The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective. This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012

1. Password (in)security
How to generate and store passwords
in a secure way
by Enrico “cerin0” Zimuel

2. About me
1998
Enrico “cerin0” Zimuel
Developer since Texas Instruments TI99/4A
Research programmer, Informatics institute of UvA (Amsterdam)
Core team of the open source project Zend Framework
Co-author of the books “Segreti, Spie Codici Cifrati”, “Come si fa a
usare la firma digitale”, “PHP Best Practices”
Founder of the PHP User Group Torino
http://www.zimuel.it

3. Password
A password is a secret word or
string of characters that is used for
authentication.

4. User perspective:
How to choose a “secure” password?
Developer perspective:
How to store a password in a secure way?

5. Password security
Basically every security system
is based on password.

6. When security fails...

7. linkedin.com
Hack: 6th June 2012
More than 6 million passwords
was compromised
SHA1 password

8. eharmony.com
Hack: 6th June 2012
More than 1.5 million passwords
was compromised
SHA1 password

9. last.fm
Hack: 7th June 2012
? million passwords was
compromised
MD5 password

10. yahoo.com
Hack: 12th June 2012
443K passwords was compromised
SQL injection, password in plaintext!

11. How to choose a “robust”
user's password

13. Some best practices:
●
No personal information
●
A long pass phrase is better than a shorter
random jumble of characters
●
At least 10 characters long
●
Don't use the same password for everything
●
Change your password from time to time

14. http://howsecureismypassword.net/

15. Developers
Force the user to generate
robust password

16. Developers
How to store a password in a
secure way?

17. Old school (deprecated)
Use hash algorithms like
MD5 or SHA1

18. New school (deprecated?)
Use hash algorithm + salt
(a random string).

19. Using hash + salt
Prevent dictionary attacks? YES
Prevent brute force attacks? NO

20. Brute forcing attacks
CPU power is growing (multi-core)
GPU are rendering password security
useless
Use a Cloud system (n-CPU)

21. Brute forcing with a GPU
Source: www.nvidia.com

22. GPU and CUDA
CUDA™ is a parallel computing
platform and programming model
invented by NVIDIA

23. Extreme GPU Bruteforcer
using NVIDIA GTS250 ~ $100
Algorithm Speed 8 chars 9 chars 10 chars
md5($pass) 426 million p/s 6 days 1 year 62 years
md5($pass.$salt) 170 million p/s 14 days 2 ½ years 156 years
sha1($pass) 85 million p/s 29 days 5 years 313 years
sha1($pass.$salt) 80 million p/s 31 days 5 years 332 years
Password of 62 characters (a-z, A-Z, 0-9)
Source: http://www.insidepro.com/eng/egb.shtml

24. IGHASHGPU
ATI HD 5970 ~ $700
Algorithm Speed 8 chars 9 chars 10 chars
md5($pass) 5600 million p/s 10 hours 27 days 4 ½ years
sha1($pass) 2300 million p/s 26 hours 68 days 11 ½ years
Password of 62 characters (a-z, A-Z, 0-9)
Source: http://www.golubev.com/hashgpu.htm

25. Whitepixel
4 Dual HD 5970
~ $2800
Algorithm Speed 8 chars 9 chars 10 chars
md5($pass) 33 billion p/s 1 ½ hour 4 ½ days 294 days
Password of 62 characters (a-z, A-Z, 0-9)
Source: http://blog.zorinaq.com/?e=42

26. Secure algorithms for
password storing
●Hash + salt + stretching (i.e. PBKDF2)
● bcrypt
● scrypt

27. Hash + salt + stretching
● Stretching = iterate (hash + salt) n-times
key = ““
for 1 to n­times do
key = hash(key + password + salt)

28. How to estimate the
number of iterations?
●The number of iterations depends on the CPU
speed, should take around 1 sec to be considered
secure
● For instance, this PHP code:
<?php
$key='';
for ($i=0;$i<NUM_ITERATIONS;$i++) {
$key= hash('sha512',$key.$salt.$password);
}
runs in 900 ms with NUM_ITERATIONS= 40'000 using
an Intel Core 2 at 2.1Ghz

