Should you let your browser remember?

Most of us probably are familiar with “logging in” to a web site or service. You do it everyday if you are using WordPress.com right now! Online verification is quite an achievement and is of utmost importance to most web services today. Imagine having a credit card account that anyone could just go right to like a Facebook page. Furthermore, imagine if someone could just edit your Facebook page and post anything they felt the desire to…

Well, that changed. Now you are probably faced with so many credentials that it is getting hard to remember. So, what are your options? Perhaps you set your password to… password. 5 days later you start seeing strange things–you’ve been hacked! So then you set your password to something crazy, something so secure that you have to write it down in Notepad or Text Edit and copy and paste it each time. I remember my craziest password (which, thankfully, I no longer use). Imagine entering this-1065130509756977709753987174693607384674991781062–every time you wanted to check your email!

 Imagine entering this-1065130509756977709753987174693607384674991781062–every time you wanted to check your email!

You probably wouldn’t have lost so much time! If you are curious, this is actually an SHA1 hash of the word “password”. Oddly enough, when you hash it again and store it in the database, it is even more cryptic. That leads us to one topic of this login credential scare. You’ve probably heard about how hacking organizations break into these sites and steal millions of account passwords. Of course, most of the time this results in nothing but millions of people frantically scouring to that site seeing if they were a victim.

A lot of security that comes with your password is in two things: the site security, and your passwords complexity. The security of the site usually means one thing, and it is dependent on your password–how your password is stored. See, if you aren’t familiar with out the web works, these clusters of data known as databases store all your data in a table. For example, this site probably employs a database and has a user_account table or something similar. Each row in the table stores the login data for one individual, usually an email, a username, a password, and maybe (hopefully) a salt.

A lot of security that comes with your password is in two things: the site security, and your passwords complexity.

A salt… not NaCl, but rather a long, computer-generated random string/integer/etc. Usually it’s a string encoded similarly to a hash (base64, hex, etc.). See, a while back, some hackers got smart. Hashing algorithms, or the way these hashes are generated from your password, have to be the same dependent on the input. Classically, when you enter your password, it is hashed automatically and compared to the one in the database. Your actual password isn’t (shouldn’t) used at all.

If you haven’t caught on yet, imagine you have this hash. Hmmm, what to do? Well, I want to steal this person’s password, so let’s crack it wide open! I go to a sketchy looking place on the Internet and download a giant rainbow table full of, not rainbows, but rather these hashes and their corresponding input values. Catching on yet…? I feed the original hash into it, and it goes through all these input/output pairs and finds a match. Apparently this hash means “qwerty”. What an awesome password! This is why that extra salt is useful to obfuscate the hash.

Another way to do this is a dictionary based attack, which is sort of like the rainbow but it tries every possible combination. Basically, every possible combination is tried. This is why using a longer, more complex password is better. If I use a password like “pass”, it’s going to be broken in seconds. Heck, the program might even already know this value. Now imagine I used “P@33$%^”. This could still be broken in a pretty decent amount of time, but if someone is using this method, using a really long bit of text is better than fancy symbols in most cases. Take for instance, “thisismypassworditisreallylonganddictionaryattackswouldprobablytakeawhiletodosomethingtobreakintothis”. Now, with GPU acceleration in these dictionary attacks and stuff, I’d throw at least some capitals in there…

If I use a password like “pass”, it’s going to be broken in seconds.

Now, beyond that, wait, where did this title come from? Oh yeah, lets see, XSS–Cross site scripting; stealing session IDs. This is where you as a user are going to be targeted more individually. Stop right now. If you are logged into WordPress.com, navigate to your browser developer tools and find the cookies section. Notice all these tiny bits of data that are storing your session variables. With some clever JavaScript, users can take all this data and use it maliciously.

So, before you let your browser remember what you just entered, think about it. And if your favorite site appears to be very unsecure, be careful, as with an insecure site there isn’t necessarily anything you can do. Using a modern browser can eliminate this by encrypting your password/credentials and storing them somewhere inaccessible by websites/web services. There are also great, free and paid password managers available for more advanced usage.

And if your favorite site appears to be very unsecure, be careful, as with an insecure site there isn’t necessarily anything you can do.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s