<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Biogy</title>
	<atom:link href="http://www.biogy.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.biogy.com</link>
	<description>Identify yourself securely</description>
	<lastBuildDate>Sat, 27 Feb 2010 21:05:42 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Password Security</title>
		<link>http://www.biogy.com/2010/02/password-security/</link>
		<comments>http://www.biogy.com/2010/02/password-security/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 12:31:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.biogy.com/?p=6</guid>
		<description><![CDATA[There is an interesting investigation into an issue with a GoDaddy hosted website. The investigation touches on a number of different things but one of them is that GoDaddy stores passwords without hashing them.
I did my undergraduate computer science degree in the early 1970s and even then we were taught that passwords should always be hashed (we called them one-way-ciphers back then). Instead of comparing the actual password to whatever was typed, the typed password<a href="http://www.biogy.com/2010/02/password-security/">&#160;Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>There is an interesting investigation into an <a href="http://blog.sucuri.net/2010/02/godaddy-store-your-passwords-in-clear.html">issue with a GoDaddy hosted website</a>. The investigation touches on a number of different things but one of them is that GoDaddy stores passwords without hashing them.</p>
<p>I did my undergraduate computer science degree in the early 1970s and even then we were taught that passwords should always be hashed (we called them one-way-ciphers back then). Instead of comparing the actual password to whatever was typed, the typed password was hashed and compared to the stored hashed password. In this way, even if the password file was compromised, it was impossible to recover the passwords.</p>
<p>As computers got faster, <a href="http://docstore.mik.ua/orelly/networking/puis/ch08_06.htm">two changes were made, most publicly in the Unix operating system</a>. Firstly, the encryption algorithm needed to become computationally expensive, unlike most encryption, where efficiency is one of the goals. Secondly, a salt was stored along with the password. These two changes made it intractable, at least for a time, to pre-compute hashed values for an entire dictionary or for all possible passwords.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.biogy.com/2010/02/password-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NIST Certified USB Drives Cracked</title>
		<link>http://www.biogy.com/2010/02/nist-certified-usb-drives-cracked/</link>
		<comments>http://www.biogy.com/2010/02/nist-certified-usb-drives-cracked/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 12:18:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Releases]]></category>
		<category><![CDATA[Certified]]></category>
		<category><![CDATA[Drives]]></category>
		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://www.biogy.com/?p=1</guid>
		<description><![CDATA[Three NIST certified USB drives (those from Kingston, Sandisk and Verbatim) have been cracked. It turns out that the protocol for communicating between the password checking software on the host, and the encryption engine on the drive itself was very naively implemented. A fixed string was sent from the host to the drive to indicate that the password had been entered correctly and so to unlock the drive. Of course, any other mechanism for sending<a href="http://www.biogy.com/2010/02/nist-certified-usb-drives-cracked/">&#160;Read more...</a>]]></description>
<content:encoded><![CDATA[<p>Three NIST certified USB drives (those from Kingston, Sandisk and Verbatim) have been cracked. It turns out that the protocol for communicating between the password checking software on the host and the encryption engine on the drive itself was very naively implemented. A fixed string was sent from the host to the drive to indicate that the password had been entered correctly and so to unlock the drive. Of course, any other mechanism for sending the appropriate string to the device would work just as well and so unlock the drive without the need to know the password.</p>
<p>The best solution to this is to perform all the authentication on the drive itself, as Biogy does on its personal data vault. But even if authentication is done on the host, the protocol used to unlock the drive must not be vulnerable to a simple replay.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.biogy.com/2010/02/nist-certified-usb-drives-cracked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
