Biz & IT —

Why LivingSocial’s 50-million password breach is graver than you may think

No, cryptographically scrambled passwords are not hard to decode.

Dan Goodin - Apr 27, 2013 7:00 pm UTC

Why LivingSocial’s 50-million password breach is graver than you may think — Rossographer

Update: A few hours after this article was published, the LivingSocial FAQ was updated to say the company was switching its hashing algorithm to bcrypt. This is a fantastic move by LivingSocial that adds a significant improvement for its users. Bravo!

LivingSocial.com, a site that offers daily coupons on restaurants, spas, and other services, has suffered a security breach that has exposed names, e-mail addresses and password data for up to 50 million of its users. If you're one of them, you should make sure this breach doesn't affect other accounts.

In an e-mail sent Friday, CEO Tim O'Shaughnessy told customers the stolen passwords had been hashed and salted. That means passcodes were converted into one-way cryptographic representations that used random strings to cause each hash string to be unique, even if it corresponded to passwords chosen by other LivingSocial users. He went on to say "your Living Social password would be difficult to decode." This is a matter for vigorous debate, and it very possibly could give users a false sense of security.

As Ars explained before, advances in hardware and hacking techniques make it trivial to crack passwords that are presumed strong. LivingSocial engineers should be applauded for adding cryptographic salt, because the measure requires password cracking programs to guess the plaintext for each individual hash, rather than guessing passwords for millions of tens of millions of hashes all at once. But a far more important measure of protection, password cracking experts say, is the hashing algorithm used. SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithms, it's designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2.

In another understatement, O'Shaughnessy added: "We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same of similar password(s)." It's unfortunate company officials weren't more insistent on this point. Based on everything we know about modern password cracking, it will be trivial for the attackers to crack a large percentage of the LivingSocial passwords. Since the breach also exposed customer names and e-mail addresses, attackers can then try those passwords on other accounts held by the victims and easily access those that match. (The Washington, DC-based LivingSocial, which is partly owned by Amazon, is requiring all account holders to change their passwords.)

In the week following last year's leak of six million password hashes belonging to LinkedIn users, security experts were able to crack more than 90 percent of them in just six days. If the LivingSocial hashes were properly salted, it may take crackers longer to guess the underlying plain-text. But aside from the time investment, salting in no way makes cracking more difficult. The take-away from all of this is that people who used their LivingSocial password to secure accounts on other sites should change those passcodes immediately, and this measure should under no means be considered optional. Passwords should be randomly generated by a password-manager, contain a minimum length of 11 characters, and include numbers, letters, and symbols. They should also be unique to each site.

With 50 million customers affected, the LivingSocial hack is one of the bigger password breaches on record. The 2011 hack of Sony's PlayStation network is still much bigger, with data for around 100 million accounts exposed. O'Shaughnessy said company officials are working with law enforcement agencies to investigate the crime.

Story updated to add detail that LivingSocial used SHA1 algorithm.

Promoted Comments

chanman819Smack-Fu Master, in training
jump to post

The problem is that password encryption or storage security measures should not be viewed as some kind of fortified bulwark that actively keeps out all but the most determined attackers.

A password breach should be viewed as a raging inferno in a building and any security measures in place are analogous to fire-resistant building materials and sprinklers in a warehouse full of flammable goods - they only buy time for the occupants to escape, they don't make it safe to remain inside the burning building.

72 posts | registered Oct 8, 2009
KitsuneKnightArs Scholae Palatinae
jump to post

FrisbeeFreek wrote:
baloroth wrote:
Murphant wrote:
Quote:
But aside from the time investment, salting in no way makes cracking more difficult."

In case of hashed password breaches, time (and the associated computing power/energy) is the only thing that ever matters.

Yeah, this is an odd thing for the article to say. The only difficulty surrounding cracking hashes *is* time, so if you increase the time investment, you do make cracking more difficult. Salting especially, since it prevents rainbow table attacks, and means each password has to be attacked individually. That in turn means only the easy-to-break (8-10 character and/or dictionary based) passwords are likely to be cracked at all. I doubt they'll invest the time to brute force every single password, although of course if your password is "12345" you're still screwed.

