1

Recently my account in a social network has been attacked. The attacker managed to break the password, but thanks to the 2-factor auth, that wasn't enough to access the account. I have received a notification of an auth attempt and a one-time password.

My password that was broken was pretty thick - it was long and contained letters and digits, there is no way someone could just guess it, so all I can think about is bruteforce. I have already changed the password, but it was used on some other websites, too, and that somewhat bothers me.

I know that users' passwords are stored as hashes in websites' databases, and that hashes have such a thing as collisions - when two different strings have the same hash. So it may be possible that the attacker didn't actually brute my actual password, but just some string which has the same hash as my actual password.

My question is: what is the possibility of that? Does the fact of the password break necessarily mean the attacker now knows my actual password?

Andrew Che
  • 2
    `but it was used on some other websites` That's why people shouldn't do that. And bruteforce of a good password is less likely to succeed than compromising devices - do you have your password saved on your computer, maybe? And what makes you so sure every website owner uses hashes (at all, and/or with proper iterations, salt etc.)? – user155462 Mar 12 '18 at 12:20
  • @user155462 Afaik, no one stole my smartphone or laptop, or broke into my home to access my desktop. Plus, you have to log in to my desktop on startup. I haven't logged in on some other devices lately, so I have no idea how that could happen. About hashes: it's a big and famous social network in my country, so I expect them to have proper security measures – Andrew Che Mar 12 '18 at 12:28
  • 1
    You're forgetting the internet. Physical access is not everything. ... About "big and famous", that doesn't anything. Big and famous companies get hacked at least weekly because of reasons like "forgot to not write my root password in the blog", depending on the exact definition of big. – user155462 Mar 12 '18 at 13:11
  • So, it appears that social network had some database leaks in the past. With plain text passwords, too. Never mind the "big and famous"... – Andrew Che Mar 13 '18 at 07:30

3 Answers

7

You are right that hash collisions are a thing, but it is not at all relevant to your situation. Collisions in a good hash function should be so rare that there is no single case of them known to humanity. So the probability that there exist two passwords on any bruteforcer's list that both give the same hash is very, very, very small.

So, someone knows your password. I can only assume one site where you used it was hacked, and attackers are now trying your password on accounts on other sites. The chances are high that your accounts using this password without 2FA have already been breached. This is why you should not reuse passwords!

What to do then? You need to change your password on each single site where you have used this one, and you need to change them to unique and strong ones. No more reuse. This would be a great time to start using a password manager to help you remember all these new passwords you will need.

Anders
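An added example, not part of the original answers: it measures how often a guess that is not the real password still matches the stored hash, first with SHA-256 truncated to 8 bits and then at the full 256 bits, and computes the birthday bound for two entries on a guess list sharing a hash. The password, salt, candidate list and function names are constructed for illustration; bare SHA-256 is used only to show the effect of output size and is not a recommended password-storage scheme.

```python
import hashlib

# Constructed sample data (not from the page).
REAL_PASSWORD = "correct horse 42"
SALT = b"constructed-salt"
CANDIDATES = [f"guess-{i}" for i in range(5000)]


def truncated_hash(password: str, salt: bytes, bits: int) -> int:
    """SHA-256 over salt+password, keeping only the top `bits` bits."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def false_accepts(real: str, candidates, salt: bytes, bits: int) -> list:
    """Candidates that differ from the real password yet match its stored hash."""
    target = truncated_hash(real, salt, bits)
    return [c for c in candidates
            if c != real and truncated_hash(c, salt, bits) == target]


def expected_false_accepts(n_guesses: int, bits: int) -> float:
    """Each wrong guess matches a fixed hash with probability 2^-bits."""
    return n_guesses / 2 ** bits


def pair_collision_bound(n: int, bits: int) -> float:
    """Birthday (union) bound: chance that any two of n inputs share a hash."""
    return n * (n - 1) / 2 / 2 ** bits


if __name__ == "__main__":
    weak = false_accepts(REAL_PASSWORD, CANDIDATES, SALT, 8)
    full = false_accepts(REAL_PASSWORD, CANDIDATES, SALT, 256)
    print(f"8-bit hash:   {len(weak)} wrong guesses accepted "
          f"(expected about {expected_false_accepts(len(CANDIDATES), 8):.1f})")
    print(f"256-bit hash: {len(full)} wrong guesses accepted")
    print(f"10^12 guesses vs one 256-bit hash: "
          f"{expected_false_accepts(10**12, 256):.1e} expected false matches")
    print(f"any two of 10^12 guesses colliding: "
          f"at most {pair_collision_bound(10**12, 256):.1e}")
```

At full output size a matching guess is, for practical purposes, the real password, which is why the reused password has to be changed everywhere it was used.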
3

First of all:

Don't use the same password for multiple services.

For a better understanding of the (non)-importance of collision in regards to password hashing, read this answer.

To get to the real question here:

Does the fact of the password break necessarily mean the attacker now knows my actual password?

No, it does not, because we do not know what hashing algorithm the site in question uses. It is entirely possible that HMAC/SHA-256 is used AND it is poorly implemented, every password is hashed to the same value and therefore everybody can log in to everyone's account with a random password. Maybe the site was hacked, the passwords are stored in plaintext and are not hashed at all. Without knowing what is going on behind the login prompt, it would be unreasonable to speculate about the information an attacker has.

Why? Because it is also possible - and I would say far more likely given the details in your question - that the attacker saw you typing in your password while shoulder surfing or got access to your credentials in another (very unspectacular) fashion. That is why you should immediately change your password(s) and scan your machine(s) for malware. And also, don't use the same password for multiple services.

Tom K.
2

I know that users' passwords are stored as hashes in websites' databases

Well, it should be like that, but some sites used to have poor security practices and directly stored plain text passwords or, almost as bad, encrypted passwords. Hope this cannot be true nowadays on serious sites, but I would not bet much on it.

But if a site is hacked, many things can be possible. Hashes do protect against user database theft. But what if an attacker manages to add some code that intercepts a connection attempt? That code would have access to the username and password in clear text and could send it back to the attacker. Here again, serious sites with nice security practices should detect an intrusion before the attacker could set all that up, but I would bet even less here.

And most of all, what if one of the machines you used at least once to type the password was hacked? The attacker would just know the password...

Serge Ballesta