Ethics of password cracking/dissemination

It's rare these days for me to write blogs that I have to put a lot of thought into. Most of my writing is technical, which comes pretty naturally, but I haven't written an argument since I minored in philosophy. So, if my old Ethics or Philosophy profs are reading this, I'm sorry!

Introduction

Anybody who follows my blog/work regularly knows that I collect, crack, and disseminate password breaches. I have a wiki page devoted to breaches and dictionaries and I occasionally do talks on the subject. And if you follow me on Twitter, you'll see regular updates about password dictionaries.

The issue is, not everybody agrees with what I do (I was hoping to have more links in that sentence, but only two people actually said they thought it was wrong when I asked for comments on Twitter). Fortunately, many more people agreed that I was doing something good. So I take that as a small victory...

Anyway, this post is going to cover some of the pros and cons of what I do, and why I think that I'm doing the right thing, helping the world, etc.

Cons

#1: you're helping the bad guys
The issue I hear most often is that I'm making it easier for the bad guys, whether it's people trying to take over users' accounts or people trying to run brute-force attacks more efficiently. Now, keeping in mind that every security tool and piece of security research in some way helps both good guys and bad guys, this is why I'm comfortable that my work isn't benefiting bad guys in any significant way:

  • The data I'm getting is *from* bad guys in the first place, which means that they already have it
  • My data contains no personally identifiable information... more on that later
  • The most common passwords are already known, and sites that use passwords like 'qwerty' on their admin account will be compromised anyway (and who would do something like that *coughdarrylcough*). The best thing I can do is raise awareness.

#2: you're actively harming people
This is largely covered by my response to the previous point, but I wanted to reiterate: I do my best to ensure nobody is harmed.

It's a well known fact that people use the same password in multiple places. If you have 100 accounts online that each require a 7+ character password (or 14+ characters if you want actual security), how are you supposed to remember them? Unique passwords for facebook, twitter, gmail, hotmail, gawker, every random forum you visit, and so on and so on. Without a password management tool, you're re-using passwords. This week I decided to bite the bullet and strengthen all my passwords. I have 14 accounts that I would consider "important", and that doesn't include my computers themselves, my PGP key, my SSH key, and so on and so on.

Now, the biggest danger in these password breaches is when somebody uses the same username/email address on a compromised site that they use on a more important site (their bank? Paypal? or, God forbid.... Facebook?) Attackers, armed with usernames and passwords, can wreak havoc on somebody's online life. I found a great story about the singles.org compromise, but unfortunately I can't find it again so this one will have to do. The basic idea is, after 4chan folks compromised singles.org's password database, they started using those passwords to log into Facebook, online banking, etc.

Another, more modern version of that is the suspected link between the Gawker compromise and Açaí berry spam. Though nothing has been proven, and just using that word is probably going to get me some spam, some people suspect a correlation between the attack and the spam. Matt Weir has tried to prove this link, but so far I believe his results have been inconclusive.

Now, what am I doing to protect people? Well, first and foremost, I don't release personally identifiable information. Ever. Most of the breaches I get contain usernames, email addresses, and sometimes more (in 3 or 4 cases, I've received entire dumps of databases!). And I don't release those. When people come to my site, they're getting aggregated password counts, which is pure statistical data, nothing more. (One thing I can't protect is people who use an email address as their password - you aren't fooling anybody!)

By making it easy to get the sanitized list of passwords, it's less likely people will look for, find, download, and distribute the full version - the version that, in my opinion, is far more dangerous.

Another point worth mentioning: I occasionally sit on lists for weeks or months to help minimize the potential damage they'll do to companies and their users. While I won't admit to sitting on any right now, I think it's important to judge whether or not a particular list can cause more harm than good if I release it, and to release it only when the amount of harm it can cause is minimized (that is, when we know the bad guys already have the list, so releasing it to the good guys doesn't matter anymore).

Pros

So, those are the only cons I can think of, though I have somewhat of a biased view. If you feel I missed something important, let me know and I'll do my best to respond!

Now, on to why I think I'm doing a *good* thing!

#1: you're spreading the message on good password hashing
When I do talks, I discuss the benefits of good password hashing. With unsalted MD5, we can usually crack 90% or more of all passwords; with salted MD5, probably closer to 70%. If a site uses bcrypt or something similar as the primary means of storing their passwords (sorry, Gawker, but using bcrypt only helps you if you don't store a weaker hash type beside it), I'd bet we'd have trouble cracking more than 25% of all passwords.

To all Web developers: algorithms matter!

Let's look at it this way: say a site loses 5.3 million passwords. If those passwords are unsalted (raw-md5, as John the Ripper calls it), then we hash our first guess once and compare the result against all 5.3 million stored hashes (in practice a single lookup in a table keyed by digest), hash our second guess, compare again, and so on. That means that for each md5() operation we perform, we can check 5.3 million hashes. If those hashes were salted with a different salt per user, we'd hash the guess with the first salt, compare to the first hash, hash the same guess with the second salt, compare to the second hash, and so on 5.3 million times. With salting, one md5() operation gets us exactly one comparison.

But what's that mean?

It means that, against a list of 5.3 million hashes, unsalted passwords crack 5.3 million times as fast as salted ones. I average about 5,000,000 md5() checks/second on my laptop against a single hash; against the unsalted list, each of those checks covers all 5.3 million hashes, so the effective rate is 5,000,000 × 5,300,000, or 26,500,000,000,000 hash comparisons/second.

To summarize:
Salted hashes: 5 million comparisons/second
Unsalted hashes: 26.5 trillion comparisons/second

Taking it one step further, though - some algorithms, like bcrypt or the key derivation WPA uses, are designed to be slow. Take bcrypt, for example - on my laptop, I can perform about 5 million checks/second for salted MD5, and 17 checks/second for bcrypt. Compare 17 checks/second to the 26.5 trillion comparisons/second we saw earlier against a large unsalted list, and the difference is astounding. Against the list of 5.3 million passwords, it would take us about 86 hours (5,300,000 / 17 ≈ 311,765 seconds) to check each hash once. In other words, to guess '123456' for 5.3 million passwords, it would take over 3 days. Then guessing 'password' would take another 3 days, and so on. Basically, you could grow old and never crack more than a handful of passwords.
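The three cases above (one md5() covering every unsalted hash, one md5() per salt, and a deliberately slow algorithm) as an added, runnable illustration. This is not code from the original post; the sample accounts and wordlist are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption, since bcrypt is not in the standard library; the point about a tunable work factor is the same). The two crack functions count hash operations so the salted/unsalted cost difference can be measured rather than asserted.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data standing in for a dump: a few accounts and a short wordlist.
PLAINTEXTS = ["123456", "password", "letmein"]
WORDLIST = ["123456", "qwerty", "password", "letmein"]  # the cracker's guesses, in order


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_unsalted(plaintexts):
    """Raw-MD5 storage: hash(password) with no salt."""
    return [md5hex(p.encode()) for p in plaintexts]


def make_salted(plaintexts):
    """Salted MD5 storage: a random per-user salt stored beside hash(salt || password)."""
    records = []
    for p in plaintexts:
        salt = os.urandom(8)
        records.append((salt, md5hex(salt + p.encode())))
    return records


def crack_unsalted(hashes, wordlist):
    """One md5() per guess; a table lookup then covers every stored hash at once.
    Returns ({record_index: plaintext}, number_of_md5_calls)."""
    index = defaultdict(list)
    for i, h in enumerate(hashes):
        index[h].append(i)
    cracked, calls = {}, 0
    for guess in wordlist:
        calls += 1
        for i in index.get(md5hex(guess.encode()), []):
            cracked[i] = guess
    return cracked, calls


def crack_salted(records, wordlist):
    """Each guess must be re-hashed under every still-uncracked salt: work scales
    with guesses x accounts, not with guesses alone."""
    cracked, calls = {}, 0
    for guess in wordlist:
        for i, (salt, h) in enumerate(records):
            if i in cracked:
                continue
            calls += 1
            if md5hex(salt + guess.encode()) == h:
                cracked[i] = guess
    return cracked, calls


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 whose cost is set by the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hours_for_one_pass(num_hashes: int, checks_per_second: float) -> float:
    """Wall-clock hours to try a single guess once against every salted record."""
    return num_hashes / checks_per_second / 3600


if __name__ == "__main__":
    c1, ops1 = crack_unsalted(make_unsalted(PLAINTEXTS), WORDLIST)
    c2, ops2 = crack_salted(make_salted(PLAINTEXTS), WORDLIST)
    print(f"unsalted: cracked {len(c1)}/{len(PLAINTEXTS)} with {ops1} md5 calls")
    print(f"salted:   cracked {len(c2)}/{len(PLAINTEXTS)} with {ops2} md5 calls")
    print(f"one guess against 5.3M slow hashes at 17/s: {hours_for_one_pass(5_300_000, 17):.1f} hours")
```

With these inputs the unsalted list falls to 4 md5() calls (one per guess) while the salted list needs 8, and the gap grows linearly with the number of accounts; swapping md5hex for slow_hash in crack_salted turns each of those calls into 100,000 rounds, which is the bcrypt effect described above.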

So, part of my goal is just that: teach people to use proper hashing algorithms!

#2: you're demonstrating why passwords are fundamentally flawed
But even with bcrypt, it isn't going to help us any if an attacker can go to the Web interface, type in an admin username (oh, let's say, 'darryl'), try the top 10 passwords (let's say, 'qwerty') and have full access to the site. As long as passwords exist, people are going to choose stupid passwords and get compromised that way, no matter what kind of hashing, lockouts, etc. are used. Additionally, people are going to install malware that logs their passwords, which removes the need to guess them at all.

That's why passwords need to go away, or be enhanced. Somebody has to find a way to create ubiquitous two-factor authentication. That is, a second factor that can be safely used everywhere, and that's resistant to being stolen. I suspect it's a long way off, but it's something that I'll support when it starts becoming a reality.

#3: you're providing research data/analysis
Everybody loves having hard data for their research. In the past I found it excessively hard to do any kind of research on passwords because getting the various compromises into one place was nearly impossible. But now, thanks to my efforts, you can calculate some pretty cool data on password breaches.

#4: you're making password breaches less valuable
This is an interesting take on the issue that my friend had. Each breach that I mirror makes the breach itself, as well as other breaches, less valuable for a bad guy to have. It comes down to a supply and demand issue - if there's a large supply, it's unnecessary to get more. Therefore, people won't invest as much time, effort, or money into obtaining more breaches simply for their passwords.

#5: you're helping us heat our houses this winter
Every machine that's cracking passwords is also helping heat a house, feel free to thank me for it.

But when global warming comes for us, don't blame me!

Conclusion

Hopefully you have some idea, now, of why I do what I do. In my mind, there's absolutely nothing unethical about distributing breached passwords as aggregate statistics (without personally identifiable information) and it helps the community a great deal.

I'd love to hear comments from anybody who agrees or disagrees! My email is in the sidebar at the top-right, and the comments below allow anonymous posting (assuming you can do simple math :) ), so please let me know how you feel!

11 thoughts on "Ethics of password cracking/dissemination"

  1. Reply

    Joe G.

    I'm not a professional security person but I've made a serious hobby out of password management (and I wrote what I think of as among the best series on password management on my site - aimed at helping an average person).

    I think you missed a con: It is my understanding that one of the more popular ways to break into accounts these days is with software which automatically logs in to millions of different accounts per day (to get around limits on logins per hour) by combining popular user names, passwords, and web sites (i.e. try password1 at Jsmith@gmail.com, then 123456 at dj@facebook.com, then qwerty at Mrodriguez@yahoo.com, etc.). As such methods become more widely adopted, it would not be surprising if nearly all accounts with short user names and short passwords get compromised.

    But each time a list of passwords is publicized, the database of passwords to try can be supplemented. And if the security was so crummy that all passwords were unveiled, then even people who use really strong passwords (and happen to have a short, simple, user name) can get their accounts cracked.

    Of course, those who follow the practice of having a different password for each account (which I think of as the most important password practice for individual users) at least have the damage limited to one account.

    But let me turn this around and ask the following question:

    I understand how it helps to educate people about the 1000 worst passwords to use, and common ways of constructing passwords that are poor. But:

    1) How does it help anyone to publicize lists of 15 character random jumbles that ARE ACTUAL PASSWORDS? For research purposes it might help to know the percentage of passwords that are actually good passwords. But I don't see how anyone is helped by seeing which specific 15+ character random jumbles were used.

    2) Why can't you inform sites before publicizing your lists - giving them a several week opportunity to inform (or better yet force) users to change their passwords? Wouldn't this still allow you to accomplish all your pros above and at least somewhat mitigate the cons?

    P.S. I'd be curious for your (or anyone elses') take on my password guide. I'm not as negative on passwords as you security researchers are. My problem is that users are given a long and complex list of rules to follow instead of something simple that they should do, such as what I advise:

    "Use a password manager to assign unique, random 15 characters for all accounts, protecting them with a strong master password."

    That won't give you perfect security, but as I outline in my post called "How Attackers Steal Passwords," it stops most common forms of password theft, or at least limits the damage to one account.

    1. Reply

      Ron Bowes Post author

      Hey Joe,

      Great comment! I'm going to take a second stab at responding, because the first (long!) response I wrote got eaten by WordPress. I should know better than to type comments directly into Web fields, but that's neither here nor there.

      Anyway, I agree with your point about using multiple services to try and guess a password. While I haven't seen the exact scenario you've pointed out, and I think it would be difficult to pull off because there may not be a reliable way to join the accounts together, what's more common is to take the top 5 passwords and guess them for every account on a site (assuming you can enumerate accounts somehow). A lot of lockout mechanisms won't detect that, and with good reason - it's a difficult problem to solve since there's no 100% method of tracking users.

      To respond to your first point - publishing the 15-character random passwords for a site is pretty useless as password data, but is good as a trend. It's interesting to see how many people use a particular password generator, especially because a lot of password generator tools really don't understand the mechanics behind the PRNG that they're using, and end up creating predictable passwords. Hint: if you're simply using rand() and don't understand what it's doing, you might want to talk to somebody who understands randomness (we see that all the time, my friend is an expert at cracking 'random' passwords).

      To respond to the second, I may not inform sites directly, but I don't publish lists from sites that haven't been informed. I also co-operate with investigations and law enforcement when necessary, and I don't release lists (or wait to release lists) that, in my opinion, can cause damage. So I do my best to minimize the damage I do, and, being a "clearing house", that helps minimize the damage that others can do as well (assuming they wait for me to release the sanitized list, of course :) ).

      I haven't looked at your generator at all, but I agree with what you said, in theory. Using a 15-character random string, different for each account, protected with *a strong* master password, is ideal.

      The thing is, if your password on a site is unique, and it's stolen, that's basically meaningless. I mean, if your password is stolen, the attacker already has access to your account so it doesn't matter that he has a throwaway password. So using uniquely generated passwords is a definite Good Thing.

      Ron
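
The guessing pattern Ron describes in the reply above (a handful of common passwords tried against every enumerable account, which per-account lockouts don't see) and the top-10-against-'darryl' scenario in the post are two different shapes in an authentication log. As an added example, not part of the original post or comments, here is a small classifier over constructed log lines that separates the two: a source that pushes one account past the lockout threshold versus a source that stays under the threshold on every account but touches many of them. The log format, field names, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system). 203.0.113.7 sprays two guesses across
# five accounts and gets into 'darryl'; 198.51.100.9 hammers one account; 192.0.2.44 is a
# user who mistyped once.
SAMPLE_LOG = """\
2011-01-05T10:00:01 FAIL user=alice src=203.0.113.7
2011-01-05T10:00:02 FAIL user=bob src=203.0.113.7
2011-01-05T10:00:03 FAIL user=carol src=203.0.113.7
2011-01-05T10:00:04 FAIL user=darryl src=203.0.113.7
2011-01-05T10:00:05 OK user=darryl src=203.0.113.7
2011-01-05T10:00:06 FAIL user=erin src=203.0.113.7
2011-01-05T10:00:07 FAIL user=alice src=203.0.113.7
2011-01-05T10:00:08 FAIL user=bob src=203.0.113.7
2011-01-05T10:00:09 FAIL user=carol src=203.0.113.7
2011-01-05T10:00:10 FAIL user=erin src=203.0.113.7
2011-01-05T10:01:00 FAIL user=admin src=198.51.100.9
2011-01-05T10:01:01 FAIL user=admin src=198.51.100.9
2011-01-05T10:01:02 FAIL user=admin src=198.51.100.9
2011-01-05T10:01:03 FAIL user=admin src=198.51.100.9
2011-01-05T10:01:04 FAIL user=admin src=198.51.100.9
2011-01-05T10:01:05 FAIL user=admin src=198.51.100.9
2011-01-05T10:02:00 FAIL user=frank src=192.0.2.44
2011-01-05T10:02:30 OK user=frank src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(events, lockout_threshold=5, spray_min_accounts=4):
    """Per source address: how many distinct accounts saw failures, the worst per-account
    failure count, and which accounts that source later logged into successfully.
      brute-force: one account driven to the lockout threshold (lockout would fire)
      spray:       many accounts, each kept below the threshold (per-account lockout is silent)
      benign:      neither pattern"""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])
    verdicts = {}
    for src, per_user in fails.items():
        accounts = len(per_user)
        worst = max(per_user.values())
        if worst >= lockout_threshold:
            kind = "brute-force"
        elif accounts >= spray_min_accounts:
            kind = "spray"
        else:
            kind = "benign"
        verdicts[src] = {
            "kind": kind,
            "accounts": accounts,
            "max_per_account": worst,
            "succeeded_on": sorted(successes.get(src, ())),
        }
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, v)
```

The per-account counter is what a lockout looks at, and the spraying source never trips it (two failures per account); only the cross-account count per source exposes it. In practice the source key is often a whole network or a rotating pool rather than one address, which is the "no 100% method of tracking users" problem Ron mentions, so the thresholds here are illustrative rather than recommended values.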

  2. Reply

    Joe G.

    You say:

    "if your password on a site is unique, and it’s stolen, that’s basically meaningless."

    That will be true in some cases - but some of the lists you publish were only stolen by a single white hat researcher, right? For those cases, it would still be meaningful to the people who have those specific passwords, right?

    But if you're giving organizations time to respond, then I guess it doesn't matter because if they do the right thing, they'll require users to change their passwords, and of course that will include the ones with good passwords.

    I hadn't realized that a bunch of random password generators are so easy to reverse engineer.

    My site only contains advice and education - trying very hard to boil down advice to the minimum needed and most convenient possible but with a reasonably high level of security. I steer people towards using one of the 4 most popular password managers:

    LastPass
    1Password
    RoboForm
    KeePass

    Though I've searched the web for any indication that either of these might be insecure (either with their implementations of AES or the randomness of their generators), I don't have the expertise to test security on these.

    Are you (or anyone reading this) aware of any of these 4 having open security issues, including randomness of their password generators?

    Assuming that these four market share leaders have done security (including randomness) right, then password management can work reasonably well for average people who follow the simple advice I stated above.

    1. Reply

      Ron Bowes Post author

      Hey Joe,

      White hat hackers don't steal passwords, nor would I host lists that were stolen and not published. Lists I publish are always ones that are already publicly available and that the compromised site is aware of. The biggest risk is people using the same 'strong' password for different sites.

      I'm not aware of any issues with those tools, but I'm no expert. I'll point my friend this way and see if he has any comments.

      Ron

  3. Reply

    Joe G.

    Thanks for the clarification. That white hat hackers don't steal (then publish) password lists may be completely obvious to those in the profession, but was something I didn't know - I wonder if public perception matches my own.

    I think there is a gray area between white hat and black hat that confuses the public perception - I'm thinking the guy who hacked into Twitter, embarrassed the company, but didn't really try to severely harm Twitter.

    Given that all published lists of passwords are ones that were already stolen by black hat hackers, I now agree with your statement that:

    “if your password on a site is unique, and it’s stolen, that’s basically meaningless.”

    I appreciate your trying to bring in an expert to comment on the security and randomness of the 4 leading password managers.

    1. Reply

      Ron Bowes Post author

      I really hope people don't think whitehat hackers steal passwords and reveal them, but I can't speak on that.

      Ron

  4. Reply

    DC

    Honestly the best thing that can come out of this is eventually forcing sites to move to more secure encodings. As a cracker myself, I couldn't bother going after a 500k list of SHA's when I can do 500k MD5's in a fraction of the time. Another thing would be forcing stronger passwords, and none of this "Upper, lower, special min length 6" stuff. I mean really enforcing it.

    Ron I would have to argue that if a "whitehat" released a hash list or dump, that would move them into a grey/black area. Assuming of course that they did the hack themselves.

  5. Reply

    Geist

    I first learned of Ron and his research during some SANS courses I have taken. Yes Ron, you are now mentioned every day in 504 except for legal day. Ron's research has clearly illuminated the inherent issue with passwords....the creation of them. I have referenced Ron's stats in awareness training webcasts for my company (disguised as "How to keep you and your family safe on Facebook"). I can attest that his research has helped me raise the awareness of the issue to our private user base.

    Unfortunately, the biggest disappointment I have with his work is that it really only seems to be utilized by the extreme ends of the cracking community and likely won't make its way to the mainstream. If the general public knew what we, who understand this site, knew, the inevitable reform of authentication would be greatly accelerated. We can NOT go on with this authentication model much longer.

    Personally, I think the end solution is to replace user-supplied passwords with salted biometrics (fingerprint scanner, for instance) instead of user-chosen passwords. The price is reasonable and they are becoming more common each day. Sure, this doesn't solve pass-the-hash and memory scraping issues but it is better than QWERTY. If you enhance that authentication with another factor; soft tokens, as most have a smartphone these days, you would have a system that would probably send Ron into another area of security to focus his research on. What a great day that would be!

    Thanks for all your great work, Ron, you are appreciated and admired by the whitehats, not to mention the legendary Ed Skoudis!

    1. Reply

      Ron Bowes Post author

      @Geist - Awesome comment, thanks! You scared me in the second paragraph where you said "Unfortunately, my biggest disappointment---" - I thought you were going to say something super negative. :)

  6. Reply

    Peter

    // Pulls one 12-character mixed-case alphanumeric string from random.org and strips surrounding whitespace.
    // Caveat: the request goes over plain http://, so the generated password is readable in transit and is known to a third party.
    $password = trim(file_get_contents('http://www.random.org/strings/?num=1&len=12&digits=on&upperalpha=on&loweralpha=on&unique=on&format=plain&rnd=new'));

  7. Reply

    s

    Why not release something that certifies that you have the password (perhaps a hashed version of the password, or even a hashed and truncated version) so that anyone whose password you have can confirm that you have it, but you aren't actually releasing it? It seems like you simultaneously successfully point out the failings of the security system and also keep the passwords secure. This does not rely on anything that is questionably ethical.
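
The "hashed and truncated" variant of the suggestion above, worked through as an added example (not part of the original post or comments). Publishing a full unsalted hash of each recovered password would just hand out another cracking target, which is the very thing the post is about; truncating the hash to a short prefix means each published entry matches a huge number of possible plaintexts, so the release no longer identifies the password while a user can still check their own locally. SHA-1 and a 5-hex-digit (20-bit) prefix are assumptions made for the example, as is the constructed sample list; the cost of the scheme, a non-zero false-positive rate for the checker, is computed alongside.

```python
import hashlib

# Constructed sample set standing in for a recovered password list.
LEAKED = ["123456", "password", "qwerty", "letmein", "darryl2011"]


def sha1_hex(password: str) -> str:
    # Unsalted on purpose: users must be able to compute the same value on their own.
    return hashlib.sha1(password.encode()).hexdigest()


def publish_prefixes(passwords, k=5):
    """What gets released: only the first k hex digits (4k bits) of each SHA-1,
    deduplicated and sorted so the release carries no per-row or ordering information."""
    return sorted({sha1_hex(p)[:k] for p in passwords})


def possibly_present(password, published, k=5):
    """Client-side check: hash your own password locally and look for its prefix.
    A miss is definitive; a hit means 'probably', with the rate given below."""
    return sha1_hex(password)[:k] in set(published)


def false_positive_rate(num_prefixes, k=5):
    """Probability that an arbitrary password NOT in the set still matches some prefix.
    The same number, read the other way, is how little a single prefix tells an attacker:
    any candidate matches it with probability 1/16**k."""
    return num_prefixes / 16 ** k


if __name__ == "__main__":
    pub = publish_prefixes(LEAKED)
    print("released:", pub)
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: {'possibly in set' if possibly_present(pw, pub) else 'not in set'}")
    print(f"false-positive rate at k=5 with {len(pub)} entries: {false_positive_rate(len(pub)):.2e}")
```

Choosing k is the whole design decision: a longer prefix makes the user's answer more precise but makes each entry easier to crack back to its plaintext; a shorter one protects the plaintexts but tells more users "maybe" when the answer is no. With millions of entries the false-positive rate at k=5 becomes unusable, so a real release would use a longer prefix and accept that the very weak passwords it contains are guessable anyway, which is the trade-off the commenter's proposal hinges on.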
