Kickstarter hacked - change your passwords

Thanks, Steve. I heard the news, but not the advice to change the password. Boy, have I learned a lesson about using the same password for multiple things. Geez.
 

sfoster

Staff Member
Moderator
Thanks, Steve. I heard the news, but not the advice to change the password. Boy, have I learned a lesson about using the same password for multiple things. Geez.

It's not as big of a deal to use it for multiple things.
What gets stolen is a hash value of your password, not the password itself.

This allows people to find a 'collision' where something that isn't your password still produces the same hash. And then they can use this other key to pretend to be you and access your account.

But even if it's the same password on a different site, their hash would be different, and so whatever other key the hackers had discovered wouldn't work on your other site.

They say to change your passwords on other sites, etc just to cover their asses.

Personally, though, I have 3 different passwords I use. One for total bullshit. One for my general stuff. And then one for top security... my bank, for example, has a different password than my gmail account.
 

sfoster

Staff Member
Moderator
My password is a random array of letters and numbers. Is there any way they can figure it out from the hacked encryption? I'd rather not have to change ALL my passwords.

They can never figure out your password from this sort of stuff. It's a little technical, but it's something called a hash algorithm that your password turns into.

So if you enter 12ADSF(* as a password, let's say that hashes to the number 9876543 and that number is stored in the database. So all the hackers have access to is that your password hashes into 9876543.

What they can then do, is find a hash collision. Maybe the password ADG&!$J ALSO hashes to 9876543. That's the best they can do, is find something that looks the same as your password under the same conditions with the exact same algorithm.

So it's not a simple matter of them figuring out your password and then having access to everything. However, in the event that another website does use the same exact hash algorithm, then it would be compromised. They were using a salt in their encryption as well, so I don't think you have anything to worry about.
 
They can never figure out your password from this sort of stuff.

Not always true, I'm afraid. This is very much my turf (I'm the editor of two IT security journals and a Certified Ethical Hacker).

The hashed version of the password can't itself be used. And hashes can't be reversed - you can't 'decode' the hash to get the original password.

BUT... hackers use a technique known as rainbow tables. Essentially, they compile massive lists (numbering millions of entries) of passwords and their equivalent hashes. They then use the stolen hashes, check them against the rainbow tables and if they get a match, they know the password.

This isn't so easy if the hashing process has used a 'salt' - a piece of text added to the password before it is hashed. The addition of salts makes the pre-computing of rainbow tables too onerous to be practical.

So, if the website has followed best practice and used a salt and a decent hashing algorithm (eg, not MD5), and you've used a decent password (minimum 12 characters including upper- and lowercase, numbers and special characters), then you're pretty safe. But absent any of those factors and hashing isn't quite the guarantee of security that it was once thought.

And if the hacker is the NSA, all bets are off... ;)
 
My password is a random array of letters and numbers. Is there any way they can figure it out from the hacked encryption? I'd rather not have to change ALL my passwords.

Actually, you might as well change them anyway; you're just making your life harder and a hacker's life easier using that style of password. Mr. Monroe explains far better than I ever could.

[image: password_strength.png]
 

sfoster

Staff Member
Moderator
BUT... hackers use a technique known as rainbow tables. Essentially, they compile massive lists (numbering millions of entries) of passwords and their equivalent hashes. They then use the stolen hashes, check them against the rainbow tables and if they get a match, they know the password.

This is called a hash collision, as I've said, and is not your actual password. It just matches when run through the same hash algorithm :weird:

It's not your actual password and wouldn't work on a different website with a different hash or salt.
 
I heard that if you use the method outlined in the above graphic, do not omit the spaces between words or it defeats the whole purpose.

Sounds plausible, though not many places allow either passwords longer than 16 characters or spaces - though one could simulate the latter with "_".

Figuring out if the entropy he used was with or without spaces is way above my pay grade in math though.
 
This is called a hash collision, as I've said, and is not your actual password. It just matches when run through the same hash algorithm :weird:

It's not your actual password and wouldn't work on a different website with a different hash or salt.

No, a hash collision is something entirely different. Hash collisions are a weakness in the hashing algorithm. MD5 has been shown to suffer from collisions. A collision is when two different original pieces of text produce the same hash. This should never happen (that's the point of a hash). Hash collisions are an indication that an algorithm is flawed, but have no relevance to this discussion.
 
I heard that if you use the method outlined in the above graphic, do not omit the spaces between words or it defeats the whole purpose.

There is still some debate among cryptographers about whether passphrases using ordinary words are stronger than passwords. With services like Amazon's EC3 making near-supercomputer power available to anyone with a little money to spend, brute-force dictionary attacks render passphrases weak unless you also strengthen them with the same techniques used for passwords (numbers, mixed case & special characters).
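
Editor's added example (not from any poster): the "with or without spaces" entropy question a few posts up and the brute-force cost claim in the post above, put into numbers. The attacker is assumed to know the scheme (word count, list size, separator), which is the standard model for rating a passphrase; under it a fixed separator is one choice and contributes zero bits, so the two 4-word rows come out identical. The guess rates are illustrative assumptions, not measurements.

```python
import math

# Assumed guess rates (not from the thread), illustrative only.
FAST_HASH_GUESSES_PER_SEC = 1e10   # unsalted MD5-class hashing on rented GPUs
SLOW_HASH_GUESSES_PER_SEC = 1e4    # iterated, salted hash such as PBKDF2 or bcrypt


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy in `symbols` independent uniform picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def passphrase_bits(dictionary_size: int, words: int, separator_choices: int = 1) -> float:
    """Diceware-style passphrase. A separator the attacker can predict (always a
    space, always '_', or none at all) is one choice and adds log2(1) = 0 bits;
    only a separator picked at random from `separator_choices` options adds any."""
    return entropy_bits(dictionary_size, words) + math.log2(separator_choices)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def compare(guesses_per_second: float = FAST_HASH_GUESSES_PER_SEC) -> dict:
    """Entropy and worst-case crack time (days) for several schemes.
    The two 2048-word rows differ only in whether spaces are used."""
    schemes = {
        "8 random printable ASCII chars (95 symbols)": entropy_bits(95, 8),
        "4 words from a 2048-word list, spaces": passphrase_bits(2048, 4),
        "4 words from a 2048-word list, no spaces": passphrase_bits(2048, 4),
        "4 words from the 7776-word Diceware list": passphrase_bits(7776, 4),
        "6 words from the 7776-word Diceware list": passphrase_bits(7776, 6),
    }
    return {name: (round(bits, 1),
                   round(worst_case_seconds(bits, guesses_per_second) / 86400, 3))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for rate in (FAST_HASH_GUESSES_PER_SEC, SLOW_HASH_GUESSES_PER_SEC):
        print(f"--- {rate:.0e} guesses/s ---")
        for name, (bits, days) in compare(rate).items():
            print(f"{name}: {bits} bits, {days} days worst case")
```

Two things fall out of the numbers. Spaces versus no spaces changes nothing when the attacker knows the format; what raises the bar is more words or a bigger list. And the guess rate the site imposes through its hashing choice moves the result by six orders of magnitude, which matters more than any tweak to the separator.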
 
Personally, though, I have 3 different passwords I use. One for total bullshit. One for my general stuff. And then one for top security... my bank, for example, has a different password than my gmail account.

This isn't necessarily secure though if you use that gmail address as part of your account anywhere. Once they have access to your mail account they can go request a password reset from any site that uses that email (which they can probably discover by searching your email history). Then they just watch for the reset email to hit your account, change the password on the other site, and then delete the reset email before you notice it.

With control over your email they can also more easily engage in 'social hacking' - for instance, they send an email to your wife "Hey honey, did you change the Wells Fargo password? I can't seem to log in". Since it comes from your real email she might reply back "No, it's still password12345" and they're in, without needing to actually hack anything.

So in general I'd say you want to consider email accounts "top security" - make sure you have a different secure password for each account, and that you don't use that same password anywhere else.
 