Dictionary Attacks 101

I think another point that doesn’t appear to have been made is that the hacker in question evidently knew the account name of an admin at twitter. It’s not enough to know passwords, you also have to know what account to apply them against. So in this case there were extenuating circumstances:

1. He knew an account name of one of the users.
2. That account had a week password.
3. That account also had admin privileges.

I wonder if there is more to this story than meets the eye?

I also agree that consistently bumping the amount of the delay leads to DOS for legitimate users. I can imagine that on any given day dozens of idiots are tyring to login as Obama just for the hell of it. So the delay should be no longer than 10 seconds or so. But this is long enough to twart a standard dictionary attack.

I think the real concern here is that Barack Obama has a twitter account… where does he find time for these things?

Why not use something like this?
http://danger.rulez.sk/index.php/bruteforceblocker/
I’m sure you could make something similar to work with login attempts from a website. Give them so many to try, then after that they can request the password be changed and if they keep attempting to brute force it just block them at the firewall. I know this isn’t an option for larger sites right now because of some visitors being behind corporate or ISP NATs, but I believe that problem will get smaller as we implement IPv6.

Well if you know that every wrong login will take longer then you just use rotate the usernames instead of the passwords, so that this won’t get triggered as quickly.

blockquoteGiven the average user’s password choices – as documented by Bruce Schneier’s analysis of 34,000 actual MySpace passwords captured from a phishing attack in late 2006 – this is a pretty scary scenario./blockquote
This has been pointed out a lot before, but phished passwords are not a valid sample for studying the wider population of users. They might actually be average passwords, but we have no way of knowing this with any certainty. It’s just as likely that the average password in the phished sample is vastly inferior to the password of the average user who was not susceptible to phishing.

I ran a site with 100k members and a 4 char minimum for password. 10% of my users had the password 1234.

I changed the minimum to 6 chars. Later I checked, and 10% of my users had the password 123456.

My car radio has a pin if power is lost and does the increasing delay trick. Ticks me off royally. Like someone would even try to steal a tape deck radio in this day and age!!!

Still - it is very effective.

A few items to note.

Use a locally stored password management tool like KeePass to store all your passwords. These tools can generate strong passwords. It might sound like a pain if you use multiple computers, but you can put the program and database on a USB Flash drive. Portableapps.com has a Portable KeePass, and others.

Passwords aren’t very secure anyway. Many web sites have easily circumvented password reset methods. Use of SSL certificates, or private keys is much stronger, especially if they are passphrase protected as well. With a passphrase required to unlock the certificate or key, you now have two-factor authentication, which requires something that you know (password) and something that you have (private key file).

OpenID provider myopenid.com allows use of a client certificate to authenticate. It doesn’t support a passphrase, but the cert is installed in the client browser. A revokation method is available as well if you suspect your private key has been compromised (ie, your laptop was stolen).

@Jasmine
Barack only used the twitter account during his campaign to communicate to voters. Post election he hasn’t used it at all (too busy) and for purposes of the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas.

it will block, won’t get returned to the pool, and you open up your whole site/app pool to a very easy DoS.

I think the delay should not hold the connection open, it should terminate with a message that the user should retry in X seconds - whether the password was good or not.

Let’s forget the English language. Let’s say any user could have a password with any of the 96 printable ASCII characters and that password could be any length between 1 and 40 characters. Two questions:

1). How many possible passwords could there be?
2). How long would it take for a new computer to go through all possible combinations?

BONUS:

3). If I was a serious hacker, would I only use a single computer to crack the password or use a whole rack full of servers?

For answer #1, I am not sure how many possible passwords there would be. You’d have to add all combinations between 1 character and 40 characters to figure that one out, and I am just to lazy to do it. But it’s safe to say there are a whole lot of them.

For answer #2, I would say it shouldn’t take longer than a week or two to go through every single one of those combinations. Buy enough computers, and you could do the crack in one day no matter how obscure the password.

There was a time when Unix use to store the encrypted password visible in the /etc/password file. Hey, it’s encrypted., everyone thought, How could that be a security hole?. Sure, someone could use a supercomputer to figure it out, but a $3000 IBM PC? It would take thousands of years. Besides, they don’t have enough memory to pull it off.

Well, those PCs got faster and faster, while memory and storage grew from kilobytes to megabytes to gigabytes. Enter the first dictionary attacks. You could easily encrypt an entire dictionary, run a hash from each encrypted entry to each cleartext entry, and then find a match in the /etc/password file.