Maybe I'm missing something, but shouldn't the salt prevent easy cracking of "12345" because it's really "12345 + salt" = unique hash? Assuming LivingSocial properly implemented the salt, then dictionary attacks should be worthless (which, according to prior Ars articles, it the primary method for cracking), and bruteforce is hardly going to be worth it (as others pointed out, you can crack anything given enough time).

Dictionary attacks have nothing to do with salts. Dictionary attacks, as the name explicitly says, are attacks that leverage a dictionary (you know, of "words"?) to try to guess the passwords.

Salts prevent two things: They prevent using precomputed tables of hashes (such as rainbow tables) to attack a stolen set of hashes (which only get you so far), and they prevent attackers from hashing a guess once and comparing it against 50 million passwords (in this case, to crack all users with the password '12345' they'd have to hash '12345' 50 million times, instead of 1 time if you didn't salt!).

Hackers also don't do a real 'bruteforce' attack, at least for passwords beyond a certain (very short) length. Typically around 8 characters (+- 2 or so, depending on the algorithm). Instead, they use various sorts of attacks that they to guess your password (not just do an exhaustive search of all possible ones). They take a dictionary (which will include things like english words, phrases, previously-cracked passwords, names, etc), and test those. They'll also take each of those items in the dictionary, and mutate them based off various rules, such as '<lastname>[0-9][0-9][0-9][0-9]', because a lot of people use a password that's a last name and a year. Other rules are things like leet-speak versions of the passwords, and about a bajillion others. This is how they can crack so many, even ones they'd never be able to crack via a true brute force attack, even if the site was just using MD5.

787 posts | registered Dec 6, 2009
epixoipSmack-Fu Master, in training
jump to post

G1itch wrote:
So if the salt is 3 numerical digits then that means the password "12345" needs to be checked checked 1000 more times than it would be without the salt being present. I.E. do a hash on 12345000, 12345001, 12345002, 12345003...12345999, until you get a hash that matches the observed hash.

This can increase the time it takes to find a match, depending on the salting method (ie is your salt 3 numerical characters or is your salt 10 alpha-numerical characters). Also, is your salt really unique, how do you generate your salt? Is it at all predictable?

A short 5 character alpha-numerical salt will still only mean 36^5, or approx 60 million extra checks per password, which probably adds a couple of seconds of cracking time per password just using an i7 core processor, not even considering a multi-GPU setup.

No, this is not correct. You're stating that the entire salt keyspace needs to be searched for each plaintext candidate, and this is not true at all. If I use a 64-bit salt but only have 10 hashes with 10 unique salts, I don't need to check 2^64 salts for each plaintext candidate -- I only need to check 10 salts.

So the only thing that matters is the number of unique salts. And the size of the salt is inconsequential; the purpose of large salts is to ensure a unique salt per user. The size of the salt does not otherwise add any complexity to cracking the hashes. And it does not matter if the salt is predictable since it is a known value.

G1itch wrote:
The other thing is, how/where is the salt stored. Is it stored in the same place as the hashes are stored? Every time the user logs in the salt needs to be retrieved by the system, and it is probably stored with the same level of security as the hashed password, so who is to say that the person who stole the hashed passwords did not also steal the salts. Typically if you have access to the hashed passwords you will also have access to the salts.

You always have access to the salts. The salts are not secret. You can have a secret salt, but we call this a shared secret, not a salt, and they are worse than salts because once you know the shared secret, you can crack all of the hashes as if there was no salt or shared secret.

81 posts | registered Aug 21, 2012
lXilElWise, Aged Ars Veteran
jump to post

There are three key components when it comes to password security.

1. Your own password.
2. The password protection methods a company uses.
3. The companies anti social engineering guidelines.

If any one of those fail it's possible you may loose a lot of personal information.

Your own password is the first line that is why it's very important to use long passwords with special characters. "Not leet speak"

The companies protection methods should be strong in this day and age waiting to loose 50 million passwords before you upgrade is not how you do it. In this case you should refer back to one and ask yourself is my password good? If it's |/|1KeL0vesS3x you're probably in trouble "if a database is stolen it's vital that you change EVERY PASSWORD THAT IS REMOTELY CLOSE" no ifs, ands, or buts about it!

If they get access to one of your accounts and it happens to be your recovery account for everything you're fucked.