29. PBKDF2
● PBKDF2 (Password-Based Key Derivation Function 2)
is a key derivation function that is part of RSA
Laboratories' Public-Key Cryptography Standards
(PKCS) series, specifically PKCS #5 v2.0
● PBKDF2 applies a pseudorandom function, such as a
cryptographic hash, cipher, or HMAC to the input password
or passphrase along with a salt value and repeats the
process many times to produce a derived key, which can
then be used as a cryptographic key in subsequent
operations

30. PBKDF2 in PHP
PBKDF2 in PHP (Zend Framework 2.0)
function calc($hash, $password, $salt, $iterations, $length) {
$num = ceil($length / Hmac::getOutputSize($hash,
Hmac::OUTPUT_BINARY));
$result = '';
for ($block = 1; $block <= $num; $block++) {
$hmac = Hmac::compute($password, $hash, $salt . pack('N',
$block), Hmac::OUTPUT_BINARY);
$mix = $hmac;
for ($i = 1; $i < $iterations; $i++) {
$hmac = Hmac::compute($password, $hash, $hmac,
Hmac::OUTPUT_BINARY);
$mix ^= $hmac;
}
$result .= $mix;
}
return substr($result, 0, $length);
}

31. bcrypt
● http://bcrypt.sourceforge.net/
● bcrypt uses Blowfish cipher + iterations to generate
secure hash values
● bcrypt is secure against brute force or dictionary
attacks because is slow, very slow (that means attacks
need huge amount of time to be completed)

32. bcrypt parameters
●The algorithm needs a salt value and a work factor
parameter (cost), which allows you to determine
how expensive the bcrypt function will be
●The cost value depends on the CPU speed, check
on your system! I suggest to set at least 1 second.

33. bcrypt in PHP
●
bcrypt is implemented in PHP with the crypt()
function:
$salt = substr(str_replace('+', '.',
base64_encode($salt)), 0, 22);
$hash = crypt($password,'$2a$'.$cost.'$'.$salt);
●
For instance, $password= 'thisIsTheSecretPassword' and
$salt= 'hsjYeg/bxn()%3jdhsGHq0'
aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$a9c810e9c722af719adabcf50d
b8a0b4cd0d14e07eddbb43e5f47bde620a3c13
Green= salt, Red= encrypted password

34. scrypt
●
http://www.tarsnap.com/scrypt.html
●
scrypt is a sequential memory hard algorithm:
●
memory-hard functions require high memory
●
cannot be parallelized efficiently
●
scrypt uses PBKDF2, HMAC-SHA256, Salsa 20/8 core

35. scrypt security
“From a test executed on modern (2009) hardware,
if 5 seconds are spent computing a derived key, the
cost of a hardware brute-force attack against scrypt
is roughly 4000 times greater than the cost of a
similar attack against bcrypt (to find the same
password), and 20000 times greater than a similar
attack against Pbkdf2."
Colin Percival
(the author of scrypt algorithm)

36. Conclusion
●
As user:
Use only “robust” password (e.g. long pass phrase is
better than a shorter random jumble of characters)
Don't use the same password for different services
●
As developer:
Don't use hash or hash+salt to store a password!
Use hash+salt+stretching (PBKDF2), bcrypt or scrypt
to store your passwords

37. References
●
Colin Percival, Stronger Key Derivation via Sequential
Memory-Hard Functions, presented at BSDCan'09, May 2009
●
Morris, Robert, Thompson, Ken, Password Security: A Case
History, Bell Laboratories, 2011
●
Coda Hale, How to safely store a password, 2010
http://codahale.com/how-to-safely-store-a-password/
●
J. Kelsey, B. Schneier, C. Hall, and D. Wagner, Secure
Applications of Low-Entropy Keys, nformation Security
Workshop (ISW'97), 1997
●
Marc Bevand, Whitepixel breaks 28.6 billion password/sec
http://blog.zorinaq.com/?e=42
●
Andrew Zonenberg, Distributed Hash Cracker: A Cross-
Platform GPU-Accelerated Password Recovery System, 2009

38. Thanks!
Contacts:
enrico@zimuel.it
@ezimuel