Give me your password and I’ll tell you if it’s strong.
People with ‘weak’ passwords get hacked, so you need a strong one. Not sure what a strong password is now? That’s fine, tell me it and I’ll use an algorithm to calculate mathematical entropy, or I’ll check a list of common passwords, or… whatever, but at the end I’ll give you a score and tell you how many seconds/months/millennia it’ll take to crack.
Give me your password and I’ll help; you can trust me, I’m a webpage!
This is one problem with password meters. There are plenty out there, but what do they measure? And can you trust typing a real password into them? Troy Hunt – the guy behind Have I Been Pwned – pushed out a resource recently that goes a long way to resolving this.
Maybe you’ve already come across Have I Been Pwned (HIBP)? It’s been in the news quite a lot. Essentially, if you put in an email address, it warns you if that account’s credentials have been leaked in any breaches. You can also sign up to be notified if you appear in future breaches. It’s a great service that numerous governments now use.
Last August, Hunt added the PwnedPasswords feature. Essentially, if you gave it a password, it would tell you if that password was already known from a breach somewhere.
Why is this useful? Think offensively: you’re the attacker and want to crack some passwords, but you know that random guessing (the ‘brute force’ attack) takes forever and burns through however much time/money you have. Then, looking through past breaches, you notice ‘applepie’ has shown up a lot of times (22,855). Looking further, you see ‘idontknow’ (39,822), ‘changeme’ (54,824) and ‘******’ (17,548) turn up a lot. You see keyboard runs are also popular: ‘qazxswedc’ (39,468) and ‘qwerty’ (3,599,486), and the king of them all, ‘123456’ (2,760,336). It seems people are pretty predictable. Faced with a password to crack, aren’t these easy wins worth trying out first? Yes! And before long you have a ‘dictionary’ of these common passwords.
NIST rightly warns “attackers are likely to guess passwords that have been successful in the past [including] passwords from previous breaches.” This is a dictionary attack.
So defensively: if production-use passwords have already shown up in breaches, attackers are far more likely to guess them. This can be a significant vulnerability.
But how do we test for this with production-use passwords? Passwords, like toothbrushes, should never be shared. To use this service, you had to share password data with some web app.
Troy Hunt knows what he’s doing when it comes to building a secure service – he teaches courses on this – and if you follow his blog you’ll see he works hard to keep things ethical. But are you ready to hand over production passwords? The site even warned “Do not send any password you actively use to a third-party service - even this one!”
So it was great news this February when, thanks to Hunt’s hard work and input from one of CloudFlare’s experts, Pwned Passwords version 2 was released. It can now check your password without seeing your password or even seeing a full hash! But how?
If this starts to sound like techno-babble, feel free to jump to the end, grab the tool from my GitHub repo and have a play. It makes more sense to see it in action. You’ll need Python 3 to run it.
How does Pwned Passwords tell if your password’s been breached without seeing your password?
Step 1: your browser hashes your password client-side (i.e. inside your own machine) with SHA1. This produces a string of numbers and letters that makes a strongly unique fingerprint for your password.
Example Password: beepboop
SHA1 hash: 9018F21E83CE46F3EA2E3B73E5D75ECE75407DF7
Step 2: Instead of sending the password itself, or that highly unique hash, your browser only sends the first 5 characters of the hash – not nearly enough to uniquely fingerprint your password.
Example request: range/9018F
You can mimic this request by visiting this URL: https://api.pwnedpasswords.com/range/9018F
Step 3: The service responds with the several hundred hash-suffixes that begin with the given 5 characters and a count telling you how often each hash has shown up in HIBP’s prior breaches.
Step 4: You (or your browser) search the list for the matching hash-suffix and read off the count next to it.
The hash matching the example password ‘beepboop’ has shown up 186 times before. In other words, this password has already been leaked nearly 200 times.
The service doesn’t see what happens at your end – it only sees those 5 characters you submit. Your password could match any of those 300+ hashes in the list it returns or could be something else entirely. If your password is something else, having the start of its hash doesn’t help in any attack I can imagine. It’d likely be easier to brute force a password than do anything with this.
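To make the four steps concrete, here is an added example (my own illustration, not code from Pwned Passwords or from the tool below) that plays both sides: a fake range endpoint backed by a constructed, in-memory breach corpus standing in for HIBP’s data, and a client that hashes locally, sends only the 5-character prefix and matches the suffix itself. The counts in the corpus are the ones quoted in the post.

```python
import hashlib

# Constructed stand-in for HIBP's breach data: plaintext password -> times seen.
# In reality the server holds only the SHA1 hashes, never the plaintexts.
FAKE_BREACH_CORPUS = {
    "123456": 2760336,
    "qwerty": 3599486,
    "changeme": 54824,
    "beepboop": 186,
}


def sha1_hex(password: str) -> str:
    """Step 1: upper-case hex SHA1, the form Pwned Passwords works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Step 3 (server side): stand-in for GET /range/<prefix>.

    Returns one 'SUFFIX:COUNT' line per stored hash whose first 5 hex
    characters match the prefix. The server never learns which suffix,
    if any, the caller is interested in.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch=fake_range_endpoint) -> int:
    """Steps 2 and 4 (client side): return how often the password was seen.

    Only the 5-character prefix is handed to `fetch`; the 35-character
    suffix stays on this machine and is compared against the response.
    Returns 0 when the suffix is absent, i.e. the password is not known.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch(prefix)  # the only thing that leaves the client
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0
```

Swapping `fetch` for a function that performs the real HTTPS GET against the URL given above turns this into a live check without changing the client logic.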
A Free Tool
To open up the workings of Pwned Passwords for a class I ran, I put together a simple graphical tool that exposes how the service works from the client side. Feel free to have a play.
You can grab it at: https://github.com/mr-brad/PwnedPass-tool
I’ve tested it in Python 3.6 under Windows and a few recent versions of Linux. All the source is there, and I’ve put it under the MIT licence, meaning you’re free to copy it, play around with the code, and use it however you like (at your own risk, of course).
I’m not the only one won over by this approach. 1Password, World of Warcraft, EVE Online and various other services have now built this into their password checkers. There are even browser plug-ins. And if you don’t want to interact with the service at all, you can download all the hashes and do everything completely offline.
So here, a ‘strong’ password is one that’s never shown up in a breach before. I feel this is a very practical definition for most cases. That said, passwords like “LetUsIn” and “PA$SW0RD” can still get through, and these could be cracked in other ways. In short, blacklisting ‘Pwned’ passwords can be a solid cornerstone of password security but should not be your only measure – at the very least there should be a minimum length as well. If you’re building or testing a system, NCSC and NIST give excellent, detailed guidance.
If you want to learn more about thinking offensively, have a look at our offensive courses, CTF challenges and ethical hacking certifications. If Pwned Passwords helps you out, look up Troy Hunt, and buy him a drink – he did all the work here!
With services like this we’ll turn the tide.
Sign up to our FREE Password Security event on the 30th July 2018.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.
Brad has worked across IT for many years; from installing, managing and troubleshooting systems, through coding and scripting, to running security and configuring firewall, IDS and network policies. Brad has been training tech for almost a decade and holds certifications from Microsoft, Cisco, CompTIA, ISC2 plus many more. From an electronic engineering background, Brad enjoys investigating different systems and finding new ways they can be manipulated. Brad mainly trains Offensive Security, Intelligence Gathering, Security Management and Cloud Computing. Brad is also GCT certified to deliver GCHQ certified courses.