The companies anti social engineering guidelines is extremely important. What good is a password if you can just call up and pretend to be such and such and reset it to your hearts desire? People are stupid and gullible when it comes to social engineering which makes it very dangerous to you if they have enough privileges to reset your account password or even get into your account.

A password should be protected to the max at all three levels because even a password with a million characters can be completely worthless against social engineering.

191 posts | registered Mar 3, 2012
Azethoth666Wise, Aged Ars Veteran
jump to post

Otus wrote:
Is there a reason not to use both a shared secret and a salt? If you kept the shared secret secret enough some of these breaches would result in no stolen passwords. For example, the shared secret could be kept in RAM only and loaded by the program from another server.

Imagine a Google news release:

Due to a freak electrical storm we lost our shared secret in RAM server. All your Google data is lost. Please start from scratch. Hopefully this will not happen again.

PS: Our bad, we are sorry.

Long story short, anything is possible, but you can not add irreversible failure modes to your business critical applications either. At a Google scale, you cannot even add a 30 minute trip for an engineer to drive in and type the secret back into RAM.

117 posts | registered Jan 20, 2011
epixoipSmack-Fu Master, in training
jump to post

abhi_beckert wrote:
Salted sha1 is perfectly fine if you have a strong password.

Sure, they can crack 90 percent of passwords in a few days, but those are weak passwords and it will take significant resources to crack each individual password in the remaining 10 percent.

Not quite, friend. When you read about a leak being 90% cracked, you have to realize there's only a handful of really talented individuals in the whole world who are able to achieve that kind of recovery rate.

Generally speaking, only about 40-50% of the passwords recovered in large leaks like this can really be considered weak, and quite a few of those are only weak because they're passwords we've already cracked after being compromised on other sites.

The next 20-30% of passwords that we recover range from decent to really quite good. The remaining 10% that we sometimes recover are very strong passwords, and we only find them after running really clever (or hail mary) attacks for days on end. The remaining 10-15% that we fail to crack are likely those that use long, sufficiently-random passwords, or are simply more clever than us.

It definitely depends on the specific leak we're talking about, but generally speaking, your average security expert / penetration tester / casual password cracker is probably only going to be able to recover at most 50-60% of passwords in any given leak; seasoned password crackers will likely recover 70-75%; and truly exceptional password crackers will recover 80% or more.

I don't think you understand what it takes to get to 90%.

abhi_beckert wrote:
The editor suggested using PBKDF2 as a strong alternative to SHA1... PBKDF2 is usually (doesn't have to be) built around SHA1 and all it does is increase the CPU time by a few hundred or few thousand times.

Man, where to start with this one...

Just because PBKDF2 can use HMAC-SHA1 doesn't mean it's somehow essentially the same thing as using SHA1. Not by a long shot.

PBKDF2 is a strong alternative to SHA1, even if you do use PBKDF2-HMAC-SHA1, for precisely the reason you state: it allows you to tune how much work is performed for each hash. "A few thousand times" is a pretty big slow-down, especially with more and more people using 10,000 iterations or more. With a 10,000x slowdown per unique salt we're not going to recover anywhere near 40%, let alone 90%.

abhi_beckert wrote:
You can achieve the same result with any website that doesn't use PBKDF2 simply by tacking two extra characters on the end of your password. A 6 character password with PBKDF2 is much easier to crack than an 8 character password with just SHA1.

Wrong again.

I'm going to assume that you're talking about brute force and random passwords, because if you're talking about human-generated passwords that certainly not true by any means.

So let's look at how much time it would take to brute force a random 6 character password with PBKDF2-HMAC-SHA1 vs a random 8 character password with raw SHA1.

A Radeon 7970 can pull about 3,375,000,000 hashes per second with raw SHA1, and about 140,000 hashes per second with PBKDF2-HMAC-SHA1 with 10k iterations.

6 char password with PBKDF2-HMAC-SHA1 = 95^6 / 140,000 =~ 61 days.
8 char password with raw SHA1 = 95^8 / 3,375,000,000 =~ 23 days.

And again that's talking about random passwords. If we were talking about human generated passwords then adding two characters to your password certainly wouldn't help a bit with raw SHA1. The number of iterations is what kills us. It forces us to do simple yet highly targeted attacks just to get even the weakest passwords.

