Salt

I have been reading an article about a company named LastPass, which was hacked on Tuesday, 3 May 2011. LastPass provides tools that store and manage passwords. The company noted an anomaly in network traffic flowing from one of its non-critical machines. I asked myself this question: can I trust a company that provides a service to store my passwords, or is it better to keep all my passwords in my head?

Suspicion of an attack arose when unexplained traffic was noticed on the network. All available resources were put into finding out what had happened and whether someone had tried to get into their database, which holds information about their customers: email addresses, salted master password hashes, and so on. They were not able to track down a root cause, but they did note that an amount of data had been transferred out of their server, and that amount was enough to carry people's personal information. The company said:

“We’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed,” the company said in a security advisory on Wednesday. “We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database.”

This tells me that the company is concerned about its customers' privacy, and also that its security monitoring is active. One theory is that the attackers could run a dictionary attack against the salted password hashes to recover weak master passwords. Because of the episode the company has forced all users to change the master password on their account, and in some cases to validate their email address.

Netcraft, which provides internet security services, commented on the incident:

“If a hacker can recover a single password, then all [the user’s] passwords will be compromised, including webmail and Paypal,” said Paul Mutton, a security analyst at Netcraft. “People would be wise to change their passwords.”

After I read this article I asked myself: what happens when a site uses salted passwords? I came across a website that describes what a salt is and how it works; it has many related topics.

From http://www.nmrc.org/pub/faq/hackfaq/hackfaq-04.html

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length, and algorithmically introduced to further obfuscate the one-way hash. The specifics for salts for both Unix and Netware systems are covered in their individual password sections.

Historically, the way cracking has been done is to take a potential password, encrypt it and produce the hash, and then compare the result to each account in the password file. By adding a salt, you force the cracker to have to read the salt in and encrypt the potential password with each salt present in the password file. This increases the amount of time to break all of the passwords, although it is certainly no guarantee that the passwords can’t be cracked. Because of this most modern password crackers when dealing with salts do give the option of checking a specific account.
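To make concrete both the dictionary attack speculated about above and the hackfaq's description of how salts raise a cracker's cost, here is an added Python example. It is my illustration, not code from this post, from the hackfaq, or from LastPass. It assumes a toy hashing scheme (one SHA-256 over salt || password), a constructed wordlist and constructed accounts; it says nothing about LastPass's actual scheme.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data for this demonstration (not real accounts or a real
# leak): a small dictionary and the passwords a few fictional users chose.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]
ACCOUNTS = [
    ("alice", "qwerty"),
    ("bob", "letmein"),
    ("carol", "qwerty"),        # same password as alice
    ("dave", "Tr0ub4dor&3"),    # not in the wordlist, so it should survive
]


def hash_password(salt: bytes, password: str) -> str:
    # Assumed scheme for illustration only: one SHA-256 over salt || password.
    # This is not a statement about LastPass's real scheme. A fast hash like
    # this is exactly what a dictionary attack exploits; production systems
    # should use a slow salted KDF (bcrypt, scrypt, Argon2, PBKDF2).
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_password_file(accounts, salted):
    # One record per account, like a line of a Unix-style password file.
    # salted=False gives every account the same empty salt; salted=True draws
    # an 8-byte random salt per account (the upper end of the 2-8 bytes the
    # hackfaq excerpt mentions).
    records = []
    for user, password in accounts:
        salt = os.urandom(8) if salted else b""
        records.append({"user": user, "salt": salt,
                        "hash": hash_password(salt, password)})
    return records


def crack(records, wordlist):
    # Dictionary attack over the whole file. Accounts are grouped by salt so
    # that one hash of a candidate is compared against every account sharing
    # that salt. Work = len(wordlist) * number of distinct salts: with no salt
    # (or one shared salt) that is len(wordlist); with per-account salts it is
    # len(wordlist) * len(records). Returns (user -> password, hashes computed).
    by_salt = defaultdict(lambda: defaultdict(list))
    for rec in records:
        by_salt[rec["salt"]][rec["hash"]].append(rec["user"])

    found = {}
    hashes_computed = 0
    for salt, hash_to_users in by_salt.items():
        for candidate in wordlist:
            hashes_computed += 1
            digest = hash_password(salt, candidate)
            for user in hash_to_users.get(digest, []):
                found[user] = candidate
    return found, hashes_computed


def crack_account(record, wordlist):
    # The "check a specific account" option the hackfaq mentions: only this
    # account's salt is used, so the cost is at most len(wordlist) hashes
    # no matter how many accounts the file holds.
    for candidate in wordlist:
        if hash_password(record["salt"], candidate) == record["hash"]:
            return candidate
    return None


def equal_hash_groups(records):
    # Without per-account salts, users who chose the same password have the
    # same stored hash, which leaks that fact before any cracking is done.
    groups = defaultdict(list)
    for rec in records:
        groups[rec["hash"]].append(rec["user"])
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    for salted in (False, True):
        records = build_password_file(ACCOUNTS, salted)
        found, work = crack(records, WORDLIST)
        print(f"salted={salted}: cracked {found} with {work} hash computations; "
              f"equal-hash groups: {equal_hash_groups(records)}")
```

Running it shows the point of the hackfaq excerpt: with no salt the three weak passwords fall after one pass over the wordlist (6 hashes), while per-account salts force one pass per account (24 hashes), and the salted file no longer reveals that alice and carol share a password. Two caveats a practitioner would add: a single salt shared by every account (which a "server salt" would be if it were the only salt) behaves like the unsalted case here, since one hash per candidate still covers all accounts; and salting only multiplies the attacker's work by the number of accounts, so what actually makes master passwords expensive to recover is a slow key derivation function, not the salt by itself.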

By Alexander Ólafsson

Links:

http://www.zdnet.co.uk/news/security-threats/2011/05/05/lastpass-hack-risk-forces-users-to-change-passwords-40092684/

http://www.nmrc.org/pub/faq/hackfaq/hackfaq-04.html

This entry was posted in IT Security, Week 19.
