Wednesday, June 5, 2019

Who Keeps Actual Passwords in Their Security Control?

I got one of those "I have a keylogger in your PC, send me money or get exposed" emails.  It has a password that I have not used online for several years.  Unix systems only store a hash of the password (not as good as encryption; there are brute force methods, requiring several NSA's of computing power to try all combinations to see if they produce the target hash).

Are there other systems that do not encrypt the password?  This claims these are all false extortion schemes; having an actual password is the result of data breaches, not keyloggers or viruses; this site says there have been 9 such breaches involving my email address.  Many of these breaches included poorly encrypted passwords.

As I said, I do not use that password anymore and this doubtless one of these old breaches.

Received the exact same email from someone else.

3 comments:

Billy Oblivion said...

Unix systems only store a hash of the password (not as good as encryption; there are brute force methods, requiring several NSA's of computing power to try all combinations to see if they produce the target hash).

Almost all "professional" password storage systems, including Unix and Windows (and Active Directory) store a cryptographic hash of the password. Technically a "salt" plus a password.

It's actually *more* secure than an "encrypted" password because there is no key that can be stolen.

If you had a password database that stored "encrypted" passwords you would either need to have a separate database with the keys for those passwords, or a single key to all of those passwords. Either way the *same* attack that collects the password database would be able to get you the key or key database as well.

Unknown said...

If you go back decades ago that is true about UNIX has, but after that the major commercial Unixes like HP-UX, Solaris, etc along with Linux, BSD, and MacOS use encrypted shadow passwords.

Sigivald said...

"not as good as encryption; there are brute force methods, requiring several NSA's of computing power to try all combinations to see if they produce the target hash"

Especially a few years ago, I wouldn't expect most websites to use hashes that were remotely that secure.

Even today I wouldn't trust most of them to be using bcrypt and strong salts, frankly.

Though with the hardware the NSA has I doubt it'd take several NSAs, just a lot of their attention. I would not be the least bit surprised to find the NSA had a few conex containers lying around stuffed with FPGAs or GPUs dedicated to *nothing* but bcrypt hashing. And that's the non-paranoid assessment.

(I count myself lucky if a website's not just using md5, which has long had rainbow tables available.)