9

We are saving password in a database using PHP:

return hash('sha256', PASSWORD_SALT . $password);

Recently a (fortunately) good hacker SQL-injected us and cracked some passwords including the admin one.

The story did not ended dramatically or terribly like in Hollywood movies, because he was kind enough to point us the holes. (We "thanked" him accordingly.)

Now that the holes have been patched, we are afraid that there might be some holes somewhere else as the code base is large. The questions are:

  • How on earth did he crack the password so fast (few hours to less than a day)? PASSWORD_SALT is quite long, stored in the source code and he did not have it. Also, a blank password is not accepted in the PHP code.
  • We assume we should change the hash/encryption for existing and future passwords. Which encryption do you recommend so that the exposed password is more secured?

He told us that he use some software and dozen of desktop machines available to him in his company. He said he is a bored security expert in some large firm, so he has the means to do stuff.

Anders
  • 65,052
  • 24
  • 180
  • 218
Phung D. An
  • 1,051
  • 2
  • 11
  • 13
  • 2
    See also [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – Sjoerd Jun 20 '18 at 13:32
  • 3
    Have you tried asking the hacker how he could crack the passwords so fast? – Sjoerd Jun 20 '18 at 13:32
  • @Sjoerd : we asked, he told us that he used some software and dozen of desktop available to him in his company. He also said he is a bored security expert in some large firm, so he has the mean to do stuff. Also, we have google and read alot of stuff, but they just make us more confused. – Phung D. An Jun 20 '18 at 13:36
  • 1
    Was it possible to set a blank password? If so, would get the hash of the salt on it's own to crack, which could then use to crack other accounts. – Matthew Jun 20 '18 at 13:40
  • @Matthew : the UI does not allow blank pwd but he might have done some trick, good point. I am looking at the source code and NO, he can't – Phung D. An Jun 20 '18 at 13:46
  • Ultimately, I think you're going to need him to show you what he did, we can give our thoughts and ideas but they won't confirm how he did it. You really need to speak to him about it in greater detail. –  Jun 20 '18 at 13:53
  • @JoshuaJones : ok, thanks. I guess we should try our best to let him spill out how he cracked the pwd. – Phung D. An Jun 20 '18 at 13:56
  • There will be plenty of people here who can theorise and you can make your own theories too but it won't get you a definitive answer you will *only* get that from the person that carried out the attack. –  Jun 20 '18 at 13:58
  • Please define "quiet long": how many characters, from what set? – Xenos Jun 20 '18 at 15:18
  • 1
    I'd suspect the attacker was able to set an arbitrary password (possibly blank, possibly an injection itself to show your code or something) to help get the "pepper". You said the UI doesn't allow it, but does the server code enforce it? The attacker probably won't be using the UI. – Ben Jun 20 '18 at 15:53

3 Answers3

16

First of all, what you call PASSWORD_SALT isn't really a salt. A salt is different for every password, and stored in the database. What you have is something that is shared by all passwords, and stored in the source code. That is commonly called a pepper.

So how did the attacker crack your passwords so fast, without knowing the pepper? He probably created a new user for himself, so he has one user for which he knows the password. He can then try to brute force the pepper on that user, since he knows what password he should concatenate it to. The key here is that he does not have to crack the pepper and a password at the same time. He can first crack the pepper, and then crack passwords. This is much, much simpler.

A single iteration of SHA-256 is not a good password hashing algorithm. It is way to fast. According to these benchmarks for a 8x Nvidia GTX 1080 setup, you can try around 2 billion hashes per second. If we give the attacker 12 hours, that's almost 1014 hashes. On average, that's enough to crack a pepper with log2(1014) - 1 = 45 bits of entropy. That corresponds to, for instance, 10 random lower case letters.

Once you have the pepper, you can start cracking passwords. Since they probably have lower entropy than the pepper it should be much quicker.

For how to do password hashing right, see this question.

Anders
  • 65,052
  • 24
  • 180
  • 218
  • I accepted this answer as it makes sense to me and clears things in my head. He did create an account (and used that to showboat us haha) Side note: the opensource call it SALT, not me, I barely understand salt & pepper. Thanks !!! – Phung D. An Jun 20 '18 at 21:31
2

How on earth did he crack the password so fast ( few hours to less than a day), PASSWORD_SALT is quite long, stored in the in source code and he did not have it. Also, blank pwd is not accepted in php code

Well, i'am sure that he used one or more computers with build in GPU's. Maybe he is running multiple GPU's in CLI Mode. What that means is, that multiple GPU's like the GTX1080 accomplish the same task for one operation. In this case hashing strings in SHA256 from a password list and compare it with the hashed password strings he found in your database.

