Today, Cybernews announced a 16 billion credentials exposure, adding weight to the announcement by mentioning Apple, Facebook, Google. I find it curious that services like popular banks or trading platforms aren’t mentioned, as anything involving money adds much more weight and grabs attention, so I’m wondering if they are not part of the breach, or not mentioned for some other reasons. Either way it’s interesting.
The word “breach” doesn’t quite apply, as leaked credentials were supposedly harvested by infostealers. Meaning that there was no single or even multiple incidents, the credentials were collected via millions of small programs installed (knowingly or not) by millions of users, which silently extracted saved passwords, tokens etc.
Nevertheless I quickly verified if anything changed in the way OWASP recommends to manage passwords, and fundamentally it hasn’t changed much in decades – good old salting and hashing. There are changes in the recommended parameters that define how expensive it is to guess (e.g. memory, iterations) – work factors. It also appears that the recommended hashing algorithm is now Argon2id (introduced back in 2015.)
Quick refresher: modern passwords hashing
Just using a CLI to simulate the modern process of hashing a password:
- Produce secure salt:
$ openssl rand -base64 16
vtdiI8Ybw2Ph5IfJ1sQbsw== - Hash using the salt:
$ echo -n "TestPassword" | argon2 "vtdiI8Ybw2Ph5IfJ1sQbsw==" -id -m 16
Type: Argon2id
Iterations: 3
Memory: 65536 KiB
Parallelism: 1
Hash: 124e695563e4f01754effaf335b0db70de3ea907e41dae89c412870635c72da5
Encoded: $argon2id$v=19$m=65536,t=3,p=1$dnRkaUk4WWJ3MlBoNUlmSjFzUWJzdz09$Ek5pVWPk8BdU7/rzNbDbcN4+qQfkHa6JxBKHBjXHLaU
Interestingly, Argon’s Encoded string contains everything needed to verify the password later – all work factors and even the salt. So all we have to store now is just that one line. The original salt is base64-encoded and sits right between the $ symbols:$ echo "dnRkaUk4WWJ3MlBoNUlmSjFzUWJzdz09" | base64 -d
vtdiI8Ybw2Ph5IfJ1sQbsw==
When implemented correctly, password hashes like these are extremely difficult to crack. ChatGPT estimated that cracking the example above would take about 7000 years, and that’s even with no numbers or special characters in the password.
But no hashing can help if the password is stolen right when it’s being typed on the keyboard, so please don’t click suspicious links and don’t download untrusted files.
Leave a Reply