Disclosing Passwords Hashing Policies - Michal Spacek

okay it's time to get started again for those that haven't been into the room or been looking at shed for the last five minutes we have replaced the original talk that we are going to have now with adam cordell and we have replaced that with mikhail spochak from czech republic i'm absolutely sure this is going to be just as good as a talk as the one adam was planning and this is about disclosing password hashing policies michelle had been with us before our pastor's gone up to several times and yeah take it away

hi everyone my name is michael or you can just call me michal in check if anybody here speaks czech anybody here speaks czech oh yeah my girlfriend yeah that's enough yeah so my talk is about uh disclosing pass rushing policies and by that i mean you know companies who are storing user passwords they probably should do something to them something really nice not something nasty and they should tell us um or they should tell their users what they do to the password so i'm gonna talk about um who's doing who already who has already done that and how they do that and stuff like this so the duct tape here is um just you know if you don't want to

disclose any anything just put it over your mouth so that's why it's on the first slide and yeah let's go so um please raise your hands with a scene sometimes a message like this when you are trying to register your password must be 6 to 20 characters please raise your hand oh my god it's everyone almost cool now uh one more raising hands uh who has been already wondering why please raise your hands was one who was wondering why they do this okay cool me as well of course so you're not alone there are people also wondering why actually companies are you know um putting password policies like the the password must be maximum 20 characters

so uh sometimes they are just tweeting asking the companies why they do that like this guy um who i know he asked trippit like why do they um require him to have the password exactly nine to 64 characters long so he was wondering why do they do that and he asked and tweeted at them so people sometimes do that most of the times they just don't get any answer companies just don't reply at all well um sometimes the reason is that just the companies don't know why they do that because um what happened to me once when i asked uh that the guy who actually set up the rules he already left the company so the company didn't know what why do

they limit the length of the password and they tried to fetch the information for me but they failed so most of the times you just don't get any any answer if you ask which is kind of bad sometimes people are wondering or actually they are afraid that when the company is limiting the length of the passwords that they are storing it in in a plain text in the database because if you limit the passwords to say 64 characters they are afraid the users are afraid that the company is limiting the length of the password because they are storing the passwords in a database in a column which is 64 characters wide and they just cannot fit anymore so

sometimes users are afraid that the company is storing passwords in plain text if they limit the length of the passwords it might be true and it might not it actually doesn't reveal anything because sometimes the rules are there for just whatever reason but it's not the password storage so but it might be true it might not so um yeah uh this is a spell this is especially true when there is a password breach or database breach or database leak um in that very moment the people are more wondering actually and they are asking how the company is storing their password so if they store it in a really bad way or if they store it in a secure

way this is a i have a story from chatbot servers shitbow is a is a minecraft servers or is a company running minecraft servers and they got breached i think few months ago so they just announced it on on their forum and people started wondering for example like this guy froze j he asked what hashing algorithm was used for storing the passwords because uh the original announcement said only that the attackers got a hold of you know one-way encrypted passwords nothing else so he was wondering what hashin algorithm was used for storing the passwords he asked on a public forum and yeah so he got really interesting answers like this one from another member of the of the forum

and thanks bruce from passwordresearch.com for sending me this so i can use it in my talk um yeah if they told you that there will be no point in the encryption and there is a head bank emoji so yeah let's just not go into details here because you know hashing and encryption something different and getting hov's principle and yeah let's just let's move on well the official answer was this one it wasn't much better they said that don't worry the passwords were hashed and sold it and managed professionally no idea what does it mean they didn't specify the algorithm but they just said it was managed uh sorted and hacked professionally um i'll publish my slides then there is a link

if you want to verify it and check that and comment on that maybe i don't recommend it but yeah so luckily there are companies who are actually not afraid to completely disclose their password-reaching policies i'll wait the next slide for you yeah luckily there are companies who are really not afraid to disclose complete details what they are doing to user passwords like for example facebook this is a this is a screen from uh alec muffet talk from passwords 14 from norway which was the talk was about facebook password hashing policies and um you know authentication and everything so this is a this is a slide from the from his talk and this is what facebook