93 posts | registered Aug 21, 2012

Promoted Comments

chanman819Smack-Fu Master, in training
jump to post

The problem is that password encryption or storage security measures should not be viewed as some kind of fortified bulwark that actively keeps out all but the most determined attackers.

A password breach should be viewed as a raging inferno in a building and any security measures in place are analogous to fire-resistant building materials and sprinklers in a warehouse full of flammable goods - they only buy time for the occupants to escape, they don't make it safe to remain inside the burning building.

72 posts | registered Oct 8, 2009
KitsuneKnightArs Scholae Palatinae
jump to post

FrisbeeFreek wrote:
baloroth wrote:
Murphant wrote:
Quote:
But aside from the time investment, salting in no way makes cracking more difficult."

In case of hashed password breaches, time (and the associated computing power/energy) is the only thing that ever matters.

Yeah, this is an odd thing for the article to say. The only difficulty surrounding cracking hashes *is* time, so if you increase the time investment, you do make cracking more difficult. Salting especially, since it prevents rainbow table attacks, and means each password has to be attacked individually. That in turn means only the easy-to-break (8-10 character and/or dictionary based) passwords are likely to be cracked at all. I doubt they'll invest the time to brute force every single password, although of course if your password is "12345" you're still screwed.

Maybe I'm missing something, but shouldn't the salt prevent easy cracking of "12345" because it's really "12345 + salt" = unique hash? Assuming LivingSocial properly implemented the salt, then dictionary attacks should be worthless (which, according to prior Ars articles, it the primary method for cracking), and bruteforce is hardly going to be worth it (as others pointed out, you can crack anything given enough time).

Dictionary attacks have nothing to do with salts. Dictionary attacks, as the name explicitly says, are attacks that leverage a dictionary (you know, of "words"?) to try to guess the passwords.

Salts prevent two things: They prevent using precomputed tables of hashes (such as rainbow tables) to attack a stolen set of hashes (which only get you so far), and they prevent attackers from hashing a guess once and comparing it against 50 million passwords (in this case, to crack all users with the password '12345' they'd have to hash '12345' 50 million times, instead of 1 time if you didn't salt!).

Hackers also don't do a real 'bruteforce' attack, at least for passwords beyond a certain (very short) length. Typically around 8 characters (+- 2 or so, depending on the algorithm). Instead, they use various sorts of attacks that they to guess your password (not just do an exhaustive search of all possible ones). They take a dictionary (which will include things like english words, phrases, previously-cracked passwords, names, etc), and test those. They'll also take each of those items in the dictionary, and mutate them based off various rules, such as '<lastname>[0-9][0-9][0-9][0-9]', because a lot of people use a password that's a last name and a year. Other rules are things like leet-speak versions of the passwords, and about a bajillion others. This is how they can crack so many, even ones they'd never be able to crack via a true brute force attack, even if the site was just using MD5.

787 posts | registered Dec 6, 2009
epixoipSmack-Fu Master, in training
jump to post

G1itch wrote:
So if the salt is 3 numerical digits then that means the password "12345" needs to be checked checked 1000 more times than it would be without the salt being present. I.E. do a hash on 12345000, 12345001, 12345002, 12345003...12345999, until you get a hash that matches the observed hash.

This can increase the time it takes to find a match, depending on the salting method (ie is your salt 3 numerical characters or is your salt 10 alpha-numerical characters). Also, is your salt really unique, how do you generate your salt? Is it at all predictable?

A short 5 character alpha-numerical salt will still only mean 36^5, or approx 60 million extra checks per password, which probably adds a couple of seconds of cracking time per password just using an i7 core processor, not even considering a multi-GPU setup.

No, this is not correct. You're stating that the entire salt keyspace needs to be searched for each plaintext candidate, and this is not true at all. If I use a 64-bit salt but only have 10 hashes with 10 unique salts, I don't need to check 2^64 salts for each plaintext candidate -- I only need to check 10 salts.

So the only thing that matters is the number of unique salts. And the size of the salt is inconsequential; the purpose of large salts is to ensure a unique salt per user. The size of the salt does not otherwise add any complexity to cracking the hashes. And it does not matter if the salt is predictable since it is a known value.

