The use of easily-computed hash values as password authenticators provides piss-poor safety. The prevalence of memorable/weak passwords and their reuse simply compounds the foolishness. Here’s a vivid demonstration of why.
Lights! Cameras!! Rolling … Action !!!
Scene 1: The Setup
Late at night in a Pinsk technical high-school computer lab, our intrepid 5p00k5 carry out the following nefarious scheme:
- Collect a very large list of SHA1 hash values for known passwords. There are dictionaries of these. For fun, create more from lists of known bad-choice passwords and any other fun ones that the 5p00k5 toss in while gleefully building the collection.
- For seasoning, the team replaces the first 20 bits of some of the hash values with ‘0’ to indicate that this is a cracked hash. (These are all cracked, of course; this just seasons the exploit.)
- As a final bonus, some hashes that have been obtained in various ways but not yet cracked are included to add to the challenge and the verisimilitude.
- Sort (or simply index) the list on the final 100 bits of the 120-bit values and eliminate duplicates.
Scene 2: The “Leak”
- Place the compiled list of several million hash values somewhere that will invite crowd-sourcing of the discovery of the passwords for each of these.
- Each one has a password; the 5p00k5 already know most of them.
- The ones with the first 20 of the 120 bits set to zero will have 2^20 different hashes that collide with them, some of which may actually be hashes of real passwords. At least one is assured because the 5p00k5 already know that one.
- Periodically, report more as having been cracked and set the first 20 bits of those to zero.
Scene 3: The “Confirmation”
- The 5p00k5 can now sit back and watch the confirmation of their exploit.
- Everywhere around the world, operators of services and sites that use unsalted SHA1 digests as password authenticators will notice matches with digests (“cracked” or not) in their databases. They will have to assume their system has been hacked. (It is inevitable that there will be such hits, considering the number of bad, already-known, and easily-cracked passwords that are being used everywhere.)
- In addition, individual users will determine, via services that are available for this purpose, that a password of theirs will match one of the ones (“cracked”-form or not) in the leaked list.
- Compounding the insult, hackers everywhere fire up their hot-shot graphics processors and crowd-source the brute-force discovery of passwords that correspond to the posted hash values. These passwords are posted in a growing blizzard of shame.
- Thousands of folks start changing their passwords on any service that announces that some of the “leaked” hash values match some of their accounts.
- The dramatic moment yet to be reported is when someone changes their password and immediately discovers that the new SHA1 digest value is already in the “leaked” list. (This is bound to happen. It is noticing that it has happened that may take time.)
To demonstrate that the hashes are from real accounts somewhere, the associated user identification also needs to be published. One trusts that does not happen.
In the absence of that, notice that it doesn’t matter how few SHA1 digests match those for accounts in anyone’s system. It is the matches that receive all of the attention. And matches are guaranteed in a system with millions of accounts. This is what people notice and it is the credulity on which the exploit relies.
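To see why a match proves nothing about a breach, here is an added example (not part of the original post) in which a list built only from a dictionary hits accounts on two unrelated sites that store unsalted SHA1, while a per-account salted verifier leaves nothing to compare. All passwords, user names and site tables are constructed; PBKDF2 and its iteration count are my choice for the contrast, and the index uses everything after the masked 20 bits of Python's SHA-1 hex output.

```python
import hashlib
import os

MASKED = "00000"  # first 20 bits (5 hex digits) zeroed, as in the scenario

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def mask(digest):
    """Return the 'cracked'-form entry: leading 20 bits replaced by zeros."""
    return MASKED + digest[len(MASKED):]

def build_index(published):
    """Index published digests by the bits that masking leaves untouched."""
    return {d[len(MASKED):]: d for d in published}

def find_matches(accounts, index):
    """Map user -> published entry for every stored unsalted SHA-1 that hits."""
    hits = {}
    for user, stored in accounts.items():
        entry = index.get(stored[len(MASKED):])
        # Full entries must match exactly; masked ones match on the tail only.
        if entry is not None and (entry == stored or entry.startswith(MASKED)):
            hits[user] = entry
    return hits

def salted_verifier(password, salt=None, iterations=100_000):
    """Per-account salt plus PBKDF2; the iteration count is illustrative."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key

# Constructed data: a list built purely from a dictionary, with no access
# to either site below, and two unrelated sites storing unsalted SHA-1.
PUBLISHED = [mask(sha1_hex("password1")), sha1_hex("letmein"), sha1_hex("qwerty")]
SITE_A = {"alice": sha1_hex("password1"), "bob": sha1_hex("Zr7#tide-Quill-41")}
SITE_B = {"carol": sha1_hex("letmein"), "dave": sha1_hex("password1")}

if __name__ == "__main__":
    index = build_index(PUBLISHED)
    for name, site in (("site A", SITE_A), ("site B", SITE_B)):
        print(name, "matches:", sorted(find_matches(site, index)))
    # Same password, two accounts: salted verifiers share nothing comparable.
    print(salted_verifier("password1")[1] != salted_verifier("password1")[1])
```

Both sites report hits even though neither was touched, which is exactly the signal an operator cannot distinguish from a real compromise.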
So, is it 5p00k5 or is it real? Is it Memorex or is it Ella? Is it margarine or butter?
Whatever the fact of the matter, it is necessary to act as if there really is a hack and the SHA1 digest values are for real accounts that have been hacked. It is folly to do otherwise. The 5p00k5 win.
So long as account identifications are not disclosed, it is not possible to tell the difference between a real hack and the work of 5p00k5.
It is a vivid demonstration that we have been casual for far too long, using theatrical gestures with no security and safety foundation.