Software architect and Microsoft MVP, you’ll usually find me writing about security concepts and process improvement in software delivery.
Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities.
Let me demonstrate:
123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese
These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone.
How do we know this? Because every one of these passwords and hundreds of thousands more were stolen from Gawker last month and released into the wild where they are now readily accessible. Because people reuse their credentials, Gawker’s approach to application security didn’t just compromise their own data, it compromised an untold number of other applications.
The damage doesn’t end at Gawker
Gawker obviously screwed up on a fairly grand scale. There’s a lot of commentary out there about what they did wrong and how it lead to such a comprehensive breach, but what’s really interesting is the damage done beyond Gawker.
Shortly after the Gawker hack, Twitter become flooded with Acai spam. Why? Because evil-doers simply took compromised usernames, email addresses and passwords from Gawker, plugged them into Twitter and guess what? Many of them worked!
Of course the problem here is human in that many people simply create themselves a master username and password and reuse these credentials everywhere. There’s no arguing this is a big security no-no but there’s also no arguing that there’s very little we, as software developers, can do about this. Federated and second factor authentication services are great, but let’s face it – they have their own issues and how often are they actually used?
How many of the passwords above look “strong”? How many look like they could feasibly have been used on other websites? Other than the “gizmodo” one, I’d say the likelihood of reuse is rather high. Even the founder of Gawker used the same eight digit password for Twitter as he did his own company’s website!
In fact, the likelihood of password reuse was sufficiently high for LinkedIn, Yahoo and Blizzard (and probably others) to request potentially affected customers to reset passwords on their sites. This is serious indictment of internet security practices as it acknowledges the high propensity for password reuse and concedes that once an individual is compromised in one location, chances are they will be compromised in many locations.
Your responsibility goes beyond your application
This brings me to the point of this post; your responsibility stretches beyond your application. The do-gooder side of me would call this a “social responsibility”. The more pragmatic side would simply point out that the impact of the breach on Gawker’s customers became significantly worse when they were required to take action on totally unrelated websites. If I was a Gawker customer, which as you can now discover for yourself, I’m not, I’d be pretty unimpressed at the impact on my LinkedIn and Yahoo accounts.
Many people may not have cared too much that the account they use to leave comments on a media site was breached. But once the account they use as an essential part of their online identity – something potentially responsible for their reputation, job opportunities, relationships – became breached, well that’s a whole other story.
Here’s the sort of statement that worries me:
The information on our site isn’t that sensitive so security isn’t too important
I’ve seen this sentiment many, many times before and on the surface of it, it makes sense. Why bother investing in robust encryption, forcing strong passwords and implementing transport layer security when all you’re protecting is someone’s ability to comment on a news article? It’s not their bank account or anything, right?
Well, it could be. How many of those Gawker passwords do you think match up with passwords for accounts where people do care about security and they are protecting something valuable? Twitter, Facebook, Gmail, PayPal – any conceivable online service that requires no more than a username and password and let’s face it, that’s most of them.
Are you being a responsible developer?
Here’s an easy test:
- Are passwords stored as a salted hash using secure cryptographic storage (“secure” is the operative word and it’s what Gawker didn’t do)? There should not be any facility to retrieve a plain text password from the system. And you should never be able to just browse through and read your users’ passwords.
- Are there robust, minimum password requirements? None of the top 25 Gawker passwords would be classified as “robust”. Even just a reasonable minimum length and more than just one character type would exclude all but one of the top 25.
- Is transport layer security such as SSL being used? Credentials (and arguably entire sessions in the wake of Firesheep), should not be transferred over unencrypted networks. It’s just too easy to get hold of them.
Of course web application security goes well beyond these three points alone but they’re usually the most frequently overlooked in the “my data isn’t sensitive argument”. They’re also very easy to implement, at least in the .NET world. The ASP.NET membership provider natively handles the first two and what’s an SSL certificate cost these days? Less than $70 a year from Instant SSL and a little bit of coding work? Many other popular products which include account management facilities are also cognisant of good password practices.
Particularly for the password strength test, you’re not only being a responsible developer, you’re providing your customers with a greater degree of protection from a Gawker style breach. Once again, almost none of those top 25 passwords would meet any reasonable definition of robust and would be useless on any site enforcing this standard.
I don’t buy the “barrier to entry argument” either; if the difference between someone signing up to your site and being an active user or walking away and never coming back literally comes down to something as simple as a few different character types, was this person really going to offer you any value? Yes, I know the likes of behemoths such as Facebook and Twitter are very liberal in this regard, but really, should they be? And doesn’t almost everyone have at least one account where the password isn’t a complete free for all?
The other issue to consider – and this is the totally selfish one – is that if one of your users had their account exposed in the Gawker attack and those credentials were then used – and exploited – in your site, who do you think the customer is going to blame? Gawker was high profile but the exact same thing is happening every day on a micro-scale without the sort of press that Gawker got. So who is your user going to point the finger at first when they find their account on your site has been compromised? And who’s going to have to deal with it?