does to their passwords and they do a lot of things to the passwords but they have the reason for that uh seriously just i recommend to watch the talk because he's talking about that like for i don't know 40 minutes or something so um yeah they use several layers of that but uh at the core of it there's script here and some of some hmacs here they have reason for that so i will not uh i will not go into details uh seriously just watch the talk and but this is completely what they do to the to the user passwords and they are not afraid to disclose it and they are not afraid to tell us

there are other companies who are not afraid to tell us what they do to the to their passwords for example like uh like lastpass they just uh they have it also yeah facebook facebook did that in a talk so it's not somewhere on their side it's not on facebook.com it's just in a talk by a security guy from facebook uh lastpass they they publish it on their side and they say that lastpass utilizes the pbk something which shows something else to turn your master password into the encryption key they got more details there as well this is just a this is just a short short text copied from from uh from the side so they are also not afraid to disclose

how they uh how they store user passwords the same thing goes for for one password they are also not afraid to tell us what they do to the user passwords they have released 60 pages long pdf which completely describes the security design of their one password for teams and one password for families which is really nice and one password is also doing a really nice thing they are sending jeff to las vegas every time every single year i don't know why but thanks thanks yeah okay so there are also some other nice companies and smaller services which are doing the same thing they are disclosing how exactly do they store user passwords and um one nice example is scott helms report

uri report.io which is a service which is really nice service for aggregating content security policy reports and http public keeping reports really nice service for doing that and he's got this information this important information which says want to know our password reaching policies sure check out our frequently asked questions so he's got this on a login page and on a sign up page as well right next to the uh to the to the field where you enter your password right there it's just there which is really nice and these companies you know facebook's got a lot of private data last pass well probably as well um the same thing goes for the for the service uh they got a

lot of um a lot of reports of from government security policies so they are not afraid to disclose um what the how do they store user passwords there is more companies like this and i have actually started collecting them you know some people collect you know empty beer cans and stuff like this so i collect sites um this is my site um i call it you know my heart patriot czech and um you can find there a link to to to a subdomain called pulse i have uh several sides of that i will just show this show the site in a few seconds it's supposed to be a part of the biggest survey of the internet that's

why i call it pools because i got heavily inspired by work from 18f which is a us government something and they scan us government websites and they just publish the score how you know how good the encryption is there and everything so i want to do something similar but um i'm just using you know one-man show this is one-man show only so it takes more time but let's just move on um so this is why it's called pools because they call it pools as well so i got really really heavily inspired by that um the site looks like this um so i think i right now i have only 20 companies because it's not that easy to

you know get official information on how companies store passwords but so if you look at the site um here i have the company which is called datadock and site apedata.hq.com and they have disclosed that they use bcrypt for storing the passwords so there is more facts like this some of them are czech because i'm from czech republic so i'm asking the companies directly and they know that they should tell me because otherwise i'll just you know make a public pr for them really bad so yeah here are the companies and the sites and the algorithms they use i also came up with the rating system of how good they are so data dock is rated b

this company is rated f well we will learn um why so um wherever i have more details about the company or about the um the password hashing policy they use so i also try to put it on the side so here i have a check company which i was working for in in 2014 so we made a talk about uh what we do to our user passwords and um you can find it on also on my site that we use or the companies decrypt and cost is 10 and they also do some encryption on the hashes and uh they have disclosed it on on a twitter and in a talk um every time i put something into this

site into my site uh it must be already a public information i don't put anything um like you know because sometimes you learn how the companies are storing passwords just by doing let's say penetration tests and so i don't put it there it must already be a public information somebody already must have disclosed it somewhere in a talk on on twitter on facebook or in a docs or somewhere so every time i just put their disclosure and link to disclosures i also make the snapshot of the of the disclosure so that uh if they later think that it was not a good thing to to disclose it's still on the internet and it will stay on the internet