To give you an example how many passwords the GTX1070 can hash and compare in a second, i will refer you to this blog I found: https://hashcat.net/forum/thread-5440-post-31067.html

In this example the tester used a EVGA GeForce GTX 1070 SC GAMING ACX 3.0 on a Windows 7 system. The GPU managed to 'crack' 2117.4 MH/s for the SHA256 algorithim.

Then he try to crack at least a few passwords, compare them to each other and where able to determine the salt. With the knowledge how the salt looks like he created a new passwordlist. Starting with the salt followed by his normal passwordlist.


We suppose we should change the hash/encryption for existing and future passwords. Which encryption do you recommend so that the exposed pwd is more secured ?

When a hacker where able to gain hashed passwords it's a matter of time depending on the hash algorithm how long it takes to decrypt most of the passwords. I don't want to recommend a algorithm, because it strongly depents on your computational capability and the loading time. But if you want to get a idea which algorithm is stronger than the SHA256 take a look at password cracking benchmarks: https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

Stronger password policys where another way to delay a cracking process or make it impossible for the hacker to guess the correct password.

ZiY5kE
  • 31
  • 3
  • 4
    This answer doesn't explain _how_ he was able to crack the salt (which is actually a pepper), and it perpetuates the misconception that hashing is the same as encryption. – AndrolGenhald Jun 20 '18 at 15:07
  • Accepted. The hacker just confirm that as long as he has the hash, he will have enough computing power to brute force it. He is kinda a pro one. He also suggested using php built in password_hash(). But I guess I need to 100% sql inject proof, then hash later. Thanks – Phung D. An Jun 20 '18 at 15:15
  • @AndrolGenhald edited from encrypting to hashing. – ZiY5kE Jun 20 '18 at 15:17
  • @AndrolGenhald : the hacker told me that he only need the hashed password, don't need the salt. How he do it, he said he will never tell. I have to believe him as he successfully hacked us – Phung D. An Jun 20 '18 at 15:19
  • @PhungD.An glad i could helped you – ZiY5kE Jun 20 '18 at 15:21
  • @ZiY5kE : thanks, I barely understand your links. Can I ask an extra question: What is the hardest algorithm to crack? How long it would take to crack an encrypted admin pwd with that hard algorythm (estimation is good enough ) ? – Phung D. An Jun 20 '18 at 15:28
  • @PhungD.An: sure! As I can spot in the link I've sended you the GPU needs the most time by hashing VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit. – ZiY5kE Jun 20 '18 at 17:10
  • Its hard to say how long the hacker needts to crack a specific password. It depends on his passwordlist he created. For example lets take the common rockyou.txt passwordlist. The list contains around 14000000 passwords. The GPU in the links example can hash around 74 hashes per Second. This means: 14000000 / 74 = 189189 second / 60 = 3153 minutes / 60 = 52 hours As we can see the hacker needed 52 hours to try the passwordlist. – ZiY5kE Jun 20 '18 at 17:20
  • @ZiY5kE That benchmark is a bit useless for the purpose of determining the strength of any modern password hash where cost can be adjusted. It sounds like the bcrypt benchmark used a cost of 5, which is lower than the original default of 6 in 1999. Nowadays a cost of 12 is the common recommendation. If you do the math and divide the 105700 in the benchmark by 2^7 (difference between cost of 5 and 12), you get about 826 H/s, which is much more reasonable. – AndrolGenhald Jun 20 '18 at 17:30
1

I am skeptical that your description of the circumstances is accurate and reliable. In particular I find it really hard to believe this bit:

PASSWORD_SALT is quite long, stored in the source code and he did not have it.

I read this as a claim that PASSWORD_SALT was secret and impossible for an attacker to guess in any practical amount of time (in technical terms, that it has high entropy). But if we granted this claim we'd have to conclude that the attacker defeated the preimage resistance of SHA-256—that, given nothing but an effectively random output value for the hash function, they were able to find an input that yields that output. And not just any one such input—one that just happens to be prefixed by your supposedly secret, long and unpredictable PASSWORD_SALT.

But of course your hacker did not in fact discover a catastrophic break in SHA-256. So I think your understanding of the circumstances has to be inaccurate. Either:

  1. The hacker actually managed to see your code and learned the value of PASSWORD_SALT;
  2. Your value for PASSWORD_SALT actually is easy to guess by applying the same methods as normally applied for password cracking. Anders' answer's suggestion that the attacker may have created an account with a known password is a plausible method for doing this—cracking a low-entropy salt given knowledge of the password is the same problem as cracking a low-entropy password given knowledge of the salt.

We assume we should change the hash/encryption for existing and future passwords. Which encryption do you recommend so that the exposed password is more secured?

If you're using PHP, recent versions have excellent built-in password storage functionality.

Luis Casillas
  • 10,361
  • 2
  • 28
  • 42