Of course the password rule argument is a band-aid solution at best; people can still reuse strong passwords. The difference is that they’re far less prevalent and if they’re encrypted properly, they take a hell of a lot longer to crack. It’s a small but important step in the right direction.
What’s stopping you?
No, seriously, what is stopping you from meeting these three tests? Leave me some feedback – is it the effort in implementing? Is there a prohibitive cost factor? Are you concerned about performance? Is there really a usability factor?
Personally, I’ve protected myself by doing what we all know we should be doing; using strong, unique passwords on every site to ensure no single point of failure. But I, and quite likely you too, have a far greater role to play in ensuring basic, good security practice becomes pervasive. Because when you don’t do this, you not only jeopardise your own application, you jeopardise every other application your users frequent.
Your responsibility is not only to protect your application data, it’s also to protect your customers’ identities.
10 comments:
The non-use of SSL by major websites to protect personal information amazes me.
In the EU, personal data is protected by local Data Protection legislation which derives from the European Data Directive.
Here are quotes from the UK Information Commissioner's website and the Irish Data Protection Commissioner's website. These are the bodies responsible for the legislation in those two countries. Both of these would to me suggest that personal data should be protected using SSL....so why don't they?
* * *
"Question. We collect personal information through our website. Do we have to use an encryption-based transmission system?
Answer. You are responsible for processing personal information securely. You must adopt appropriate technical and organisational measures to protect the information you collect. It is difficult to see how you could do this without having a secure, encryption-based transmission system if the personal information is sensitive or poses a risk to individuals"
Source: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf
* * *
"Transmission over external networks, such as the internet, should normally be subject to robust encryption."
Source:http://www.dataprotection.ie/viewdoc.asp?DocID=39
Please note that Gawker stored only salted traditional crypt(3) and bcrypt password hashes - never plaintext. See my post:
http://tech.gawker.com/5721670/gawker-password-management-qa
For those contemplating their own password hashing scheme, I think this Hacker News thread is a must-read:
http://news.ycombinator.com/item?id=2005017
I think the key with Gawker was the lack of "secure" cryptographic storage. Sure, they had "encryption", it just wasn't done very well!
Jeff Atwood has a nice summary here: http://troy.hn/evDSfa
"The odd choice of archaic DES encryption meant that the passwords they saved were all truncated to 8 characters. No matter how long your password actually was, you only had to enter the first 8 characters for it to work." - ouch!
I absolutely don't want to start any sort of argument here, but facts are facts. Gawker is in an indefensible position; however, this particular article is wrong about the details. (See my post.) Gawker did not store passwords nor did they "encrypt" passwords with DES. Gawker did exactly what he suggests: passwords stored with salt and a hash. There's a big difference between DES symmetric encryption and crypt(3), which is based on a modified form of DES. Anyway, you don't have to rely on my statements - there are comments on the post that point this out too. The Hacker News link I present also describes how many seemingly secure password hashing schemes like MD5 + salt are, in fact, less secure than crypt(3) because they can be computed much faster.
Thanks for the clarification Matt. After making a conscious attempt not to talk about the specifics of the attack in my post without properly researching the details, I've gone and done it in the comments!
The focal point for me remains the impact on apps well outside the realm of Gawker and on that basis the details of the attack don't change the context.
No problem. The points in your article are well-taken. Lots of security and policy failures at Gawker led to the compromise of the password hashes - they should never have been exposed to be cracked in the first place. Still, even much maligned crypt(3) protects the more complex passwords. I can only guess that people still have EC2 instances still working on cracking them.
No problem. The points in your article are well-taken. Lots of security and policy failures at Gawker led to the compromise of the password hashes - they should never have been exposed to be cracked in the first place. Still, even much maligned crypt(3) protects the more complex passwords. I can only guess that people still have EC2 instances still working on cracking them.
The non-use of SSL by major websites to protect personal information amazes me.
In the EU, personal data is protected by local Data Protection legislation which derives from the European Data Directive.
Here are quotes from the UK Information Commissioner's website and the Irish Data Protection Commissioner's website. These are the bodies responsible for the legislation in those two countries. Both of these would to me suggest that personal data should be protected using SSL....so why don't they?
* * *
"Question. We collect personal information through our website. Do we have to use an encryption-based transmission system?
Answer. You are responsible for processing personal information securely. You must adopt appropriate technical and organisational measures to protect the information you collect. It is difficult to see how you could do this without having a secure, encryption-based transmission system if the personal information is sensitive or poses a risk to individuals"
Source: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf
* * *
"Transmission over external networks, such as the internet, should normally be subject to robust encryption."
Source:http://www.dataprotection.ie/viewdoc.asp?DocID=39
I think maybe you make a different point than you intend here; it seems like perhaps the exact OPPOSITE should be true. If Gawker had implemented password controls to force users to *reduce* entropy, to the point that no secure website would accept ANY allowed gawker password (e.g. your password must be 5 digits 0-9) as their own password, that would reduce the value of any data gleaned from a gawker database, since users would be unable to use their too-simple gawker passwords for any other purpose.
That's a tough argument to make - allow your passwords to be weak with the assumption that people will take advantage of that opportunity whilst passwords on other sites are strong!
Post a Comment