um yeah uh so a bit about the rating system i've come up with um yeah uh the rating system works like this um if you want to score or if the company wants to score a really nice grade in in my in my rating system uh it needs to use a slow hashes that means a b crypt i script pb key that thing and or argon 2 i call it slow hashes right now just for the lack of better naming and if you want to score really perfect um really perfect great like a you also have to disclose that in your docs because uh if you disclose it somewhere in the talk or or on in a blog

post or on facebook or on twitter it's it's hidden nobody will look it um nobody will look for it there because you know um the blog post they just you know disappear in time also that's true for twitter and facebook posts so if you want to score if the company wants to score a perfect perfect grade they just need to tell us uh you know right in the docks because uh that's probably where everyone if you are looking for the information that's probably where you want to look and where you want to look at you will probably not go through the block or facebook or twitters so that's why some of the companies even if

they use b crypt they have they have b they have grade b because they just tell us in a talk and not not that officially then there are other hashes um like you know show one to show three and and under md5 and if the company uses something like that md5 for show on show too and they at least sold it and stretch it and it means they do several iterations of that they score c um or if they just sold the hash they scored e and if just just use plain md5 or plain show one or something like that they score e or if they encrypt the passwords they just don't hash or if

they encrypted they just score e um it could be worse and yeah it could be worse f is for fail and that's plain text there are some companies who are storing plain text as well unfortunately so a and b are somehow safe cde c could be safe as well but we are not sure so these ones are not really nice and this is not nice at all so sharing is caring but some don't care so they don't share so is it okay to to share or disclose um the the the password hashing policy for the company well i think yeah i think it is okay especially if the company uses um you know bcrypt or script or or fun or

hashing functions designed to store user passwords if they don't use functions designed to store user passwords like md5 or i don't know show one or something it's better for them to fix that to use something better and then they can disclose it because um yeah there is no point in not disclosing that if it's if it's facebook and lastpass and onepass for disclosing what they do to the passwords you know there's no point in hiding that so um some companies are afraid that if they disclose what they do to the user passwords that they will get hacked that they will get they will become a target well um i have big i have bad news for them

they already are a target and i'm not talking about target the company well so uh this is a data doc i have data doc on my screenshot somewhere here i think yeah it's called b because they use uh they use bcrypt and um they have they use bcrypt and they have been using bcrypt even uh even before the data breach that has suffered like i think a month ago so they were using bcrypt and they they got hacked as well so um it doesn't really matter how the company is storing the passwords because um companies get hacked and they will get hacked even if they just use whatever they use um it's it's worse if they use plaintext or

md5 or plain show one or something like that but they will still get hacked there is another company who got hacked uh even if they were using bcrypt and that's called actually medicine but i think that the the motivation for hiking engagement medicine was completely different than uh than user passwords but still even if they disclose what they use they get hacked and even if they don't i think the data dog didn't disclose before they get hacked and they still get hacked so there are some tricks for the users how they can actually investigate how the company is storing the user passwords one of the tricks is here it's it's exploiting the php's feature of comparing two strings

so it works like this if you are able to sign up to a site with the passwords two four zero six something like that and then you are able to log into the site with this password q and key or something then uh you can be pretty sure that the company is using plain md5 to store user passwords even without the company telling us well so this tricks works like this um the hash of two four zero something something is starts with zero e and then there are some more adders the same thing goes for nd5 from q and blah blah blah the hash is also 0 e and something for php if you take

two strings which start with 0 e and then something then php compares them as zeros because it's it thinks that it's zero exponent something like this so so they just compare php compares it as zeros yeah exactly so it's possible to detect the password hashing policy if you are able to sign up with this password and then log in with this one uh there are more examples like this um it works also for show one and for plain text as well i got them on my github and you can try that if it's if it doesn't work it doesn't mean that the company is not using md5 they can be doing something else like you know they can just they can be

