
Frequently used passwords: how not to get caught yourself and protect users

Last year was rich in reports of hacked social networks, organizations and large projects, and almost every one of them involved “frequently used passwords”, which, despite their insecurity, continue to be used by millions of users.

The use of slow hashing algorithms and the “salting” of passwords makes brute-forcing them much harder, so the next easy target for attackers is the passwords that are common among the masses and easy to pick out “by dictionary”. This approach is both simpler and more effective: no matter how strong your hashing algorithm is, popular passwords can make up the lion’s share of a stolen database, and if they can be recovered in the shortest time, the attacker has every chance to use them before the leak is detected and users change their passwords.

Is it possible to deal with this? Easily! Does anyone fight it? I have not seen it. So it's time to start.

On many resources a password complexity validator is attached to the registration form, but unfortunately the calculation itself is controversial and subjective: for some reason special characters and both uppercase and lowercase letters are required, while it is not always taken into account that password length protects it much more. On the other hand, a long but simple password can be frequently used, which does not make it safe. This is slightly off the main topic of the article, so password length is under the spoiler.

Password length, and interesting finds
I will not go into the theory of password complexity calculation myself, because there is a very good article on Habr about it, and also a fairly decent description on Wikipedia.

As an example, and to demonstrate the idea I want to convey, I will take a few passwords:

  1. KCEvcefv4v (10 characters)
  2. 111111111111111111 (18 characters)
  3. yTp3HHuuCTo9kyTp3HHuuCTo9kyTp3HHuuCTo9k (39 characters)

The complexity of an exhaustive search for these passwords is:

  1. 62^10 ≈ 839E+15 options
  2. 10^18 = 1000E+15 options
  3. 62^39 ≈ 8E+69 options

Comparing the first and second passwords, we find that a long password made of digits not only turns out to be harder than a short password made of mixed-case letters and digits, but is also easier to remember, because it is just 18 ones. It is important to understand that the ones are hashed and the attacker does not know which characters were used, so every possible character will be tried when searching for the password. But if, suddenly, after reading this article everyone starts using such a password, the real time to crack it will be milliseconds, since it will become a frequently used one.

The question remains: why is the long and clearly “impenetrable” password on this list? Surprise! “Morning riser” (yTp3HHuuCTo9k), repeated three times to reach a length of 39 characters, is in the first million frequently used passwords, and for all its complexity it is picked from the list in a second, just like in real life. So if you happen to use such a password, I recommend changing it.

But nowhere have I seen hints like “hey, friend, this password is not that hard, it’s in 10th place among frequently used passwords, so don’t count on confidentiality”.

With some desire and skill you can find a bunch of free password lists on the Internet, both for viewing and for download. Of course, for any expert who is familiar with the console and the magic of “grep”, it is easy to go through a password file and check their own (another matter is that you will probably be as lazy as me).

But for users it is a little more complicated: they are hardly on intimate terms with the console, they don’t have lists of frequently used passwords, and they probably don’t even suspect that something is wrong with their passwords.

I decided to eliminate this injustice guided by the following principles:


You can view the code or install the bundle at the link:

https://github.com/Nidhognit/PassSecurityBundle

There is a demo where you can check a password online (UPD: this is meant for checking test passwords; using real passwords is not recommended): https://demo-pass-security-bundle.herokuapp.com/

UPD: IMPORTANT! The demo is not a service, site or full-fledged application; it serves only and exclusively to demonstrate the operation of the code linked a little higher. That is, the article is not about a site where you can check your password, but about a solution that you can set up for your project to help users check their passwords (as I understood from the comments this was not obvious, so I decided to clarify).

Note: to ensure confidentiality, I keep no logs (I don’t even connect logging tools), keep no statistics and do not save submitted passwords, and all the code is fully open for review. Heroku.com was chosen as the platform for the demo partly because it eventually kills the server and redeploys it, losing all intermediate state (so sometimes you will see a 500 when following the link, but if you refresh the page everything will be OK in a few seconds). However, I cannot guarantee complete confidentiality; for maximum effect, deploy the project locally.

The bundle does only one thing: it looks the password up in the list and returns the position at which it was found, or null.

Initially, of course, I wanted to write a full-fledged password validator with a complexity assessment and a verdict, but I settled on a simple position lookup, because every project has different security requirements (although, in my opinion, if a password is found in the list at all, then regardless of its position it is not safe; you may have a different opinion).

Two files with password lists, of 100 thousand (used by default) and 1 million entries, are bundled in. By the way, if you have interesting lists of frequently used passwords and don’t mind sharing them with the public, I would be grateful.
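The two ideas above, the brute-force estimate from the spoiler and the bundle's position lookup, combined in one small check. This is an added example written for this article, not code from PassSecurityBundle; the word list and its ordering are constructed for illustration, and in practice the list would be read from a file with one password per line.

```python
"""Rank a password in a common-password list and estimate its brute-force space.

Added example, not the bundle's own code. COMMON_PASSWORDS is a constructed
sample whose order is invented; a real list has one password per line,
most common first, so line number == rank.
"""
from string import ascii_lowercase, ascii_uppercase, digits, punctuation
from typing import Dict, Iterable, Optional

# Constructed sample list (rank 1 = first entry). Not real frequency data.
COMMON_PASSWORDS = [
    "123456",
    "password",
    "111111111111111111",
    "qwerty",
    "yTp3HHuuCTo9kyTp3HHuuCTo9kyTp3HHuuCTo9k",
]


def build_rank_index(lines: Iterable[str]) -> Dict[str, int]:
    """Map each password to its 1-based position; first occurrence wins."""
    ranks: Dict[str, int] = {}
    for pos, line in enumerate(lines, start=1):
        pw = line.rstrip("\r\n")
        ranks.setdefault(pw, pos)
    return ranks


def common_password_rank(password: str, ranks: Dict[str, int]) -> Optional[int]:
    """Position of the password in the list, or None if absent (the bundle's contract)."""
    return ranks.get(password)


def search_space(password: str) -> int:
    """Exhaustive-search size, assuming the attacker must try every character
    class that actually appears in the password (digits -> 10, lower -> 26,
    upper -> 26, punctuation -> its class size), as in the article's 62^10."""
    classes = ((digits, 10), (ascii_lowercase, 26), (ascii_uppercase, 26),
               (punctuation, len(punctuation)))
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return alphabet ** len(password)


def assess(password: str, ranks: Dict[str, int]) -> dict:
    """A huge search space means nothing if the password is on the list."""
    rank = common_password_rank(password, ranks)
    return {"search_space": search_space(password), "rank": rank, "in_list": rank is not None}


if __name__ == "__main__":
    index = build_rank_index(COMMON_PASSWORDS)
    for pw in ("KCEvcefv4v", "111111111111111111", COMMON_PASSWORDS[-1]):
        print(pw, assess(pw, index))
```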

A little bit about the experience of using


After I wrote the bundle, I tested all my passwords with it (yes, I never did get around to “grep”). I was surprised to find that one of my home passwords, despite its formidable appearance and length of more than 11 characters, took a rather unflattering place in the list.

Friends and acquaintances who tried the demo also found some of their passwords to be unsafe; for now the acquaintance whose password was found in 39th place is in the lead. Who can beat him? Tell me :)

Source: https://habr.com/ru/post/323992/
