The huge LivingSocial hack reported the other day follows a pattern we have seen many times lately. In this case the news is a little better than in previous incidents, but let's review what we know:
- 50 million accounts have been compromised, including email addresses and salted, hashed passwords
- As a precautionary measure, LivingSocial is asking all users to reset their passwords
- There is no news yet on how the hack was perpetrated
So there is a little bit of good news here. "What might that be?" you're probably asking. Well, the security folks at LivingSocial did salt their password hashes, which makes any attack against the stolen hashes much harder. Salting works like this: when you create your account, the back end generates a salt, a few bytes of random data unique to you, and combines it with your password. The combination is then hashed, and the salt and the hash are what get stored in the database: "HASHING ALGORITHM" is run on (SALT + Password), which creates a "HASH." When you later log in, the back end repeats the same computation with your stored salt and compares the result to the stored hash. The password itself is never written down.
Why is this good? Well, let's say the passwords were hashed but not salted. Then someone can take a dictionary or a list of commonly used passwords, figure out which hashing algorithm the site was using (typically SHA-2, or MD5 if the site is very old), hash every entry once, and compare that big list of candidate hashes against all of the stolen accounts at the same time. Precomputed tables of exactly this kind are freely available. If the site has salted passwords, with a different random salt per user, that trick stops working: you need to rebuild the dictionary hash list separately for every single user, and a precomputed table is useless. Across 50 million accounts that takes a really long time! So salting protects the password set as a whole from getting cracked in bulk. What it does not protect against is a single account being cracked: with a fast hash like SHA-2, running a dictionary against one user's salt takes seconds, so a weak password is still a weak password.
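To make the cost difference concrete, here is an added example (not code from the post or from LivingSocial) that builds a small constructed "leaked database" both ways, unsalted and with a per-user random salt, and runs the same dictionary attack against each. The account list, the dictionary and the use of SHA-256 as the stand-in for "SHA2" are all assumptions made for the illustration. The point it shows is the one above: the unsalted attack hashes the dictionary once for the whole dump, the salted attack has to redo it per account, and in both cases the accounts with weak passwords still fall.

```python
import hashlib
import os

# Constructed sample "leaked database": four accounts, three with passwords
# from a typical cracking dictionary and one with a strong passphrase.
# These are made-up accounts, not LivingSocial data.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "123456",
    "bob@example.com": "letmein",
    "carol@example.com": "password",
    "dave@example.com": "correct horse battery staple",
}

# A tiny stand-in for the attacker's dictionary of common passwords.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein", "livingsocial"]


def sha256_hex(data: bytes) -> str:
    """Fast general-purpose hash, standing in for 'SHA2' in the text."""
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> dict:
    """What a site that only hashes does: every user with the same
    password gets the same stored value."""
    return {"hash": sha256_hex(password.encode())}


def store_salted(password: str) -> dict:
    """Per-user random salt combined with the password before hashing.
    The salt is stored in the clear next to the hash; it is not a secret."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": sha256_hex(salt + password.encode())}


def build_database(accounts: dict, salted: bool) -> dict:
    store = store_salted if salted else store_unsalted
    return {email: store(pw) for email, pw in accounts.items()}


def crack_unsalted(db: dict, dictionary: list) -> tuple:
    """Hash the dictionary once, then look every account up in the
    resulting table. Cost: len(dictionary) hashes for the whole dump."""
    table = {sha256_hex(w.encode()): w for w in dictionary}
    recovered = {email: table[rec["hash"]]
                 for email, rec in db.items() if rec["hash"] in table}
    return recovered, len(dictionary)


def crack_salted(db: dict, dictionary: list) -> tuple:
    """The salt differs per account, so nothing can be precomputed and the
    dictionary has to be rehashed for every user.
    Cost: len(db) * len(dictionary) hashes."""
    recovered = {}
    work = 0
    for email, rec in db.items():
        for candidate in dictionary:
            work += 1
            if sha256_hex(rec["salt"] + candidate.encode()) == rec["hash"]:
                recovered[email] = candidate
    return recovered, work


def compare_attacks(accounts: dict = SAMPLE_ACCOUNTS,
                    dictionary: list = WEAK_PASSWORDS) -> dict:
    """Run both attacks and report what was recovered and at what cost."""
    unsalted_hits, unsalted_work = crack_unsalted(
        build_database(accounts, salted=False), dictionary)
    salted_hits, salted_work = crack_salted(
        build_database(accounts, salted=True), dictionary)
    return {
        "unsalted": {"recovered": unsalted_hits, "hashes": unsalted_work},
        "salted": {"recovered": salted_hits, "hashes": salted_work},
    }


if __name__ == "__main__":
    result = compare_attacks()
    for scheme, outcome in result.items():
        print(f"{scheme}: cracked {len(outcome['recovered'])} of "
              f"{len(SAMPLE_ACCOUNTS)} accounts with {outcome['hashes']} hashes")
```

With four accounts the salted attack costs four times as many hashes; with 50 million accounts it costs 50 million times as many, which is the whole benefit. Note that `store_unsalted` produces identical hashes for identical passwords, so an attacker can also spot shared passwords at a glance, while `store_salted` hides that too. Neither variant saves alice, bob or carol, which is why the slow-hash recommendation further down matters.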
Ok, so should you change your password now? Yeah, probably. So what can websites do?
- Use two-factor authentication (2FA)
If LivingSocial had used 2FA, stolen passwords alone would not have been enough to take over accounts: the attacker would have needed both the password (something the user knows) and the 2FA device (a mobile phone, in the case of TeleSign, which is something the user has). To get into an account you want there to be two components, one you know and one you have. Keep in mind that 2FA protects the LivingSocial account itself; it does nothing for other sites where a user reused the same password.
- Salting is good, double salting is better. If they had mixed in a second, secret salt (usually called a pepper) and stored it somewhere other than the database, for example in an HSM or the application's configuration, then a dump of the database alone would not be enough to crack the hashes; the attacker would have to steal the secret as well. That is not the same as impossible, but it means one compromise is no longer sufficient.
- Don't use MD5 or SHA-2 as the password hashing algorithm; use bcrypt (or scrypt or PBKDF2). SHA-2 is designed to be super fast, which is exactly what an attacker running a dictionary wants. bcrypt is deliberately slow, with a cost factor you can raise as hardware gets faster, and it generates and stores the salt for you. That doesn't make hash breaking impossible, but it cuts the attacker's guess rate by orders of magnitude, which makes cracking at scale impractical.
Read about it here: https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
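Putting the last two recommendations together, here is an added example (not LivingSocial's code or anything from the linked article) of password storage with a per-user salt, a server-side pepper and a deliberately slow hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the bcrypt recommended above, so it runs without third-party packages; the structure is the same with bcrypt, which generates the salt itself. The `PEPPER` constant, the iteration count, the sample password and the attacker's dictionary are all assumptions for the illustration. The `offline_crack` function models the attacker in both situations: holding the database plus the pepper, and holding the database only.

```python
import hashlib
import hmac
import os

# Assumed: in production the pepper lives outside the user database, e.g.
# in an HSM, a KMS, or the application's secret store, never in the same
# place as the password table. It is generated here only so the example
# runs offline.
PEPPER = os.urandom(32)

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example finishes
# quickly; production deployments use hundreds of thousands of iterations
# (or bcrypt/scrypt) and raise the number as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16


def _pepper_password(password: str, pepper: bytes) -> bytes:
    """Keyed step: HMAC the password under the server-side secret. Without
    the pepper an attacker cannot even produce the input to the slow hash."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS) -> dict:
    """Produce the record to store: per-user salt, cost, and derived key.
    The salt and iteration count are not secrets; the pepper is."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", _pepper_password(password, pepper),
                              salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": key}


def verify_password(password: str, record: dict,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and cost, then compare in constant
    time so the comparison itself leaks nothing about matching bytes."""
    candidate = hashlib.pbkdf2_hmac("sha256",
                                    _pepper_password(password, pepper),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_crack(record: dict, dictionary: list, pepper: bytes):
    """Attacker's dictionary attack against one stolen record. The attacker
    knows the scheme (salt and iteration count sit in the database) but
    only succeeds if the pepper they hold is the real one."""
    for candidate in dictionary:
        if verify_password(candidate, record, pepper):
            return candidate
    return None


if __name__ == "__main__":
    record = hash_password("letmein")       # constructed weak password
    guesses = ["123456", "password", "letmein"]
    print("db + pepper stolen:", offline_crack(record, guesses, PEPPER))
    print("db only (pepper unknown):",
          offline_crack(record, guesses, b"\x00" * 32))
```

Two design notes. The pepper is applied with HMAC rather than by string concatenation so it behaves as a proper key, and the iteration count is stored in each record so it can be raised for new passwords without invalidating old ones. If you swap in bcrypt, encode the HMAC output (for example base64) before passing it in, since bcrypt implementations commonly stop reading at a NUL byte and a raw digest may contain one.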
I hope LivingSocial follows up their announcement with a detailed post mortem. The way the community gets better at security is by understanding what mistakes were made, embarrassing as they may be. There are things they could do better to protect their users, but they have taken the first important step in telling people that something happened. Let's hope they follow up with changes so that this can't happen again.