comparing the strings with uh three equal signs not just two but uh if it works then it's md5 definitely and i've found one side um who one side storing passwords in plain text just using this uh or similar trick so even users can do detection themselves they just don't need the company to disclose that uh yeah um yup so does that mean that i'm afraid yeah so does that mean that one in 256 passwords is is subject because it i mean one in 256 hashes would begin with zero e if if they're if they're comparing this way this is yeah but it depends on how they are comparing that if they will be comparing that with the three equal

signs then this doesn't work but um i think that anyone who uses md5 is already comparing just with two equal signs um or they can be just you know uh fetching the data from the database in a different way but if they are using uh two equal signs here uh then yeah exactly it's less likely than that because all the other digits need to be called the other characters yeah exactly yes they need to be yeah it needs to be hexadecimal string yeah thanks

so yeah sometimes you can just use this slides can be made available online yeah uh anyone else can i go to the next slide right now just asking so um even if the um you know people are able to tell what the hash is just by looking at the hash so if the database leaks then um you just look at the hashes and you're pretty sure that you know this is not a b crypt who thinks this is a big crypt ash oh great so this is md5 so just by looking at the hash you will know that this is md5 or show one or or or a big redhead or something like that so

even if the company gets hacked there's no point in not telling us what exactly they were using for storing the um the user passwords there is a nice example um from antony ferrara who has done this he wrote an application gestureupspot.com and uh he tried to prove that you know security through obscurity doesn't work he has done that uh yeah he gave the users uh two passwords one his password the other one is apple he gave them two salts per the password and he gave them resulting hash what he what the site was missing were the exact algorithms how the hash was calculated so he just gave the user's passwords and the salt and the resulting

hash and uh he gave the users i think it was 15 different algorithms like this and the goal was to come up with the hash of a password foo and sold without actually knowing the algorithm so you had to reverse the algorithm the hashing algorithm you had to reverse that and calculate a new hash for for a new password just by looking at the hash and knowing passwords and salts well that's quite um interesting well the results were really uh nice so there were people i think it was 15 algorithms in total and there were 14 people sorry there were three people who have found 14 of the algorithms just by looking at the hashes just by looking at

the hashes and trying to calculate the passwords and everything there was one guy matthias globe who has actually hacked the app and made it made the app and made the server leak the algorithm somehow so he found a misconfiguration but he was able to to generate all the 15 15 algorithms so just by looking at the hashes people are able to reverse that even if the algorithm is more uh more even if the algorithm is different than just plain md5 or something antony was doing some really weird things to do to the passwords like you know making them reverse and stuff like this i will just not disclose any details if you want to try that just go ahead

uh so just by looking at the hashes even if they are not playing md5 or plain show one just people are looking uh people are able to reverse that quite easily um if any site is using any open source software they are actually disclosing by by design they don't need to even tell us because you know open source software it's just open source so uh so people can look at that and just tell how exactly the site is storing user passwords uh also open source software makes it quite easy to fix actually security bugs in a in password storage uh i have an example here uh this is um prestashop they were using they were using plain md5 to store user

passwords now actually they were using salt as well but it was a static salt it was a result in a configuration so the salt was the full result was the same for uh all the user passwords and somebody told them that hey you you guys should switch to bcrypt from md5 so they did that they did it like this they were calling passwords which is a php function to calculate the bigrid hash and they prepended uh sold to the user password the thing is that the salt was uh 56 characters long and you know b crypt is trimming the passwords at 72 characters so 72 minus 56 i think it's something around 16 maybe so they were actually truncating user

passwords at 16 characters without you know even telling the users uh this was a security issue um i was able to fix that just by looking at the code and you know making a pull request just fixing it in in a few minutes so that's what i like on on open source that you can actually fix simple things or not that simple quite important things like really really easily um they got more issues here like you know they call it crit shop256 for whatever reason and they just call it encrypt not hash but i have fixed that in in in next revisions so that's fixed as well so yeah so i think that it's okay to disclose uh