Soon, the passwords were stored in a root only acessible file, users were encouraged, and sometimes required to add in numbers and other non-alphabetic characters, have at least one character that is upper case and one that is lower case. Some even went so far as to ban any password that contained an actual English word. The random string of letters qd6?7c.s3d/fishfus34v@@f would be an invalid password because it contains the word fish and us.

However, the faster computers are, the faster they are in guessing every possible combination of characters. There use to be a program called crack that did just that too. A System Administrator would run it on their password file, and see which users had poor passwords. As computers got faster, dictionaries got larger and larger. Now, we are at the point where even completely random passwords are guessable.

What is required is to make sure computers can’t guess all the passwords. That’s why a delay.

I disagree with Jeff Atwood’s method though. First problem: Users would grow frustrated each time they enter their wrong password, and had to wait 8 to 16 seconds for another attempt. They may simply switch to another service. It’s a overkill. A simple one second between each login request and the server’s response would be more than enough to prevent any dictionary attack.

Of course, having the delay just between incorrect login and password combinations is not really a good idea. A hacker would quickly detect the delay, know their login and password combination is incorrect, and then simply start a new HTTP session and try again.

The CORRECT way to do this is always have a one second delay between the initial login request and the response even if the password is correct. That way, a hacker doesn’t know whether the combination worked until they wait for the full delay. One second is short enough for users to barely notice and long enough to prevent a dictionary attack.

Of course, a Hacker could simply spawn a few billion requests at once, but that would probably overwhelm the server as it tries to process them all. So, for now, you’re pretty safe.

However, as machines get faster, bandwidth increases, and servers can handle bigger and bigger loads, this type of attack too must be taken into account. Security is an arms race between those who must protect their systems and those who want to break into those systems. What was good enough security last year is this year’s security hole.

Did anything happen to the hacker? It’s still illegal to do this as far as I’m aware.

I would go with the method of maybe for the first 2-3 times increase the login time but only to a max of say 4 seconds, maybe less.

Then any attempt after that use a refreshing captcha.

I will have user login on a new site of mine and will probably do this.

I was going to go with OpenID but I don’t think it would have any benefit considering my audience.

I think another point that doesn’t appear to have been made is that the hacker in question evidently knew the account name of an admin at twitter.

According to the article, the hacker didn’t know it was an admin account until he was in.

He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. I thought she was just a really popular member, he said.

That’s when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder’s password through the administrative panel.

VMS had a great login security feature.
After 3 bad login attempts it still gave you the login box and let you make as attempts as you liked - except it ignored them.
While keeping you on the line long enough to be traced (VMS was used by people that could do that!)

Rather like Joel’s - deleting threads but letting only the poster still see them.

Just curious (you never know, I may have to implement security for a web site some day and I don’t want to be one of the dumb ones!), but from a technical perspective, where would you implement the delay? Presumably you can’t put it in the client code because the hacker would just bypass it, but it you put it in the server code, don’t you just risk having your entire site DOS’d by tying up all of your server threads in sleep calls?

Is there some clever way of putting in a delay which doesn’t tie up your server resources?

The delay is totally useless window dressing. it is unlikely that an attacker is going to focus energy on a single account. Typical attacks would likely distrubed and looking at trying to attack lots of accounts and passwords looking for any way to achieve access. If I know there is a delay I am likely to try an account every nth time. if my attack is broad enough i might try only every other hour and not even be noticed or impacted with a delay.

Its like someone walking through a neighborhood trying car doors to see if they are left unlocked.

Hey how about Facebook Connect? Everyone put their personal data on Facebook more accurately than any other thing such as OpenID.

Why don’t we all use Facebook for credentials?

Twitter should be running a dictionary attack on all admin accounts to ensure high quality passwords are being used by trusted accounts. This sort of process is easy for them to run and more extensive checks can be done whenever the password is changed.

I use Joel’s method of Password Gorilla and DropBox (http://www.joelonsoftware.com/items/2008/09/11b.html). The only issue I have now is finding a client for my G1. Although I can export the PW list as text onto DropBox. Yeah, I know it’s not optimal

Would it not also be useful to implement a check against the top insecure passwords when the user creates their account or changes their password?

Along with your usual rules of must be at least X chars long etc, compare the hash of the password to the hash of the most common passwords, and prevent the user from re-using such a common value.

Obviously it wouldn’t be practical to have a massive dictionary list to compare against, but a reasonable list of the most common password would still be useful.

An inverse-dictionary check, so to speak.