34

I just checked https://haveibeenpwned.com/ and I have noticed that I was pwned, therefore I checked the file that hosts the details of my "credentials", however, I see my email in plain text but the password as a bcrypt hash.

Since hash functions are one way and cannot be reversed, should I still be worried and change all my passwords or am I being too paranoid?

EDIT: When I meant "all my passwords" I meant ones that are not closely relevant/similar to the exposed password. Obviously using the same password for almost all websites is quite stupid IMO.

EDIT 2: I would like to ask for all of you to not share any information about how it is done. Thanks for your understanding.

SergeantSerk
  • 17
    I've just mailed you with the proof that your password was leaked. Please check your mail, and change your password **as soon as possible**. – Benoit Esnard Mar 20 '16 at 22:30
  • 3
    @BenoitEsnard I am very curious: how did you know his details, and how did you mail him? – Ulkoma Mar 20 '16 at 23:47
  • Well that's removed since that website was under transfer as well... – SergeantSerk Mar 21 '16 at 13:54
  • 6
    The answer to "is it possible to get hacked" is always 'yes', no matter what comes after that part of the sentence. (Unless you're living in the woods in a grass hut with no internet. And you're a frog. Or a lizard.) – Tim S. Mar 21 '16 at 18:01
  • 1
    @Ulkoma There are many possibilities. The most likely (IMO) is that: 1. BenoitEsnard took the bcrypt hash, and extracted the salt and cost. 2. BenoitEsnard then started calculating bcrypt hashes of common passwords, using the extracted cost and salt. One of the resulting hashes exactly matched SergeantSerk's leaked/pwned/exposed bcrypt hash. This is an excellent example of why you should not use common/simple passwords, even if you're using them on a site that follows good security practice (which IMO would include use of bcrypt for password hashing). – Tom Dalton Nov 29 '17 at 17:04

2 Answers

51

A brief overview of weak hash algorithms vs. bcrypt

With weak password hashing algorithms, what hackers will do is try millions, or billions of different combinations - as fast as their hardware allows for - and many easy passwords will fall quickly to rainbow tables / password crackers / dictionary-based attacks.

Attackers will try to compare a massive quantity of strings to your hash, and the one that validates is very likely your password. Even if it isn't, you can still log in with it because you've found a collision.

However, bcrypt is different. It's computationally slow, so this cracking will be slowed down immensely. Bcrypt can help slow cracking down to the point where you can only do a few tests per second, if that. This is due to the computational cost factor. You should read this answer by Thomas Pornin for a better explanation:

> If the iteration count is such that one bcrypt invocation is as expensive as 10 millions of computations of MD5, then brute-forcing the password will be 10 million times more expensive with bcrypt than with MD5.
>
> That's the point of having configurable slowness: you can make the function as slow as you wish. Or, more accurately, as slow as you can tolerate: indeed, a slow function is slow for everybody, attacker and defender alike.

So it really depends on the added computational cost. Some custom hardware solutions are able to crack bcrypt hashes at upwards of 52k hashes per second. With a standard attack, and a poor password, you don't have much hope of holding out for long. Again, this depends on the computational cost: even this custom hardware solution can be forced down to 2-5 hashes per second, or even slower.

Do not re-use passwords if you care about the accounts.


I already found your credentials, and "cracked" your bcrypt hash

But I won't hack you, don't worry. This is just to demonstrate why you should update your credentials, and stop reusing your password. You wanted an answer, so what better than a live demonstration?

You're from the U.K., correct? Your bcrypt hash is also $2a$10$omP392PbcC8wXs/lSsKZ5Ojv9.wFQ7opUn7u3YUBNu0kkbff0rB.m, correct? I already "cracked" your password, and I know your accounts. I see you, a thief on the roof. My new satellite link has both infrared and the x-ray spectrum. I see your heart beating; I see you are afraid.

This should go without saying: you should definitely change your passwords. Start changing your credentials now... before it's too late. You should be worried, and you should change your passwords. Now.


Yes, bcrypt can be extremely slow, but...

I actually found a way to completely side-step the brute-forcing process with simple data aggregation and correlation. I wrote a little program that ties a few pieces of information together, and compares them. Not a password cracker or anything like that, but at the end of the day, it got the same job done.

For your privacy - and as per your request - I will not share how I did this on here, but you should know that I am not the only one who can do it. If I can do it, so can others.


However... you need to stop reusing passwords!

You really, really do not want to do this. If one site is compromised, having different passwords on other accounts protects the others from breaches as well.

Update all of your accounts, even ones you haven't used in a while, and stop reusing passwords unless you don't care about them. You may want to consider something like KeePass.

Mark Buffalo
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/37323/discussion-on-answer-by-mark-buffalo-is-it-possible-to-get-hacked-if-my-bcrypt-h). – Rory Alsop Mar 22 '16 at 09:40
  • 1
    I'm confused. I'm assuming the OP's hash was salted, so a rainbow table won't be a vector of attack. But as you said, bcrypt is supposed to be quite strong and computationally costly... Was the OP's password just really short and in the first couple of sets you tried? – fgysin Mar 22 '16 at 10:20
  • @fgysin Sorry for the confusion! I am speaking of general attacks against general passwords. Not just bcrypt/etc. – Mark Buffalo Mar 22 '16 at 11:54
  • 1
    @MarkBuffalo: Yes, but it seems from your answer that you have cracked a salted bcrypt hash. Wasn't bcrypt designed to prevent exactly this? Or is this some strange edge case which makes the attack feasible? – fgysin Mar 22 '16 at 12:19
  • 2
    @fgysin Sorry, OP does not want me to share how I did this. I have to respect his wishes. – Mark Buffalo Mar 22 '16 at 16:43
  • Plz hak me? I'm developing an app and I want to see how strong it actually is. – Tobiq Oct 09 '16 at 03:01
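
The cost-factor point in the answer above, as an added example that is not part of the original posts: it parses the public fields of a bcrypt string and shows how a guess rate scales with cost. The sample string is constructed, and treating 52,000 guesses per second as measured at cost 5 is an assumption (the page gives the rate but not the cost).

```python
import re

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

def parse_bcrypt(hash_str):
    """Split a bcrypt string into its public parameters; raise on malformed input."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    # bcrypt runs 2**cost rounds of its expensive key setup per password check.
    return {"version": version, "cost": cost, "salt": salt,
            "digest": digest, "iterations": 2 ** cost}

def guesses_per_second(ref_rate, ref_cost, cost):
    """Scale a measured guess rate from ref_cost to cost (work doubles per step)."""
    return ref_rate / 2 ** (cost - ref_cost)

def seconds_to_exhaust(candidates, ref_rate, ref_cost, cost):
    """Worst-case time to test every candidate against one salted hash."""
    return candidates / guesses_per_second(ref_rate, ref_cost, cost)

# Constructed sample string (valid layout only, not a hash of any real password).
SAMPLE = "$2b$12$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE)
    print(info["version"], info["cost"], info["iterations"])
    # Assumption: 52,000 guesses/s was measured at cost 5.
    for cost in (5, 10, 12, 14):
        rate = guesses_per_second(52_000, 5, cost)
        hours = seconds_to_exhaust(10_000_000, 52_000, 5, cost) / 3600
        print(f"cost {cost:2d}: {rate:10.1f} guesses/s, "
              f"10M-entry list in {hours:8.1f} h")
```

The salt and cost are stored in the clear inside the string, so a higher cost only multiplies the work per guess; a password near the top of a common-password list is still reached early whatever the cost.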
3

You can't decrypt the hash, because - as you said - hash functions can't be reversed.

You should still change your passwords. Attackers will try to bruteforce the hash, and - if successful - will try the credentials on your email account and possibly further websites.

As you mention "all my passwords" it should also be noted that you should not reuse passwords for anything that is remotely important (and your passwords should also not follow some common structure). For throw-away accounts weak passwords and password reuse may be fine, but for anything else, it is not, exactly because of situations like these: Once one server is breached, attackers will try the credentials on different services as well.

tim
  • 1
    Some hash functions (obsolete, or not intended for cryptography) can be very easily reversed. – SomeoneSomewhereSupportsMonica Mar 20 '16 at 23:28
  • 3
    @SomeoneSomewhere, so a function with variable length input and fixed length output can be easily reversed? It is not bijective; not even surjective. How would you inverse such a function? – Tobi Nary Mar 21 '16 at 07:02
  • 3
    Note: collisions and finding pre-images might be simple. But that is not the same thing. – Tobi Nary Mar 21 '16 at 07:03
  • 4
    "hash functions can't be reversed" is so misleading as to be wrong. It is strictly true to say that hash functions can't be reversed, but what one can do (easily) is try lots of dictionary words and see if they yield the same hash. Given that most people use very guessable passwords that is very effective. (Technically of course, this may not find the user's actual password - it might just find a word with the same hash; of course the attacker doesn't care.) – Martin Bonner supports Monica Mar 21 '16 at 11:03
  • 5
    @SmokeDispenser: "reversing a hash" for a value *means* to find a pre-image for a given image. Since the hash function isn't injective there is more than one possible solution, and it doesn't matter whether you find the same one as the user's password or a different one, because they both work as login credentials. If the hash function isn't surjective then again that doesn't matter provided you're attempting to reverse someone's actual hash value (i.e. a value in the range of the hash function). – Steve Jessop Mar 21 '16 at 11:13
  • @SmokeDispenser: You probably meant *injective* instead of *surjective.* ;-) – Yuriko Mar 21 '16 at 15:28
  • @Yuriko I thought I had that covered as obvious with "bijective, not even surjective". It is obviously not injective and may not even be surjective – Tobi Nary Mar 21 '16 at 15:33
  • My bad, I didn't catch that meaning. I was too focused on the *"what do we need to be able to reverse a function?"* part – Yuriko Mar 21 '16 at 15:47
  • @SmokeDispenser: We are not trying to find the original input, we are trying to find *any* input that gives the same output. This is called a preimage attack. – Dietrich Epp Mar 21 '16 at 22:03
  • Exactly my point. It's not called "reversing", it's called finding a pre-image. – Tobi Nary Mar 22 '16 at 00:18