how the company is actually storing passwords because uh the company doesn't need to be afraid there are other companies disclosing passwords like facebook and twitter as well and just look at my sites there are some nice companies and it's okay to disclose how the company is storing the user passwords especially the site uses um so-called passwords pcrypt script pbk something and are going to and if this if the site is not using any of these uh special password rashes they should just fix that and then disclose and they should definitely let me know so that i can put them on my site because i think that uh if they appear on my side with uh nice

grade that uh the users will love it more because they can feel more you know confident that the company um knows what they are doing and stuff like this uh even if the company is using you know um hashes like md5 and they switch to bcrypt um the users will quite love it because they were like oh yeah you were doing something wrong before but right now you are doing something nice and you are not afraid to tell us that you screwed up before so yeah i've been there and done that as well so i think it's okay to disclose especially if the company is using slow password hashes and yeah that's it from me i think

yeah there are some questions thank you oh thank you questions arnold one quick question in your a and b reading ratings it wasn't so clear from the slide are you requiring salt for the a and b readings uh sorry are you going are you requiring salt uh for the a and b yeah because all the all the algorithms like bcrypt script uh and the other ones they all they already required assault so yeah yeah i'm yeah oh jeff okay just simple one um are you familiar with plain text offenders yeah i am okay yeah i'm just wondering whether you yeah um i want to take it to a slightly different direction because plain text of

offenders is more like just a shaming but i want also want to you know thank the companies for doing great job so yeah i know them yeah um uh you know you said it's it's possible to tell the difference between different hashes but can you tell the difference between just looking at the hash of something without the password of what's an s-crypt b-crypt and what's using pbk df2 or three is it possible uh most of the times yeah because big crypt usually starts with a dollar sign to something the dollar sign so that's a big crypt the script is slightly longer and yeah sometimes it is possible i think it's most of the times yeah yeah

okay it probably if it will be encrypted or encrypted i'm sorry encode it to base64 it could take some more time but i think that it's possible yeah more questions your uh pulse project is it possible to contribute or is it closing yeah definitely it's required to contribute okay it's it's mandatory to contribute and how do we do that just tweet me or send me an email to a link to a public disclosure because i can build in this short bruce from password research already done that they he sent me like three links to to sites who are actually disclosing there is a password so yeah it's mandatory i cannot do this alone thanks you know this this has been an ongoing

discussion for many years that passwords come we are still fighting to to make companies to disclose how they are storing your passwords and my own personal opinion on this is basically that you know if they don't want to disclose you should just you know expect the worst expect the worst yeah it's like either you can be on the good list or i will put you on the list it's it's that simple oh i will probably rename my project yeah i mean over and over again for every new leak we see we see unsold md5 still going on we still see a unsalted shower one and we see all kinds of bad implementations it's like somebody i'm not going to say who if

it is border directors or if if it is the developers but somebody is just not watching the news for the past 10 15 years about all the leaks it's like oh there's a leak well the obvious question anybody on the survey on the ball directors should be asking their own organization is how do we store our customers passwords they don't they don't ask those questions they just assume well we're not stupid so this is not never going to happen to us and we need to change that so again thank you maybe one remark i was talking about actually medicine that they are storing passwords in decrypt but they have done something really bad to the pastors

as well they were storing them also in md5 like besides the big grip passwords so uh if the company scores uh a or b because they tell us that they store passwords in bcrypt they can they still have a lot of opportunities to screw up but this is not possible to verify um we just need to trust them if they tell us that they use b crypt we just need to trust them that they use the b crit so it's not really possible to verify it without hacking the company and i'm not going there so yeah and if you're interested in the ashley madison case as well uh sooner sure prime which is one of the

really good groups doing password cracking for cracking if you can and and other password hashing uh cracking competitions they did a talk at passerscon at the university of cambridge in uk last year where they talk about the well the how ashley madison had done pretty much everything wrong in their password implementation so initially be crypt oh look looks good and then you know kabu okay so we're going to take a break until 12 and the next speaker up is bruce marshall who will also do a really uh interesting talk about how you should be proactively handling password breaches from other sites to your benefit pretty much so back again at 12. thank you thank you