I normally don't respond and just sit back leeching knowledge, however this incident with LinkedIn & eHarmony strikes close to home. Not just because my password was in this list of dumped LinkedIn accounts, but the fact that this incident struck virtually every business professional and corporation across the world. Please bare with me while I ramble a few thoughts... The real problem with authentication falls on "trust". You either have to trust the website is storing the data securely or some other party will verify you are who you really are. Just as in the example of the DMV. If you think about your daily life you have put your entire life on display for the world. You trust the DMV with your drivers license information, address, social security number, heck they are even asking for email now. If your active or prior military you have given that same information, plus DNA and fingerprints. Think about how much information about you and your habits occur from simply using "rewards" cards, or "gas points". You, meaning users, give up your identity everyday and with little regard, but when it comes to a website or tracking you across websites we throw our hands up and scream "stop". Please don't get me wrong, I am a HUGE fan boy of privacy and protection of data, but responsibility ultimately falls back on the user. Those users who do not know any better are still at fault, but it is our job to educate them in better methods of protection. So the question falls back on how can we make things better? The fact that we must trust people outside ourselves is key. We need to explain the importance of things such as KeePass (http://keepass.info/), and pass-phases, rather than words. Below is an example, my password which was leaked during the LinkedIn dump, but till I started using this as an example the likelihood of the hash being cracking it was VERY slim. Use this as an example of how to select a password for websites and how even if the hashes are dumped the likelihood of cracking it is slim. Password: !p3ngu1n_Pow3r! SHA1 Hash: b34e3de2528855f02cf9ed04c217a15c61b35657 LinkedIn Hash: 00000de2528855f02cf9ed04c217a15c61b35657 To crack this pass-phase using the following systems it would take the the associated amount of time: $180,000 cracker it would take roughly 2 decades, 7 years to complete the crack $900 cracker it would take 3 centuries, 3 decades to complete the crack Average graphics card it would take 15 centuries to complete the crack Average desktop computer would take 795 centuries to complete the crack Now what does this mean in the schema of things. You cannot trust any website, third party identity verification, one time password, etc. You can only trust yourself in creating a password that even if dumped will make it nearly impossible to crack. Use some form of nomenclature to identify a website separate from the base pass-phrase, thus giving you individual "passwords" and in turn if one site gets dumped the others remain safe. Practicality is more along the lines of what the solution is. It is not practical to develop an pub/priv solution because of the user themselves, it is however practical to educate everyone we meet, preaching to them how to make simple changes can increase their protection ten fold. A similar question though comes from "Website xyz.com was just dumped, how do I know if my password was in this group?". Just from previous experience, organizations release the warning stating they had a breach, but it normally takes a good bit of time, as seen with LinkedIn, for them to release who was part of this dump. If they ever really do, sometimes it becomes a blanket "We were breached please change your password." story. If a website you have been using is breached then I revert back to the original statement saying that the issue becomes trust. In the early days of LinkedIn websites claiming to check your password against the database dump were popping up left and right. Is it truly wise to jump to these sites and put your password, which potentially will take decades to crack, into a website that claims to check it without storing that password anywhere. I know there are sites which were created by companies and individuals with outstanding reputations, however it was outside my control and thus not trusted. I decided to write a small, very simple, Python script that will run on your local machine and allow you to check your password against the dump of hashes. Right now it only does the LinkedIn dumps, but my goal is to do any dump all you have to do is point it to the file. I also then decided to take a little longer on the next release and learn to code in a GUI for users who may not be a techie. I will continue to work on the GUI release, but if you want to get that release email me and I'll make sure you are aware of its release. Until then I hope this helps those who may not feel comfortable about checking a password against a website and trusting that website doesn't store your password. http://www.armoredpackets.com/hashcheck_a_small_piece_of_mind I also hope that my explanation about how trust is the real issue, and that ultimately you can't trust any site nor any method. That by making simple, yet effective, changes in how you create and use passwords will protect you long enough to safely change the passwords/pass-phrases for all your sites. Back to leeching knowledge :-) Keep up the great conversations! - Robert Miller (arch3angel) On 6/13/12 3:54 PM, Grant Ridder wrote:
Hi Everyone,
I thought that i would share an IEEE article about LinkenIn and eHarmony.
-Grant
On Wed, Jun 13, 2012 at 1:05 PM, Phil Pishioneri <pgp+nanog@psu.edu> wrote:
On 6/8/12 7:22 PM, Luke S. Crawford wrote:
I haven't found any way that is as simple and as portable as using ssh that works in a web browser.
The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems similar:
Enigform is a Firefox Add-On which uses OpenPGP to digitally sign
outgoing HTTP requests and Securely login to remote web sites, as long as the remote web server is Enigform-compliant.
-Phil