Friday, September 23, 2016

Not a lot of "yahoo" at YAHOO!

-snip- update 16 DEC: With the recent announcement of yet another Yahoo! breach, this time in 2013, I no doubt expect that the information below applies to data from 2013, not just the 2014 breach anymore.

There is little on the "oh no!" scale that can beat waking up to hearing that over 500 million user accounts have been compromised on a very popular portal.

Unfortunately for YAHOO! such is the case. Well, such was the case - in 2014 - when the breach supposedly occurred. Comments from the company seem to indicate that there was an idea, albeit not confirmed, that there might have been a compromise, but until now it was not cast in stone. As of yesterday, YAHOO! has confirmed that the breach did in fact occur, real data was stolen and that data can/could include email addresses, passwords (hashed), address information, telephone information and so forth.

The prime suspect appears to be a nation state actor, or actors. Until more information on this becomes evident however, it may not be wise to start pointing at possible targets.

What we want to focus on, is the passwords aspect of the breach. The passwords were hashed using the bcrypt algorithm, although some information coming forward indicates there may be mixed hash types - possibly from imported/merged sites that YAHOO! took over. Either way, the majority are bcrypt according to YAHOO!.

Bcrypt, based on the Blowfish cipher is no small fish when it comes to password security. It is harder to crack (especially with brute-force techniques) than many other widely used hash algorithms, and it is generally very "slow" to attack as it is not efficiently processed by GPU-based cracking software.

Of course, the real matter is not so much the algorithm but the passwords. Bcrypt may be slow to crack,  but if passwords like 123456 or password1 are in use, they are going to fall pretty quickly when cracked, Bcrypt or not. At 500+ Million hashes - assuming all accounts had a hash - there are going to be a lot of "easy" passwords.

So what is an "easy" password for YAHOO!? Let's examine their password rules from around 2015;

Note: I obtained this information from YAHOO! help sites, and other sources. If incorrect please let me know.

Password Length : Minimum of 8, Maximum of 32
Complexity : No plaint-text only,  requires mixed alphanumeric.
Password History : Yes, cannot use previous.
Password Tip : "Mix up lowercase & uppercase letters, numbers and symbols to create a strong password (instead of a weak one)."

From the above, a few things are clear. Firstly, YAHOO! is not the worst candidate for user password requirements out there. Secondly, they avoided and checked for plain words so hopefully, "password" will not account for hundreds or more of the passwords in the leak once cracked.

However, where the above requirements do fall a bit short is;

  • A minimum password length of 8 should really be at least 9 or higher. 
  • Their "tip" says use lowercase, uppercase, symbols, numbers etc - however their password verification only checked if you had used alphanumeric. i.e, instead of )ThE00Big#BrownFOX$ you would be allowed to use thebigbrownfox1
  • A maximum of 32 characters may not fit the needs of those using Password managers such as 1Password that can do much higher candidates, and allow one to have high levels of complexity in their password. 
Given the above, we therefore are expecting to see some passwords being cracked in the leak as;

[email protected]
[email protected] (or [email protected]. etc)
Password1 (or 2 or 3 etc...)
yahoo123 (or other triple-digit)
and so forth..

The other risk we are expecting to see realized is that people who shared their passwords amongst a few sites will still be using them there, allowing attackers to "script" scanners to try their credentials on other popular sites. 
Additionally, since the YAHOO! account was probably used for email, the entire account and probably the same password could have been used by many  to register on other sites. 

The result for YAHOO! ? I think Per Thorsheim puts it well in this excerpt from CNN Money:

"This is massive," said cybersecurity expert Per Thorsheim on the scale of the hack. "It will cause ripples online for years to come."

Our view?

"Please assume the brace position!"

-Article by Dimitri Fousekis, Bitcrack Cyber Security  t: @rurapenthe0