Author Topic: Password crypt unsafe  (Read 2198 times)
GodFarmer
Noobie
*
Posts: 10


Password crypt unsafe
« on: December 27, 2002, 05:46:36 PM »

[Although I can't find any prior mention of this with the search function, this is probably not a very recent issue and it's probably not only addressed to version 1.5.0. However this release is one that promises to offer better security...]

Looking at some of the code of version 1.5.0, I suspect the password encryption can be easily made more safe by using crypt in a traditional way.

To store a given password in the database, it is crypted with the first two characters of the clear text password as salt. Similarly, to verify a password against the database, the first two characters of the given password are used as salt to crypt it before verifying it against the encrypted password retrieved from the database.

There are some problems with this: (1) because crypt returns the used salt as the first two characters of its output, the encrypted passwords start with the same two characters as the clear text password, thereby reducing the strength of the encryption from 8 to 6 characters because an attacker gets the first two characters for free; (2) two members with the same password will have an identical encrypted password (saving an attacker a lot of time).

What makes it really odd, is that this can be elegantly fixed by using crypt in the intended way. (Which is encrypting the clear text password with a randomly generated salt - which happens automatically if you call the crypt function with only one argument - and using the first two characters of the stored encrypted password as salt to crypt a given password if you want to verify it.)

Note that changing this would keep all old passwords working because the new verify procedure uses the same salt as the old one does in case the encrypted password starts with the same two characters as the clear text password.

Regards, Bruno.
Logged
mediman
Support Team
YaBB God
*****
Posts: 2858


WWW
Re:Password crypt unsafe
« Reply #1 on: December 27, 2002, 05:57:45 PM »

most hosts make use of md5, there is no way to decrypt! the code is secure as it is!

if you use standard DES...

medi
Logged

mainComm Dev Team
David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

WWW
Re:Password crypt unsafe
« Reply #2 on: December 27, 2002, 05:59:10 PM »

The problem without using a salt such as the first two characters is then the salt is random.  Meaning when someone goes to login the salt is different than when they last changed their password, which is not good.  What really should happen is moving to using md5 which I expect will happen in YSE2.
Logged

GodFarmer
Noobie
*
Posts: 10


Re:Password crypt unsafe
« Reply #3 on: December 27, 2002, 06:07:51 PM »

You're getting me wrong. You only use crypt without salt when storing the password. When the user logs in later on, you use the first two characters of the stored password as salt (which are the same ones that were randomly generated before).

Like this: (Example 1 from PHP documentation)

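<?php
// Storing password: crypt() called with one argument generates a random salt
$password = crypt("My1sTpassword");

// Verifying user input: the stored hash is passed as the salt
if (crypt($user_input, $password) == $password) {
   echo "Password verified!";
}
?>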


Regards,
Bruno.
Logged
mediman
Support Team
YaBB God
*****
Posts: 2858


WWW
Re:Password crypt unsafe
« Reply #4 on: December 27, 2002, 06:14:07 PM »

Quote from: David on December 27, 2002, 05:59:10 PM
The problem without using a salt such as the first two characters is then the salt is random.  Meaning when someone goes to login the salt is different than when they last changed their password, which is not good.  What really should happen is moving to using md5 which I expect will happen in YSE2.

i have 2 second that!

but @ bruno, i know not one yabbse board, which was hacked over the password!

medi
Logged

mainComm Dev Team
kervel
Noobie
*
Posts: 4


I'm a llama!

Re:Password crypt unsafe
« Reply #5 on: December 27, 2002, 06:27:22 PM »

small example to illustrate.

my password is "secret"

yabbse: crypt('secret','se') using the two first letters of the plain text password as salt.

encrypted password is: sefjKaLm7zybE

now notice the encrypted password starts with 'se'. suppose i am an attacker. i take an english dictionary, and i look up all words that start with a 'se'. there won't be too many of them, and i will have found the password "secret" very quickly by just trying all the possibilities (this is called dictionary attack).

so using crypt() this way is not much safer than not using crypt() at all...

now suppose the proper use of crypt:

random() -> 'bl'

crypt('secret','bl') -> blRZeRor8Mgr2 (starting with 'bl')

another user picking the same password:

random() -> 'ar'

crypt('secret','ar') -> arxbmSLDgaJk. (starting with 'ar')

yup, two different encrypted passwords, so an attacker will still have to bruteforce the second one when he found the first one. and dictionary attack is much more difficult, because you have to try the whole dictionary.
Logged
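
The salt handling discussed in the first post, Reply #3 and Reply #5, as an added PHP example that is not part of any post and is not YaBB SE code. The function names and the sample password are assumptions made for illustration; the salt is generated explicitly rather than by a one-argument crypt() call.

```php
<?php
// Added illustration, not YaBB SE code; all function names are hypothetical.
// A two-character salt makes crypt() use traditional DES, as in the thread.
const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Scheme from the first post: salt = first two characters of the clear text.
function legacy_store(string $password): string
{
    return crypt($password, substr($password, 0, 2));
}

// Proposed scheme: random two-character salt, generated explicitly because
// current PHP versions require the salt argument.
function salted_store(string $password): string
{
    $salt = SALT_CHARS[random_int(0, 63)] . SALT_CHARS[random_int(0, 63)];
    return crypt($password, $salt);
}

// One verifier for both schemes: crypt() takes the salt from the stored value.
function verify(string $input, string $stored): bool
{
    return hash_equals($stored, crypt($input, $stored));
}

function demo(): array
{
    $pw = 'secret'; // constructed sample password, as in Reply #5
    $legacyA = legacy_store($pw);
    $legacyB = legacy_store($pw);
    $saltedA = salted_store($pw);
    do {
        // second member, same password; redraw on a salt collision so the
        // comparison below does not depend on chance
        $saltedB = salted_store($pw);
    } while (substr($saltedB, 0, 2) === substr($saltedA, 0, 2));
    return [
        'legacy_prefix_leaks_cleartext' => substr($legacyA, 0, 2) === substr($pw, 0, 2),
        'legacy_same_password_same_hash' => $legacyA === $legacyB,
        'salted_same_password_same_hash' => $saltedA === $saltedB,
        'old_hash_still_verifies' => verify($pw, $legacyA),
        'new_hash_verifies' => verify($pw, $saltedA),
        'wrong_password_rejected' => !verify('secrets', $saltedA),
    ];
}

var_dump(demo());
```

Because verify() reads the salt from the stored value, rows written by the old scheme keep working without a migration step, which is the compatibility point made in the first post.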
mediman
Support Team
YaBB God
*****
Posts: 2858


WWW
Re:Password crypt unsafe
« Reply #6 on: December 28, 2002, 01:03:10 PM »

Quote:
now notice the encrypted password starts with 'se'. suppose i am an attacker. i take an english dictionary, and i look up all words that start with a 'se'. there won't be too many of them, and i will have found the password "secret" very quickly by just trying all the possibilities (this is called dictionary attack).

therefore we never use passwords which you can find in dictionaries! ever use a mix between letters and numbers! ;)

medi
Logged

mainComm Dev Team
GodFarmer
Noobie
*
Posts: 10


Re:Password crypt unsafe
« Reply #7 on: December 28, 2002, 02:34:14 PM »

Quote from: mediman on December 27, 2002, 06:14:07 PM
but @ bruno, i know not one yabbse board, which was hacked over the password!

This is because it's difficult for attackers to obtain the member table of the board. Once you have that table, it won't take much time to find the passwords of the members.

Now one could say "if the member table is usually well-protected, does it still matter that passwords in there are poorly encrypted?". I think that for two reasons it does:

(1) Board members should also be protected from the bad intentions or the carelessness of the board administrator. Of course the administrator can already do anything that any member can do on his board, but the member probably uses the same password for a zillion other things he certainly doesn't want the administrator to have access to. And I know that members shouldn't use the same password everywhere, but even if the member is stupid this does not justify to not offer him better protection when you can easily do so.

(2) YaBB SE should not give a misleading image of security by doing halfhearted one-way encryption of passwords: either they store them plain or with two-way encryption (so it's clear the administrator could retrieve them) or they use crypt the proper way (so you know you have the security guarantees that this normally has).

Regards, Bruno.
Logged
GodFarmer
Noobie
*
Posts: 10


Re:Password crypt unsafe
« Reply #8 on: December 28, 2002, 02:36:09 PM »

Quote from: mediman on December 28, 2002, 01:03:10 PM
Quote:
now notice the encrypted password starts with 'se'. suppose i am an attacker. i take an english dictionary, and i look up all words that start with a 'se'. there won't be too many of them, and i will have found the password "secret" very quickly by just trying all the possibilities (this is called dictionary attack).

therefore we never use passwords which you can find in dictionaries! ever use a mix between letters and numbers! ;)

Please see my other post: even if the member is stupid this does not justify to not offer him better protection when you can easily do so. And still: even with good passwords you lose 2 characters in password strength.

Regards, Bruno.
« Last Edit: December 28, 2002, 02:43:48 PM by GodFarmer » Logged
kervel
Noobie
*
Posts: 4


I'm a llama!

Re:Password crypt unsafe
« Reply #9 on: December 28, 2002, 05:05:00 PM »

Quote from: mediman on December 28, 2002, 01:03:10 PM
therefore we never use passwords which you can find in dictionaries! ever use a mix between letters and numbers! ;)

medi

well, i think most users do not use a perfectly random password, but a password where there is at least some correlation between the two first letters and the rest of the password. and maybe there are ways to exploit that correlation (a dictionary is just one way)

this is reality ! try it for yourself maybe... have a look at the encrypted passwords of your yabbse forum, and try to guess some passwords..

greetings,
kervel
Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Password crypt unsafe
« Reply #10 on: December 28, 2002, 05:17:06 PM »

GodFarmer, why do you use two user accounts here?

I'm talking about Godfarmer and Kervel which are from the exact same IP address today...
Logged

kervel
Noobie
*
Posts: 4


I'm a llama!

Re:Password crypt unsafe
« Reply #11 on: December 28, 2002, 05:17:32 PM »

Quote from: GodFarmer on December 28, 2002, 02:36:09 PM
And still: even with good passwords you lose 2 characters in password strength.

and that means, for 7-bit ascii passwords, a brute force attack (without dictionary) goes more than 16000 times faster.

8 chars -> 67675234241018880 possibilities to try
6 chars -> 4195872914689 possibilities to try
factor = 16129
the factor does not change for other password lengths.
Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Password crypt unsafe
« Reply #12 on: December 28, 2002, 05:18:32 PM »

Now, you're quoting yourself?  ???
Logged

kervel
Noobie
*
Posts: 4


I'm a llama!

Re:Password crypt unsafe
« Reply #13 on: December 28, 2002, 05:19:55 PM »

Quote from: Jeff Lewis on December 28, 2002, 05:17:06 PM
GodFarmer, why do you use two user accounts here?

I'm talking about Godfarmer and Kervel which are from the exact same IP address today...

hi, i am Frank Dekervel, and i am in the same university network as GodFarmer. we are behind a NAT firewall, so we have the same ip address for the outside world (bones.kulnet.kuleuven.ac.be is the firewall of the catholic university of leuven)
Logged
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


Re:Password crypt unsafe
« Reply #14 on: December 28, 2002, 07:25:09 PM »

Quote from: Jeff Lewis on December 28, 2002, 05:18:32 PM
Now, you're quoting yourself?  ???

Hahahhaa.... that's just such a good trait in a person, isn't it?  As I always say "quoting yourself is bad"... j/k.

This issue is perhaps a problem, and I'm sure (I think) that it will be looked at in the creation of YaBBSE 2.  However, I think it's not so critical as to warrant change in the current release (imho).  If you want anything done about it, persuade someone (like me, just ask) to make a mod for it.  If you notice, mods seem to find their ways into the new releases of YaBBSE.

-[Unknown]
Logged