You’ve got to appreciate some of the irony in that title. Lifehacker is part of the Gawker group of websites. Some hackers got into their system and downloaded their database and source code. They also ran some scripts against the database and were able to find nearly 200,000 people who were using passwords that weren’t very strong.
I had an account on Lifehacker from years ago. Since I didn’t consider it a huge security issue, I used a simple five-letter, single-word password. Since it was easy to break this password, my username, password and email address were part of the roughly 200,000 released in decrypted form on the web.
I panicked just a bit when I saw my password on the list. Fortunately I’ve been using 1Password so I was quickly able to search through all of my logins and identify where I had previously used that password. It turns out it wasn’t used in many other places–mainly on things where I needed a quick account and wanted a password that I’d be likely to guess again.
So I was able to quickly change anything where I might have been at risk. Still, it shook me up a bit and made me take a closer look at my password strategy. Ten years ago I used 3 different passwords. I had one for banking and websites where the risk of losing my data was high. I had another for things like email accounts where the risk was moderate and a third for sites like LifeHacker where the damage of someone logging in as me was minimal.
However, the real risk wasn’t that someone would log in as me to make comments. The real risk was precisely what happened with LifeHacker–someone got into the website, discovered a bunch of users’ passwords and then used those passwords to get access to their other accounts on the internet.
In the past five years I’ve taken a bit of a different approach to creating passwords. Whenever possible, I try to create a unique random password for each website I need a login for. That way if something happens like what happened with LifeHacker, the hackers will only have access to the site they hacked–something they probably have already in order to get the passwords in the first place.
How passwords are stored
If you want to understand how to create a secure password, it is worth taking some time to understand how passwords are stored by modern web applications.
Had I used a longer password that wasn’t a word in some language, the hackers probably wouldn’t have been able to get my password. LifeHacker stored their passwords as a hash (basically a type of one-way encryption). When you log in, LifeHacker’s servers took your password, ran it through the hash function and then compared it to what they had previously stored. If the values match, then you can log in. If not, then you don’t have the right password. As you can see, this meant that LifeHacker didn’t have to keep a copy of each user’s password on their server. However, you can get dictionaries of common words mapped to their hash value. This is how the hackers were able to get my password–they simply looked up the hash.
Here is an example. First let’s create a hash of a common password, “qwerty”. We do this using the following command at the OS X command line:
Desktop $ echo "qwerty" | md5
a86850deb2742ec3cb41518e26aa2d89
The hash is that long string of numbers and letters. This is what gets stored instead of your password on the server.
How to break hashes
The hash process isn’t reversible. There isn’t an easy way to take a86850deb2742ec3cb41518e26aa2d89 and “decode” it. However, “qwerty” is a fairly common password. If one were to take a dictionary of common words and run them through the hash process, they could create a database of all the hash values for common passwords. “qwerty” is a common password–common enough that someone probably has it listed with its hash value on the internet. So if we do a Google search for that hash value, we are going to find a number of results–most are showing that a86850deb2742ec3cb41518e26aa2d89 is the md5 hash for the word “qwerty”. This is how the hackers were able to break my password–even though all they had was the hashed value.
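The lookup the two sections above describe, as an added example that is not part of the original post: a precomputed word-to-hash table recovers an unsalted MD5 of a dictionary word instantly, while a per-user salt and a slow hash (PBKDF2 here, an assumption about what a better-designed site would do, not what Gawker did) give the same word a different hash for every user, so no such table can be built. The wordlist is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the public "word -> hash" tables the post describes;
# a real table has millions of entries, this one just needs to contain "qwerty".
COMMON_WORDS = ["password", "qwerty", "gorilla", "123456", "letmein", "monkey"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as a naive site might store it.
    (The post's `echo "qwerty" | md5` hashes "qwerty\\n": echo appends a newline.)"""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every word once; afterwards each lookup is a dictionary access."""
    return {md5_hex(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from its unsalted hash if the word is in the table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Per-user random salt + deliberately slow PBKDF2-HMAC-SHA256.
    The same password yields a different hash for every user, so a
    precomputed table is useless and each guess costs `iterations` work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> Tuple[Dict[str, Optional[str]], bool]:
    """Look up three stored hashes, then show the salt defeats that approach."""
    table = build_lookup_table(COMMON_WORDS)
    candidates = ["qwerty", "gorilla", "TheGorillaAteSoup.OhMy!"]
    found = {pw: lookup(md5_hex(pw), table) for pw in candidates}
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    same_word_differs = salted_hash("qwerty", salt_a) != salted_hash("qwerty", salt_b)
    return found, same_word_differs
```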
Safe passwords
Hopefully that explains why using a password that can be found in a dictionary is a bad idea. So how do you create passwords that can’t be broken in this way? You need to use a password that the hackers aren’t going to be able to find in a list of common words. Also the longer the password, the safer you are.
So a password like:
gorilla
is bad, but a password like:
dkfje&KPiOudkfje(*(3!
is good. While that last password is secure, there is one little problem. Can you spot it? Right. It is nearly impossible to remember. A simple solution is to use a password that combines a number of words. Here are some good passwords:
- TheGorillaAteSoup.OhMy!
- mydoghas1flea!
- bob.can’t.run.8.miles.
Picking a pattern is another good method. These passwords look random until you try to type them. You basically remember the pattern on your keyboard.
- a’s;dlfkgjh
- %TGBnhy6
- zxcvxcvbcvbnvbnmbnm,nm,.m,./
Use different passwords
Even if you use a secure password, you don’t want to use the same one on every site. There are other ways for hackers to get your password. Sometimes hackers will install keystroke loggers on public computers in order to capture passwords people are using. If you have a secure password, but use the same one on all of your logins, you might log in to check your Facebook messages at a library and later find that someone has been accessing your banking. I have logins for over 400 websites. There are some techniques I can use to remember a different password for each site, but it simply doesn’t scale to 400 logins.
That’s where software like 1Password, LastPass, or RoboForm comes in handy.
1Password
I have been using 1Password for several years. 1Password lets you create a random password whenever you need it and it keeps track of your username and password for each website. When you return to a site, 1Password logs back in for you. You have one master password for 1Password that gives you access to all of your other passwords.
The passwords generated by 1Password are long and random. You can edit the settings to try to make the passwords easier to pronounce if you are trying to remember them or let it make them completely random and very long.
1Password is very nice, but it works as an application with a handful of plugins for different browsers. This works pretty well, but you really need a ubiquitous tool if you want to be able to keep all of your passwords secure. Otherwise you end up using simpler passwords on things you need to access often and from different locations. Often these are the very things you want most to protect.
What frustrated me with 1Password is that I couldn’t use it on my Blackberry or my Linux computer. As long as I stayed on my Mac it was fine, but if I tried to use another machine things got a bit more tricky.
LastPass
This week I’ve started looking at LastPass. While 1Password is an application with some plugins, LastPass seems to be entirely plugin based and they have a great deal of cross-platform compatibility. The interface doesn’t seem quite as polished as 1Password, but this is probably because they are making it run on a bunch of different platforms. Also LastPass offers syncing between different devices so everything stays up to date. Any decryption is done on your local machine so your passwords are only stored encrypted in the cloud.
One interesting feature of LastPass is their security audit that will show you how secure your passwords are overall. You can even have it show you all logins that share a password so you can easily identify the places where you need to bolster your security. Another feature that looks useful is the ability to share your password with others.
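The two checks this section and the “Use different passwords” section describe, as an added example that is not LastPass’s or 1Password’s code: a reuse audit over a small constructed vault (the same password on several sites), a weakness check against a constructed wordlist and a minimum length (the 12-character threshold is my assumption, not a figure from the post), and replacement of every flagged entry with a fresh random password drawn from the OS random generator.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]  # (site, username, password)

# Constructed sample vault; none of these are real accounts or credentials.
VAULT: List[Entry] = [
    ("lifehacker.example", "mark", "gorilla"),
    ("forum.example", "mark", "gorilla"),
    ("bank.example", "mark", "dkfje&KPiOudkfje(*(3!"),
    ("mail.example", "mark", "mydoghas1flea!"),
    ("shop.example", "mark", "gorilla"),
]

# Constructed stand-in for a list of common passwords.
COMMON_WORDS: Set[str] = {"password", "qwerty", "gorilla", "123456", "letmein"}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+.,?"


def find_reused_passwords(vault: List[Entry]) -> Dict[str, List[str]]:
    """Map each password that appears on more than one site to those sites."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def find_weak_passwords(vault: List[Entry], wordlist: Set[str] = COMMON_WORDS,
                        min_length: int = 12) -> List[str]:
    """Sites whose password is a common word or shorter than min_length."""
    return sorted(site for site, _user, pw in vault
                  if pw.lower() in wordlist or len(pw) < min_length)


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """A random password from the OS CSPRNG (secrets), one per site."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(vault: List[Entry]) -> List[Entry]:
    """Return a copy of the vault with every flagged site given its own fresh password."""
    flagged = set(find_weak_passwords(vault))
    for sites in find_reused_passwords(vault).values():
        flagged.update(sites)
    return [(site, user, generate_password() if site in flagged else pw)
            for site, user, pw in vault]
```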
LastPass is free for its basic version which will do all that most people need. You can pay $1 per month for extra features like Blackberry support.
Conclusion
Take the time to think about your password strategy. Mistakes are going to happen and you want to make sure you are in the safest position possible if your password for a site somehow gets discovered like mine did.
Scott Elkin says
I literally wrote a very similar email to all my friends and family this morning with a very similar story and just posted it to my blog. The premise was exactly the same (as my old password was stolen), but wrote more about getting non-techies to understand why 1Password was so important.
Great post – we are on parallel lives :). I think you’ll appreciate the similarities of our posts.
Mandar Vaze says
Mark,
Your analysis of how passwords should be checked is fairly accurate.
But the statement ” … this meant that LifeHacker didn’t have to keep a copy of each user’s password on their server.” is incorrect.
Gawker didn’t store hashed passwords as they should have. The following link suggests that their password DB was stored using DES encryption:
http://www.computerworld.com/s/article/9201139/Gawker_hack_analysis_reveals_weak_passwords
(Search google and one may find more links confirming that)
Encryption by definition is reversible (hash isn’t – as you’ve already pointed out above) – and DES was cracked over a decade ago.
I started using LastPass on the same day – right after “resetting” my LH password :)
Thanks for the great post!!
Mark Shead says
Interesting. I didn’t look at the code. However, the passwords that were cracked all seemed to be things you’d find in a dictionary of hashes which is why I thought that was what happened. Thanks for the clarification.
I found some other information that suggested they were only using the first 8 characters of any password–so even if you had used a very long password, you’d only need the first 8 characters to actually get in.
Mandar Vaze says
Additional information about the Gawker breach:
http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html
Simon MacDonald says
I love 1Password for my Mac. When you combine 1Password and Dropbox together to sync passwords across multiple machines then life gets so much easier.
Mark Shead says
I like 1Password, but I just moved everything over to LastPass to try. I think I’m going to like it even better. Here are a couple things that I’ve found so far:
- Password audit – shows you all of your passwords, where they are used more than once and the strength of each one.
- Supports more platforms and more browsers–including most mobile devices (with the premium $12 per year option).
- Syncs between computers automatically. Plus a web version that decrypts passwords on the fly on your client.
- Lets you share specific passwords with your assistant or family members.
Anelly says
I was also subscribed to Lifehacker and I had to change my password. The truth is that it was not very secure.