Sorry for the lack of updates for the past month or so, there have been some major life changes going on which give a new level of meaning to this blog’s title.
My family has relocated to Ann Arbor, MI.
It was a coincidental alignment of events that led Arboreal Security to be based in Ann Arbor, but it really feels like things fell into place like this for a reason.
Now that I have finally settled in a bit, I can get back to highlighting notable security developments and whatnot.
There were some more major password hash dumps revealed this past week. (The release of 420k Formspring hashes was likely hilarious to a segment of the population.)
After some great in-depth research, someone discovered that although the password hashes were randomly salted, the random salt was just two digits prepended to the password hash. Although any salt is better than none, this is pretty poor security. Let's say, for example, that it takes one day for an attacker to run a list of hashed passwords through a dictionary crack. Salts defend against the dictionary attack, since the salt must be added to each dictionary term, hashed, then compared. With a strong, random salt, this makes dictionary cracks unreasonably time-consuming, because the attacker has to repeat the whole dictionary for every distinct salt in the dump. However, with only 100 different salts available, in our hypothetical situation, the whole password list can be run in about 3 months.
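To make the arithmetic above concrete, here is an added example (mine, not Formspring's code or anything from the dump) that models the weak scheme beside a hardened one and carries the "one day becomes three months" estimate through as a function. The exact hash function and storage layout of the weak scheme are assumptions; only the 100-value salt space comes from the post. The hardened form uses a 16-byte random salt per record and PBKDF2-HMAC-SHA256 with an assumed iteration count.

```python
"""Two-digit salt vs. a proper per-record random salt (constructed example)."""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

WEAK_SALT_SPACE = 100        # "00".."99": the two-digit salt described in the post
STRONG_SALT_BYTES = 16       # 128-bit random salt per stored hash (assumed, common practice)
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your own hardware


def weak_hash(password: str, salt_index: Optional[int] = None) -> str:
    """Model of the weak scheme: a two-digit salt stored in front of the digest.
    SHA-1 and the salt||password layout are assumptions for illustration."""
    if salt_index is None:
        salt_index = secrets.randbelow(WEAK_SALT_SPACE)
    salt = f"{salt_index:02d}"
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: fresh random salt per record plus a slow KDF.
    Stored as hex(salt) + "$" + hex(derived key)."""
    if salt is None:
        salt = os.urandom(STRONG_SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)


def distinct_salts(stored_hashes: List[str], salt_len: int) -> int:
    """How many different salt prefixes actually appear in a dump."""
    return len({h[:salt_len] for h in stored_hashes})


def crack_time_days(unsalted_days: float, salt_space: int, num_hashes: int) -> float:
    """The post's estimate, generalized: a dictionary run must be repeated once
    per distinct salt in the dump, which is at most min(salt_space, num_hashes).
    With 100 salts, one day becomes 100 days (about 3 months)."""
    return unsalted_days * min(salt_space, num_hashes)


if __name__ == "__main__":
    # Constructed dump of 2,000 weakly hashed records: never more than 100 salts.
    weak_dump = [weak_hash("correct horse battery staple") for _ in range(2000)]
    print("distinct two-digit salts in 2,000 records:", distinct_salts(weak_dump, 2))

    # Constructed dump of 50 properly salted records: every salt is different.
    strong_dump = [strong_hash("correct horse battery staple") for _ in range(50)]
    print("distinct 16-byte salts in 50 records:", distinct_salts(strong_dump, 32))

    # The post's scenario: one day unsalted, 420k hashes, 100 vs 2**128 salts.
    print("days with 100 salts:", crack_time_days(1, 100, 420_000))
    print("days with 128-bit salts:", crack_time_days(1, 2 ** 128, 420_000))

    record = strong_hash("hunter2")
    print("verify correct password:", verify_strong("hunter2", record))
    print("verify wrong password:", verify_strong("hunter3", record))
```

The point of `crack_time_days` is that the attacker's cost scales with the number of distinct salts the dump actually contains, not with the length of the hash: two decimal digits cap that at 100 no matter how many users there are, while a 16-byte random salt makes every record its own dictionary run.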
It’s slightly better than not salting at all (or not even encrypting…Hello Yahoo! Voices), but still this is yet another shining example of not doing it right.