This is an add-on to my previous post about the LivingSocial hack. As I explained in that post, users' names, e-mail addresses, birth dates and hashed passwords were stolen. I also explained how this data can be used to generate some very convincing spear-phishing emails. Something I want to focus on further in this post is the hashed passwords that were taken.
Why worry? The passwords that were stolen were encrypted and salted by LivingSocial.
First, a correction in terms. LivingSocial's notice called the passwords "encrypted", but what was stored was a salted SHA-1 hash of each password, and hashes are not decrypted: they are cracked by guessing candidates and hashing each one until the output matches. SHA-1 is a general-purpose hash designed to be fast and cheap to compute, which is a poor property for password storage. It is great for their servers (no meaningful processing cost to check a login), but it is bad news after a theft like the one that occurred yesterday, because the attacker gets to run that same cheap operation billions of times per second against the stolen list. Password storage needs the opposite: a deliberately slow, salted key derivation function such as bcrypt, scrypt or PBKDF2 with a high iteration count, so that every guess costs the attacker as much as a login check costs the site.

LivingSocial also salted the passwords. A salt is a random value, stored next to the hash, that is mixed into the input before hashing. It does not make the password itself any stronger or longer; its job is to make every user's hash different, so that precomputed tables are useless and a cracking program can no longer test one candidate against the entire list at once. Instead it must re-hash each candidate for every individual salt. Sounds like that salt will make it very hard to crack 50 million passwords, right? Wrong. As mentioned before, an average computer with an average graphics card can perform billions of SHA-1 guesses per second. Now take a not-so-average computer with two, three or more state-of-the-art graphics cards and you can imagine the amount of power that can be aimed at a password list. Hackers usually have access to a rig like this in one way or another. A fast hash such as SHA-1, with the salts sitting right in the stolen data and the scheme described publicly (LivingSocial was kind enough to tell the world exactly how the passwords were hashed and salted), is no match for hardware built specifically for cracking passwords.
As mentioned in the previous article, weak passwords had already been cracked before the end of the day yesterday.
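To make the difference concrete, here is an added example (my own illustration, not LivingSocial's code). It assumes a store that keeps SHA-1(salt || password) next to each user's salt, which is a typical "salted SHA-1" layout but not necessarily LivingSocial's exact one. The users, salts and wordlist are constructed sample data; Bob's "Bob1964@" is the password from the example below. The script runs a dictionary attack against the unsalted and the salted version of the same store, counts how many SHA-1 evaluations each needs, and then shows PBKDF2 as the corrected scheme, timing a single guess against a single SHA-1 guess.

```python
import hashlib
import hmac
import time
from typing import Dict, Iterable, Tuple

# Constructed sample data (not real LivingSocial records). Salts are fixed so
# the run is reproducible; a real store would draw them from os.urandom().
USERS = [
    ("bob",   b"\x01" * 8, "Bob1964@"),
    ("alice", b"\x02" * 8, "correct horse battery staple"),
    ("carol", b"\x03" * 8, "password123"),
]
WORDLIST = ["123456", "password", "Bob1964@", "password123", "letmein"]


def salted_sha1(salt: bytes, password: str) -> bytes:
    """The weak scheme: one fast SHA-1 over salt || password (assumed layout)."""
    return hashlib.sha1(salt + password.encode()).digest()


def build_store(users: Iterable[Tuple[str, bytes, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """What gets stolen: per-user (salt, digest). The salt is stored, not secret."""
    return {name: (salt, salted_sha1(salt, pw)) for name, salt, pw in users}


def unsalted_digests(users: Iterable[Tuple[str, bytes, str]]) -> Dict[str, bytes]:
    """The same passwords hashed without any salt, for comparison."""
    return {name: hashlib.sha1(pw.encode()).digest() for name, _, pw in users}


def crack_unsalted(digests: Dict[str, bytes], wordlist) -> Tuple[Dict[str, str], int]:
    """No salt: hash each candidate once; the table then answers for every user."""
    table = {hashlib.sha1(w.encode()).digest(): w for w in wordlist}
    found = {user: table[d] for user, d in digests.items() if d in table}
    return found, len(wordlist)


def crack_salted(store: Dict[str, Tuple[bytes, bytes]], wordlist) -> Tuple[Dict[str, str], int]:
    """Per-user salts: every candidate is re-hashed for every user, so the work
    grows with the number of stolen hashes, but each guess is still one cheap SHA-1.
    Returns (cracked passwords, number of SHA-1 evaluations)."""
    found: Dict[str, str] = {}
    evaluations = 0
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            evaluations += 1
            if salted_sha1(salt, candidate) == digest:
                found[user] = candidate
                break
    return found, evaluations


# The corrected scheme: a deliberately slow, salted KDF. PBKDF2 is in the
# standard library; bcrypt or scrypt are the other usual choices.
ITERATIONS = 100_000


def pbkdf2_hash(salt: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(salt: bytes, stored: bytes, password: str,
                  iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so a login check does not leak digest bytes."""
    return hmac.compare_digest(stored, pbkdf2_hash(salt, password, iterations))


def rate(fn, seconds: float = 0.2) -> float:
    """Rough calls per second of fn() on this CPU; only the ratio matters here."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    store = build_store(USERS)
    print("unsalted SHA-1:", crack_unsalted(unsalted_digests(USERS), WORDLIST))
    print("salted SHA-1:  ", crack_salted(store, WORDLIST))
    salt = b"\x01" * 8
    fast = rate(lambda: salted_sha1(salt, "Bob1964@"))
    slow = rate(lambda: pbkdf2_hash(salt, "Bob1964@"))
    print(f"SHA-1 {fast:,.0f}/s vs PBKDF2 {slow:,.1f}/s: "
          f"{fast / slow:,.0f}x more work per guess")
```

Both cracks recover Bob's and Carol's passwords; Alice's long passphrase is not in the wordlist and survives. The salt only multiplies the attacker's work by the number of users (12 SHA-1 evaluations instead of 5 here), and a GPU that does billions of SHA-1 operations per second absorbs that multiplier without noticing. PBKDF2 at 100,000 iterations makes every single guess roughly a hundred thousand times more expensive, which is the multiplier that actually buys users time.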
Ok, so now I'm worried.
Good. With their poor choice of hashing they made it easier for the password crackers who are working on the stolen list as we speak, which greatly reduces the time you, the LivingSocial user, have to change your password before your account is compromised. Sadly, a lot of people still use the same password on multiple websites, so if your LivingSocial password is one of your multi-purpose passwords, this hack may have compromised other websites you use as well.
Let's use poor Bob Williams as an example. He has a LivingSocial account. The stolen data revealed his full name, birth date, e-mail address and hashed password. Bob is somewhat of an idiot: he used his LivingSocial password for his online banking, his Gmail and a few other websites. Additionally, he chose a rather weak password, "Bob1964@", which was cracked a few hours after the hack. A name plus a year is exactly the kind of pattern cracking rules try first, and the stolen records handed the attackers everyone's birth date to feed into those rules.
Armed with his name, the rest of his stolen record and the cracked password, the hackers now had enough information to attempt logging in on several websites. His e-mail and password combination got them signed in to:
– Bob’s Gmail
– Bob’s Facebook
– Bob’s AOL
– Bob’s Apple ID
and gave them enough information to attempt password-reset procedures on:
– Bob’s WordPress blog
– Bob’s Nest.com
You can imagine the possibilities with such a limited, but very specific, amount of data.
Even with stronger passwords they will most likely still get cracked; you may have just bought yourself a few days to change your password on LivingSocial and on any other websites where you may have used it. When LinkedIn was hacked last year it resulted in a list of roughly 6.5 million password hashes, unsalted SHA-1 in that case. More than 90% of this list was cracked in just six days.
I changed my password(s) but I'm still worried.
– Make sure your passwords are long, not guessable from facts about you (names, birth years, pets) and not on any common-password list; a password manager makes this painless.
– Never use the same password for different services, websites, computers, etc.
– Change your passwords regularly, and immediately whenever a service you use reports a breach.
– Use two-factor authentication if it is available; if it is not, use whatever other security features are available.
– Be careful about the services you choose to use. In the future, when you sign up for an online service, see if they offer two-factor authentication and HTTPS, and whether their security practices meet your needs. If not, move on to another service that does.