridiculously long passworrds for games etc is a tad over the top..

What about for those games which require a subscription and hold your billing information?

 

[Deebs]

Do you really have anything that would make any one waste so much time on trying?

Bank account maybe?

 

[Raven]

I dunno why people are so security crazy over passwords... I can understand things to do with money, but having ridiculously long passworrds for games etc is a tad over the top..

Not really, not when it contains your billing details, home address etc etc.

I would be pretty pissed off to lose any of my MMO accounts and I would be bouncing off the walls if I lost my steam account with 250 odd games on it.

 

[caLLous]

Yeah with Lastpass it just makes it easier. If I sign up for Facebook or gmail or <insert site that needs registration here> it's easier and more secure to have Lastpass generate a fixed length password (16 char, 32 char, etc) with caps, lowercase, numbers and special chars for each site and use my one special password to unlock it than it is to use the same password for each and every site. Especially with two-step verification (using a yubi key or keyfiles or google authenticator or whatever).

 

[Killswitch]

Not used Lastpass but it seems very similar to KeePassX which I use. What I'm waiting for is for a standard for password complexity (so that all sites support special characters and suchlike). Then the browser could detect a password field and automatically hash the entered password (using the domain name and a "browser unlock" password as a salt) and submit that to the server. Your actual password never leaves your PC.

That way you could use simple passwords and/or the same password for every site. Then if some idiot was storing your password unencrypted or you logged into a non-SSL site at a public hotspot and a bad guy stole it, they'd still only have your password for that one site.

For example, let's say my password of choice is "kittens" and I use it everywhere. My browser unlock password is something a bit more complex like !rZ&Ma5h (bangers and mash! geddit?!?). I register on forums.freddyshouse.com and type "kittens" into the password field. The browser recognises it's a password field and so hashes my password "kittens" with the salt "!rZ&Ma5h+forums.freddyshouse.com" and submits the resulting password "$1$hhugiqoc$rcsnku1qxdbxyee1uaeee0". If I then register at www.mybank.net, the password the browser submits is "$1$q4g0pw4c$cue1wky9qgrodmex3p1j3/".

So I need to know a single complex password and a single simple password. I enter the complex password once when I sit down at my PC and then enter my simple password at every site. I can even let my browser remember my simple password safely.

 

[Keitanz]

What about for those games which require a subscription and hold your billing information?

It's not like you can login someone's Dark age of Camelot account and see all their credit card details to access their account though is it? though that may be the case, I may have just never seen it :O

 

[Keitanz]

Not really, not when it contains your billing details, home address etc etc.

I would be pretty pissed off to lose any of my MMO accounts and I would be bouncing off the walls if I lost my steam account with 250 odd games on it.

I agree about Steam, but that's why I still have the code thing enabled on my account.. so if someone from another computer tries to login, it requires a key which Steam sends to me email, so they need to get both my email password and steam password..

But anyway, if someone was really determined, it doesn't really matter how secure your password is, they will always be able to crack it.... just the more secure you make it the longer it takes them.

 

[Embattle]

Bank account maybe?

Not really worth some of the extreme methods being proposed, then I do have to use a Secure Key any way with various other information.

 

[Killswitch]

But anyway, if someone was really determined, it doesn't really matter how secure your password is, they will always be able to crack it.... just the more secure you make it the longer it takes them.

Like encryption, the point of a password isn't to protect your information for all time, it's to either;

1) Protect it past the useful lifetime of the information/resource.
2) Discourage opportunistic people from stealing YOUR stuff. Like a crowd running away from a tiger you don't need to outrun the tiger itself, just make sure you're not the slowest person there!

Of course, you're always at the mercy of technology. If people in the know are right then passwords/encryption that should be secure until long after the heat-death of the Universe could be crackable in minutes with quantum computing.

I tend to be pragmatic about things. If the government or Microsoft want my secrets, they will almost certainly get them. If nothing else, their RubberHose-256 or PipeWrenchToTheKnees-512 decryption tools trump my super-secure passwords every time. Realistically though, I just need to make sure that I'm in the top 5% or so of best security practices and I'll never have to worry.

Oblig. XKCD http://xkcd.com/936/ and http://xkcd.com/538/

 

[caLLous]

But anyway, if someone was really determined, it doesn't really matter how secure your password is, they will always be able to crack it.... just the more secure you make it the longer it takes them.

Not necessarily true.

Operation Satyagraha
In July 2008, several TrueCrypt-secured hard drives were seized from Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried for five months (without success) to obtain access to TrueCrypt-protected disks owned by the banker, after which they enlisted the help of the FBI. The FBI used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them.

If you encrypt a truecrypt container with a good strong password and a good hash and encryption algorithm AND key files, to all intents and purposes (realistically speaking) it is unbreachable.

 

[Killswitch]

Not true.

Firstly "over 12 months" != forever. Secondly I refer the honourable gentleman to the aforementioned wrench. If the government wanted this information badly enough, I think Mr Dantas would have been vanished in fairly short order.

 

[caLLous]

Hey I did put "necessarily" in.

edit; And they can vanish him til the cows come home, it still wouldn't give them access to the encrypted information.