Do passwords matter?
by Paul Asadoorian - Product Evangelist for Tenable Network Security - Thursday, 28 June 2012.
You don't have to look very hard to find an article discussing password breaches. Recently, there was a lot of buzz around LinkedIn,, and eHarmony, three very large sites suffering from passwords being leaked to the public. This is not a new phenomenon (earlier this year everyone was all up in arms about the Zappos password breach), but one that continues to garner attention in the media.

However, what most journalists are saying about password breaches is likely different from what I am about to tell you - it simply does not matter how strong your password is, how it is encrypted when stored by the provider, or how the transport layer is encrypted (e.g., SSL). Here's why:

How it's encrypted matters, but no one does it right

Many websites today, primarily for performance reasons, are using traditional one-way hashing algorithms to store your passwords (such as MD5 or SHA1). This means you give the website a password, it computes a cryptographic hash and stores it in a database of some kind. The plaintext password should never be written to disk. The next time you login, the website computes the hash in the same manner and compares it to the value stored in the database.

This is all well and good, until someone obtains a copy of the password hashes. Obtaining the hashes, without any other protections, such as password salting, two or more users with the same password will have the same hash value. This allows attackers to generate very large databases of already-hashed passwords and make a comparison. Hardware on graphics processing units (GPU) can help accelerate the process.

There are also websites that will provide hash-cracking services (submit the hash to a website and get the cleartext password in return). Several of these sites also use “Rainbow Tables,” a form of lookup tables which takes a bit longer, but allows for smaller tables. A ‘salt’ will help slow down this process, a little. Salts are a random string appended to the password such that user's passwords are different.

However, sometimes developers implement salts incorrectly, and use the same salt for each user or store the salt where attackers can obtain it (or calculate it). Even if salts are implemented correctly, the processing power of GPUs can be used to crack the salted password hashes in more time, using even larger pre-computed password dictionaries than ones without a salt. What does all this mean? Likely, at least a few websites (internal to your organization or external) are storing your password using a hash that can be reversed in a relatively short timeframe, depending on the hash used and computing power of the attacker.

"Password complexity matters not"

First, let us take a look at some of the password policies on many of the websites on the Internet. Many do not even let you set a strong password, keeping you within seemingly arbitrary limits of length, and enforcing ridiculous complexity characteristics, such as making you use a least one number, one special character, and one uppercase letter. What happens in this case, with a website requiring a minimum 5-character password, is the user ends up with a password of !234F. When passwords such as this are cracked, it’s fairly easy (Letters, numbers and symbols have about 10 billion possible combinations, and attackers can exceed 1 billion passwords per second).


Stagefright 2.0: A billion Android devices could be compromised

Most Android users are, once again, in danger of having their devices compromised by simply previewing specially crafted MP3 or MP4 files.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 2nd