Transcript
Page 1: Password (in)security

Password (in)security

How to generate and store passwords in a secure way

by Enrico “cerin0” Zimuel

Page 2: Password (in)security

About me

● Enrico “cerin0” Zimuel
● Developer since Texas Instruments TI99/4A
● Research programmer, Informatics institute of UvA (Amsterdam)
● Core team of the open source project Zend Framework
● Co-author of the books “Segreti, Spie Codici Cifrati”, “Come si fa a usare la firma digitale”, “PHP Best Practices”
● Founder of the PHP User Group Torino
● http://www.zimuel.it

1998

Page 3: Password (in)security

Password

A password is a secret word or string of characters that is used for authentication.

Page 4: Password (in)security

User perspective:

How to choose a “secure” password?

Developer perspective:

How to store a password in a secure way?

Page 5: Password (in)security

Password security

Basically every security system is based on passwords.

Page 6: Password (in)security

When security fails...

Page 7: Password (in)security

linkedin.com

Hack: 6th June 2012
More than 6 million passwords were compromised
SHA1 password

Page 8: Password (in)security

eharmony.com

Hack: 6th June 2012
More than 1.5 million passwords were compromised
SHA1 password

Page 9: Password (in)security

last.fm

Hack: 7th June 2012
? million passwords were compromised
MD5 password

Page 10: Password (in)security

yahoo.com

Hack: 12th June 2012
443K passwords were compromised
SQL injection, password in plaintext!

Page 11: Password (in)security

How to choose a “robust” user's password

Page 12: Password (in)security
Page 13: Password (in)security

Some best practices:

● No personal information
● A long pass phrase is better than a shorter random jumble of characters
● At least 10 characters long
● Don't use the same password for everything
● Change your password from time to time

Page 14: Password (in)security

http://howsecureismypassword.net/

Page 15: Password (in)security

Developers

Force the user to generate a robust password

Page 16: Password (in)security

How to store a password in a secure way?

Developers

Page 17: Password (in)security

Old school (deprecated)

Use hash algorithms like MD5 or SHA1

Page 18: Password (in)security

New school (deprecated?)

Use hash algorithm + salt (a random string).

Page 19: Password (in)security

Using hash + salt

Prevent dictionary attacks? YES
Prevent brute force attacks? NO

Page 20: Password (in)security

Brute forcing attacks

CPU power is growing (multi-core)
GPUs are rendering password security useless
Use a Cloud system (n-CPU)

Page 21: Password (in)security

Brute forcing with a GPU

Source: www.nvidia.com

Page 22: Password (in)security

GPU and CUDA

CUDA™ is a parallel computing platform and programming model invented by NVIDIA

Page 23: Password (in)security

Extreme GPU Bruteforcer using NVIDIA GTS250 ~ $100

Source: http://www.insidepro.com/eng/egb.shtml

Algorithm            Speed              8 chars   9 chars     10 chars
md5($pass)           426 million p/s    6 days    1 year      62 years
md5($pass.$salt)     170 million p/s    14 days   2 ½ years   156 years
sha1($pass)          85 million p/s     29 days   5 years     313 years
sha1($pass.$salt)    80 million p/s     31 days   5 years     332 years

Passwords drawn from 62 characters (a-z, A-Z, 0-9)

Page 24: Password (in)security

IGHASHGPU
ATI HD 5970 ~ $700

Source: http://www.golubev.com/hashgpu.htm

Algorithm      Speed               8 chars    9 chars   10 chars
md5($pass)     5600 million p/s    10 hours   27 days   4 ½ years
sha1($pass)    2300 million p/s    26 hours   68 days   11 ½ years

Passwords drawn from 62 characters (a-z, A-Z, 0-9)

Page 25: Password (in)security

Whitepixel
4 Dual HD 5970 ~ $2800

Source: http://blog.zorinaq.com/?e=42

Algorithm     Speed            8 chars     9 chars    10 chars
md5($pass)    33 billion p/s   1 ½ hour    4 ½ days   294 days

Passwords drawn from 62 characters (a-z, A-Z, 0-9)

Page 26: Password (in)security

Secure algorithms for password storing

● Hash + salt + stretching (i.e. PBKDF2)
● bcrypt
● scrypt

Page 27: Password (in)security

Hash + salt + stretching

● Stretching = iterate (hash + salt) n-times

    key = ""
    for 1 to n-times do
        key = hash(key + password + salt)

Page 28: Password (in)security

How to estimate the number of iterations?

● The number of iterations depends on the CPU speed; the computation should take around 1 sec to be considered secure

● For instance, this PHP code:

    <?php
    // $salt and $password are assumed to be set already
    $key = '';
    for ($i = 0; $i < NUM_ITERATIONS; $i++) {
        $key = hash('sha512', $key . $salt . $password);
    }

runs in 900 ms with NUM_ITERATIONS= 40'000 using an Intel Core 2 at 2.1 GHz

Page 29: Password (in)security

PBKDF2

● PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0

● PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations

Page 30: Password (in)security

PBKDF2 in PHP

PBKDF2 in PHP (Zend Framework 2.0)

    use Zend\Crypt\Hmac; // HMAC helper class from Zend Framework 2

    function calc($hash, $password, $salt, $iterations, $length) {
        // number of HMAC-sized blocks needed to cover $length bytes
        $num = ceil($length / Hmac::getOutputSize($hash, Hmac::OUTPUT_BINARY));
        $result = '';
        for ($block = 1; $block <= $num; $block++) {
            // first round: HMAC over salt || block index
            $hmac = Hmac::compute($password, $hash, $salt . pack('N', $block), Hmac::OUTPUT_BINARY);
            $mix = $hmac;
            // remaining rounds: HMAC the previous output and XOR it in
            for ($i = 1; $i < $iterations; $i++) {
                $hmac = Hmac::compute($password, $hash, $hmac, Hmac::OUTPUT_BINARY);
                $mix ^= $hmac;
            }
            $result .= $mix;
        }
        return substr($result, 0, $length);
    }
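
The iteration estimate from the “How to estimate the number of iterations?” slide and the PBKDF2 derivation above, combined in an added example (not code from the talk or from Zend Framework): it times PHP's built-in hash_pbkdf2() to pick an iteration count, then stores and verifies a password. It assumes PHP 7.1 or later; the record layout, constants and function names are made up for this illustration.

```php
<?php
// Added example. The "algo$iterations$salt$key" record layout is an
// assumption made for this illustration, not a standard format.
const ALGO = 'sha512';
const KEY_LEN = 32; // bytes of derived key to store

// Time a short probe run and scale it linearly to the target duration.
function calibrateIterations(float $targetSeconds, int $probe = 20000): int
{
    $start = microtime(true);
    hash_pbkdf2(ALGO, 'benchmark-password', random_bytes(16), $probe, KEY_LEN, true);
    $elapsed = max(microtime(true) - $start, 1e-6);
    return max($probe, (int) round($probe * $targetSeconds / $elapsed));
}

// Derive a key with a fresh random salt and pack everything needed to verify.
function createRecord(string $password, int $iterations): string
{
    $salt = random_bytes(16);
    $key = hash_pbkdf2(ALGO, $password, $salt, $iterations, KEY_LEN, true);
    return implode('$', [ALGO, $iterations, base64_encode($salt), base64_encode($key)]);
}

// Re-derive with the stored salt and iteration count; compare in constant time.
function verifyRecord(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== ALGO
        || !ctype_digit($parts[1]) || (int) $parts[1] < 1) {
        return false;
    }
    $salt = base64_decode($parts[2], true);
    $key = base64_decode($parts[3], true);
    if ($salt === false || $key === false || $key === '') {
        return false;
    }
    $candidate = hash_pbkdf2(ALGO, $password, $salt, (int) $parts[1], strlen($key), true);
    return hash_equals($key, $candidate);
}

$iterations = calibrateIterations(1.0); // the slides suggest about 1 second
$record = createRecord('thisIsTheSecretPassword', $iterations);
var_dump(verifyRecord('thisIsTheSecretPassword', $record));
var_dump(verifyRecord('wrongPassword', $record));
```

Storing the iteration count inside each record lets the count be raised later without invalidating hashes created under the old value.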

Page 31: Password (in)security

bcrypt

● http://bcrypt.sourceforge.net/

● bcrypt uses the Blowfish cipher + iterations to generate secure hash values

● bcrypt is secure against brute force or dictionary attacks because it is slow, very slow (that means attacks need a huge amount of time to complete)

Page 32: Password (in)security

bcrypt parameters

● The algorithm needs a salt value and a work factor parameter (cost), which allows you to determine how expensive the bcrypt function will be

● The cost value depends on the CPU speed, check on your system! I suggest setting it so that hashing takes at least 1 second.

Page 33: Password (in)security

bcrypt in PHP

● bcrypt is implemented in PHP with the crypt() function:

    // crypt() expects a two-digit cost (e.g. '14') and a 22-character salt
    $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
    $hash = crypt($password, '$2a$' . $cost . '$' . $salt);

● For instance, $password= 'thisIsTheSecretPassword' and $salt= 'hsjYeg/bxn()%3jdhsGHq0'

    aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$a9c810e9c722af719adabcf50db8a0b4cd0d14e07eddbb43e5f47bde620a3c13

Green= salt, Red= encrypted password
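
An added example, not from the talk: bcrypt through PHP's password_hash() API, which generates the salt itself, with the cost chosen by timing as the “bcrypt parameters” slide recommends. It assumes PHP 7 or later; the function names are hypothetical and the stored hash is constructed for the demo.

```php
<?php
// Added example: password_hash() encodes algorithm, cost and salt inside
// the returned string, so no separate salt column is needed.

// Raise the cost until one hash takes at least $targetSeconds on this machine.
function findBcryptCost(float $targetSeconds, int $maxCost = 16): int
{
    for ($cost = 10; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

// Verify a login attempt; when the stored hash uses a different cost, return
// a replacement hash so the caller can update the stored value.
function checkLogin(string $password, string $storedHash, int $cost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $options = ['cost' => $cost];
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
        ? password_hash($password, PASSWORD_BCRYPT, $options)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

$cost = findBcryptCost(1.0); // the slides suggest at least 1 second

// Constructed sample: a hash created earlier with the minimum cost of 4.
$stored = password_hash('thisIsTheSecretPassword', PASSWORD_BCRYPT, ['cost' => 4]);

$result = checkLogin('thisIsTheSecretPassword', $stored, $cost);
var_dump($result['ok'], $result['newHash'] !== null);
var_dump(checkLogin('wrongPassword', $stored, $cost)['ok']);
```

bcrypt only uses the first 72 bytes of the password, so longer pass phrases are truncated at that length.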

Page 34: Password (in)security

scrypt

● http://www.tarsnap.com/scrypt.html

● scrypt is a sequential memory-hard algorithm:
    ● memory-hard functions require high memory
    ● cannot be parallelized efficiently

● scrypt uses PBKDF2, HMAC-SHA256, Salsa 20/8 core

Page 35: Password (in)security

scrypt security

“From a test executed on modern (2009) hardware, if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against Pbkdf2.”

Colin Percival (the author of the scrypt algorithm)

Page 36: Password (in)security

Conclusion

● As user:

Use only “robust” passwords (e.g. a long pass phrase is better than a shorter random jumble of characters)
Don't use the same password for different services

● As developer:

Don't use hash or hash+salt to store a password!
Use hash+salt+stretching (PBKDF2), bcrypt or scrypt to store your passwords

Page 37: Password (in)security

References

● Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, presented at BSDCan'09, May 2009

● Morris, Robert, Thompson, Ken, Password Security: A Case History, Bell Laboratories, 2011

● Coda Hale, How to safely store a password, 2010 http://codahale.com/how-to-safely-store-a-password/

● J. Kelsey, B. Schneier, C. Hall, and D. Wagner, Secure Applications of Low-Entropy Keys, Information Security Workshop (ISW'97), 1997

● Marc Bevand, Whitepixel breaks 28.6 billion password/sec http://blog.zorinaq.com/?e=42

● Andrew Zonenberg, Distributed Hash Cracker: A Cross-Platform GPU-Accelerated Password Recovery System, 2009

Page 38: Password (in)security

Thanks!

Contacts: [email protected]

@ezimuel

