The Dirty Truth About Web Passwords

This weekend, the Gawker network was compromised.

It's no Black Sunday or iPod modem firmware hack, but it has release notes -- and the story it tells is as epic as Beowulf:

This is a companion discussion topic for the original blog entry at:

There’s really little excuse for J. Random Websites not to use Open ID. I’m not going to use it for credit card-linked account but for the likes of Gawker and forums about crocheting, it makes a lot of sense.

Classic, just classic. Next they’ll realize that biting your nails makes you sick quite frequently, but gets you more sympathy and attention from your friends.

Once they fix that, someone will explain the dangers of rubbing your eyes.

The thing about salt though, it should come from a shaker. A full out compromise of a machine (through unrelated means) will usually reveal the special sauce. If your killer web app is not using some kind of directory authentication, where the directory is locked down quite a bit more… you’ll fail eventually.

This means yes, someone who cracks an OpenID provider can and will take full advantage of doing so.

jeff, blog more stack overflow less. thanks.

Great article, all of which I agree with. I’m more than happy to use Twitter to trivial logins, and I’ll stick to a unique password for each of my bank accounts. It is safer and it is more convenient.

With regard to point 1, and this may not be correct, I believe that both the full database and the source code were compromised. If this is the case, then salts are of little use. I do advocate the use of both a database-stored salt and an application (source code) salt, however, so that if the database is compromised, password hashes (with their salts) are still secure.

In the case of Gawker too many mistakes were made.

Obviously, your work here about explaining the password anti-pattern is brilliant. But I’m not sure I will concede your editorializing about the content Gawker publishes; They certainly publish things that others won’t, but I think that’s the best thing about them. And I wouldn’t slight the good work that Lifehacker (and Consumerist, when that was a Gawker title) do to help people by simply describing the effort overall as “often unethical” is actually pretty inaccurate.

(Disclaimer: I do know, and often like, Nick Denton. But then again I do know, and often like, you as well. :))

What’s wrong with OpenID?

The short answer is that OpenID is the worst possible “solution” I have ever seen in my entire life to a problem that most people don’t really have. That’s what’s “wrong” with it.

(Don’t be picky on me for using my OpenID to post this. There are at least 20 comments I did not post because of having to use OpenID.)

I’m probably screwed, but my method has been to have two tiers of passwords:

Slashdot, diyaudio, and all the other news type sites I frequent get one strong but common password. The sites that matter, like my bank, gmail etc get unique and stronger passwords.

My rationale is that if my reused password gets compromised, I don’t really care much. What damage is done? People could post using my name, but chances are they they could spoof that anyway. It’s the bank password and such that really can cause pain and that is stronger and unique.

The real issue here is one of security vs. convenience. I’m willing to risk somebody posting as me to slashdot and the other dozen sites I visit vs. trying to remember unique passwords for each. If the web gets to the point that I need unique strong passwords for each site I visit, I’ll punch out of this whole web experience.


Can we please drop the “driver license” metaphor? “Passport” is much more accurate. A license gives one permission to perform an action whereas a passport establishes identity. I can hold a barber’s license, but it wouldn’t tell you anything at all about if I am actually that person. And why do barbers need licenses anyway?

BCrypt for my passwords please! It is so incredibly easy to implement and is nearly impervious to the effects of Moore’s law.

Accidents will happen and in our pursuit for secure systems, while increasing and creating ever more secure systems, we can also minimize the risks.

One strategy we like is having a cascade of passwords. Never a single password - perhaps OK in a single network or environment, but never in a hostile public environment. For example:

Level 1 password: only for physically accessible systems
Level 2 password: for highly trusted networks like Google, Yahoo
Level 3 password: for semi-trusted systems
Level 4 password: for low trusted system (you trust their services but not sure if their systems are 100% secure)
Level 5 password: no trust or perhaps you will use them only once

As individuals we all need to create our own system for passwords which we like magicians, we should never share with the world.

I’m pretty sure this isn’t right. They did store just salted hashes. The algorithm was DES, but inside crypt(3), which produces salted hashes. The reason the passwords were recoverable, though, was that dictionary attacks were very easy because crypt(3) only uses 2 characters of salt for the 8 character passwords.

