A unique feature of 1Password’s security is the Secret Key, but its value is often misunderstood by users and security experts alike. Instead of thinking in terms of “is it like a second factor?” or “is it like a key file?”, it’s best to explain it in terms of what it actually does: it protects you if we were to be breached.

The Secret Key is central to what makes 1Password’s security uniquely strong. It offers our users exceedingly strong protection if our servers were to be breached. However, its uniqueness makes it difficult to understand, and not only is it difficult to understand, it places an additional burden on users. Burdening users with an additional task that is hard to understand is really not our style. The fact that we do so should give some idea of just how important the Secret Key is for security.

Let’s review what happens when some service gets breached. (If you already know a bit about password cracking and hashing, just skip this section.) Lots of things happen when a service gets breached, but let’s focus on what it means for the password someone may use for that service.

Suppose Molly (one of my dogs) signs up for the service Barkbook using the password Squirrel!. Molly, as some regular readers may recall, is obsessed with squirrels and really bad at picking passwords. When Molly first signs up, Barkbook will receive the password and store a hash of it. To keep the examples short, I am going to pretend that Barkbook uses a very outdated password hashing scheme. Barkbook would store something like…

$1$NP8pjY13$Fb/z9cqyMwjysyTodjbec/

…which includes an indicator of the hashing scheme ($1$, the old md5crypt scheme), the salt (NP8pjY13), and the hash. The hash is the Fb/z9cqyMwjysyTodjbec/ part.

Every time someone tries to log in as Molly, Barkbook would use the same hashing scheme with the stored salt to hash the received password. If the hash matches what is stored, Barkbook will let the user in as Molly.

Now suppose that Mr. Talk (the neighbor’s cat, who is always up to no good as far as Molly is concerned) has breached Barkbook and obtained the database of password hashes. There is no way to run the hash backwards and compute Squirrel! from Fb/z9cqyMwjysyTodjbec/ and the salt. So it would seem that this would not help Mr. Talk with his nefarious schemes.

But Mr. Talk can make use of the hash. He can use it to test guesses at Molly’s password. Mr. Talk might very well suspect that Molly’s passwords are based on either the word “rabbit” or the word “squirrel.” Mr. Talk may also know that Barkbook requires an uppercase letter and a symbol in its passwords. Using this knowledge he can narrow the list of likely passwords to just a few thousand, or tens of thousands. It takes no time at all for Mr. Talk to compute the hashes of all of those likely passwords until he gets a match.

Aren’t hashes irreversible? (Technical aside)

A secure hash function is supposed to be irreversible. That is, the hash itself gives you no useful information about the pre-image of the hash. (The pre-image of the hash in these cases is the password that was hashed.) And yet, we are saying that having the hash of a password can be very useful in learning the password. There is no contradiction, because pre-image resistance is only ever defined relative to how unpredictable the pre-image is: the generic attack is simply to guess the input and hash it, so the hash can never be harder to invert than its input is to guess. That is, it is only hard to guess the pre-image from the hash if the pre-image is hard to guess in the first place.

Because Mr. Talk has the hash, he doesn’t need to test these guesses by trying to log in through the Barkbook login page. Thus any limit that Barkbook has set on failed login attempts won’t get in the way. Mr. Talk can make as many guesses as he wants, as fast as his own machine can compute hashes of guesses. This is called an “offline attack,” and there is software designed to automate the guessing and testing, and Mr. Talk knows how to use it. It will take Mr. Talk more time to configure the software than it will take the software to try tens of millions of guesses.

There are lots of problems with the typical password checking scheme, not least of which is the fact that the password (in our previous example) is transmitted from Molly’s computer to Barkbook each and every time she logs in.
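The whole Barkbook story, from sign-up through Mr. Talk’s offline attack, as an added worked example. This is my code, not code from the original post or from 1Password. It assumes a stand-in for the outdated $1$ scheme (PBKDF2-HMAC-SHA256 from the Python standard library, so the cost per guess can be varied), an illustrative record layout of scheme$iterations$salt$hash, a hypothetical login endpoint that locks out after five failures, and a guess list I constructed from the two base words and the password rules the post mentions. The salt NP8pjY13 and the password Squirrel! come from the post; the hash values the code produces do not match the post’s md5crypt hash.

```python
"""Added example (mine, not the post's or 1Password's): a toy model of the
Barkbook breach. Barkbook stores a salted hash and verifies logins by
rehashing; Mr. Talk, holding a copy of that record, recovers Molly's
password offline without ever touching the login page.

Assumptions: the post's $1$ (md5crypt) scheme is replaced by PBKDF2-HMAC-SHA256
so the iteration count can be varied; the layout scheme$iterations$salt$hash,
the lockout endpoint and the guess list are all my own constructions.
"""
import hashlib
import secrets
from typing import Iterable, Iterator, Optional, Tuple

SCHEME = "pbkdf2_sha256"


def _hash(password: str, salt: str, iterations: int) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()


# ---- Barkbook's side -------------------------------------------------------

def make_record(password: str, salt: Optional[str] = None, iterations: int = 1) -> str:
    """What Barkbook stores at sign-up: scheme$iterations$salt$hash.

    iterations=1 models the fast, outdated scheme in the post; a large
    value models a deliberately slow hash.
    """
    if salt is None:
        salt = secrets.token_urlsafe(6)  # 8 random characters, like NP8pjY13
    return f"{SCHEME}${iterations}${salt}${_hash(password, salt, iterations)}"


def verify_login(record: str, password: str) -> bool:
    """What Barkbook does on every login: rehash with the stored salt, compare."""
    scheme, iterations, salt, stored = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unknown scheme {scheme!r}")
    return secrets.compare_digest(_hash(password, salt, int(iterations)), stored)


class LoginEndpoint:
    """Hypothetical Barkbook login page that locks after MAX_FAILURES wrong tries."""

    MAX_FAILURES = 5

    def __init__(self, record: str) -> None:
        self.record = record
        self.failures = 0
        self.locked = False

    def login(self, password: str) -> bool:
        if self.locked:
            return False
        if verify_login(self.record, password):
            return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_FAILURES
        return False


# ---- Mr. Talk's side -------------------------------------------------------

def candidate_passwords(base_words: Iterable[str] = ("rabbit", "squirrel")) -> Iterator[str]:
    """Guesses built from what Mr. Talk knows: the passwords are based on
    "rabbit" or "squirrel", and Barkbook demands an uppercase letter and a
    symbol. The digit suffixes and symbol placement are my constructed guesses."""
    symbols = "!@#$%^&*?"
    for word in base_words:
        for cased in (word.capitalize(), word.upper()):
            for digits in ("", "1", "123", "2024"):
                for symbol in symbols:
                    yield f"{cased}{digits}{symbol}"
                    yield f"{symbol}{cased}{digits}"


def online_attack(endpoint: LoginEndpoint, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """Guessing through the login page: the lockout stops this almost at once."""
    tried = 0
    for guess in guesses:
        if endpoint.locked:
            break
        tried += 1
        if endpoint.login(guess):
            return guess, tried
    return None, tried


def offline_attack(record: str, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """The offline attack: hash each guess with Molly's stolen salt locally.
    No login attempt is made, so Barkbook's failed-login limit never applies."""
    _, iterations, salt, stored = record.split("$")
    tried = 0
    for guess in guesses:
        tried += 1
        if _hash(guess, salt, int(iterations)) == stored:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    record = make_record("Squirrel!", salt="NP8pjY13")
    print("stored: ", record)
    print("online: ", online_attack(LoginEndpoint(record), candidate_passwords()))
    print("offline:", offline_attack(record, candidate_passwords()))
    # A slow hash raises the cost of each guess but not the number of guesses;
    # the weak link is still how few plausible pre-images there are.
    slow = make_record("Squirrel!", salt="NP8pjY13", iterations=20_000)
    print("offline, slow hash:", offline_attack(slow, candidate_passwords()))
```

Run it and the online attack dies after five tries while the offline attack finds Squirrel! in 145 guesses out of a 288-entry list; raising the iteration count makes every guess slower but leaves that count unchanged, which is the aside’s point in code: the hash is only as hard to invert as the password is to guess.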