If I comment on this post, will you steal my password? :open_mouth:


The salt is there to (attempt to) prevent precomputed hashes from giving the attackers the plaintext passwords in a matter of minutes. In fact, the algorithm they used uses a different salt for each user and prepends the salt to the hash itself. Anyone getting just the hashes would have the salt anyway, even if they didn’t have the rest of the code on the site.

What truly shocked me in this story were the weak password, not of the users, but of the workers. I mean, “arthur”? Really?

Personally, I use a system suggested by a fellow Slashdotter: I take a fixed password, append the website’s domain, hash it and cut it to 20 chars (plenty of websites have a small upper limit on password length - incredible but true).
For example, a possible password (not a real one, the domain is fake) is 9131d179c92b286a5474.

Of course, this is for random websites which I don’t really care if someone takes over my account - never for something so important as access to a major website’s admin account!

As for OpenID, I think it’s fine as long as I control the URL that identifies me. Right now, if someone hacks and takes control of, I can simply unplug the server, as it’s a laptop running in my bedroom.

Similarly, if someone hacks, I can simply change my provider in my website.

But using someone else’s domain as my ID is a no-go to me, and for most people that’s what they’ll do.

Jeff, I would love to hear your opinion on this: :stuck_out_tongue:

Gawker did NOT store passwords. You are flat-out wrong there, Jeff. They stored the standard DES hashes of passwords as computed by crypt($password, “xy”), where “xy” is a random two-character salt (

Using some kind of brute force (perhaps a dictionary attack, perhaps rainbow tables, perhaps something else), the hacker managed to crack about 200,000 of the 1.3 million passwords in the database. The other 1.1 million are still crackable, but only the hashes, not the plaintext passwords, are in the database that the crackers released.

As a long time Giz commenter, I didn’t have the choice to use Facebook or Twitter to comment back when I started reading Giz. You can’t blame anyone for being limited by the technology of their times.

Fortunetly, everyone is moving toward a “web driver’s license”.

Unfortuently, this isn’t a decentralized system like OpenID, but rather Facebook Connect.

It’s such a shame we ended up putting our web experiences into a company that a lot of people (myself included) avoid like the plague.

Two comments:

  1. I use LastPass.
    It is free and it integrates very well into Firefox, IE, Chrome and Safari. Since LastPass remembers my passwords for me “in the cloud” (as people call it today), I have my passwords in every browser and wherever I go, as long as I have Internet access there. Since I only store my Internet passwords there, I won’t need access to them if I have no access to Internet. And since I don’t have to ever remember any of those passwords again, all my passwords for all my accounts are different and they are all combination of random letters (upper and lower case), numbers and punctuation characters, always as long as the service allows (up to 32 characters). Guessing them? Impossible. Brute Force? If you have the time :wink: If one gets compromised? No problem, has no effect on any other account and I can just pick a new random one for the compromised account. What if LastPass itself is compromised? No problem, passwords never leave the computer unencrypted, so not even LastPass could recover them; the data from LastPass is completely useless, unless the attacker knows the Master Password and my Master Password is very long and immune to dictionary attacks. Further I change it whenever I feel like it.

  2. Regarding your Internet driver’s license, you will probably love the new German identity card. It is a normal identity card, works like a passport within the European Union, with picture and standard ID information (name, address, date of birth, etc.). However, it also has a chip inside and by plugging a USB device to your computer, you can use it to authenticate online. You can either authenticate as yourself (with your realname and address), or you can use the pseudonym function to authenticate as the person owning the ID card, but without transmitting any personal information (other than that you own the ID card and the PIN to use it). To use the password, a 6 digit PIN is needed, that is of course secret and the card is locked after 3 incorrect attempts - too little to guess a 6 digit number. The pseudonym function is pretty cool: The Site sends a site identifier, the ID card takes this identifier, mixes it up with a unique number stored inside the chip, hashes the result and returns it back to the side, but only if the correct PIN is entered. To avoid man in the middle attack, a site must authenticate towards the ID card and the card towards the site in such a way, that a man in the middle will fail, even if he can see and modify all traffic in between those two (similar to SSL certificate authentication or how VPN tunnels are established based on certificates). Another very useful online function of the ID card: Age verification. It can just verify that you are above a certain age, without revealing you real age or any other personal information to the site owner. The card owner is always shown which information will be revealed to a site owner and its up to him to allow that, by entering the PIN.