G1itch wrote:
The other thing is, how/where is the salt stored. Is it stored in the same place as the hashes are stored? Every time the user logs in the salt needs to be retrieved by the system, and it is probably stored with the same level of security as the hashed password, so who is to say that the person who stole the hashed passwords did not also steal the salts. Typically if you have access to the hashed passwords you will also have access to the salts.

You always have access to the salts. The salts are not secret. You can have a secret salt, but we call this a shared secret, not a salt, and they are worse than salts because once you know the shared secret, you can crack all of the hashes as if there was no salt or shared secret.

81 posts | registered Aug 21, 2012
lXilElWise, Aged Ars Veteran
jump to post

There are three key components when it comes to password security.

1. Your own password.
2. The password protection methods a company uses.
3. The companies anti social engineering guidelines.

If any one of those fail it's possible you may loose a lot of personal information.

Your own password is the first line that is why it's very important to use long passwords with special characters. "Not leet speak"

The companies protection methods should be strong in this day and age waiting to loose 50 million passwords before you upgrade is not how you do it. In this case you should refer back to one and ask yourself is my password good? If it's |/|1KeL0vesS3x you're probably in trouble "if a database is stolen it's vital that you change EVERY PASSWORD THAT IS REMOTELY CLOSE" no ifs, ands, or buts about it!

If they get access to one of your accounts and it happens to be your recovery account for everything you're fucked.

The companies anti social engineering guidelines is extremely important. What good is a password if you can just call up and pretend to be such and such and reset it to your hearts desire? People are stupid and gullible when it comes to social engineering which makes it very dangerous to you if they have enough privileges to reset your account password or even get into your account.

A password should be protected to the max at all three levels because even a password with a million characters can be completely worthless against social engineering.

191 posts | registered Mar 3, 2012
Azethoth666Wise, Aged Ars Veteran
jump to post

Otus wrote:
Is there a reason not to use both a shared secret and a salt? If you kept the shared secret secret enough some of these breaches would result in no stolen passwords. For example, the shared secret could be kept in RAM only and loaded by the program from another server.

Imagine a Google news release:

Due to a freak electrical storm we lost our shared secret in RAM server. All your Google data is lost. Please start from scratch. Hopefully this will not happen again.

PS: Our bad, we are sorry.

Long story short, anything is possible, but you can not add irreversible failure modes to your business critical applications either. At a Google scale, you cannot even add a 30 minute trip for an engineer to drive in and type the secret back into RAM.

117 posts | registered Jan 20, 2011
epixoipSmack-Fu Master, in training
jump to post

abhi_beckert wrote:
Salted sha1 is perfectly fine if you have a strong password.

Sure, they can crack 90 percent of passwords in a few days, but those are weak passwords and it will take significant resources to crack each individual password in the remaining 10 percent.

Not quite, friend. When you read about a leak being 90% cracked, you have to realize there's only a handful of really talented individuals in the whole world who are able to achieve that kind of recovery rate.

Generally speaking, only about 40-50% of the passwords recovered in large leaks like this can really be considered weak, and quite a few of those are only weak because they're passwords we've already cracked after being compromised on other sites.

The next 20-30% of passwords that we recover range from decent to really quite good. The remaining 10% that we sometimes recover are very strong passwords, and we only find them after running really clever (or hail mary) attacks for days on end. The remaining 10-15% that we fail to crack are likely those that use long, sufficiently-random passwords, or are simply more clever than us.

It definitely depends on the specific leak we're talking about, but generally speaking, your average security expert / penetration tester / casual password cracker is probably only going to be able to recover at most 50-60% of passwords in any given leak; seasoned password crackers will likely recover 70-75%; and truly exceptional password crackers will recover 80% or more.

I don't think you understand what it takes to get to 90%.

abhi_beckert wrote:
The editor suggested using PBKDF2 as a strong alternative to SHA1... PBKDF2 is usually (doesn't have to be) built around SHA1 and all it does is increase the CPU time by a few hundred or few thousand times.

Man, where to start with this one...

Just because PBKDF2 can use HMAC-SHA1 doesn't mean it's somehow essentially the same thing as using SHA1. Not by a long shot.

PBKDF2 is a strong alternative to SHA1, even if you do use PBKDF2-HMAC-SHA1, for precisely the reason you state: it allows you to tune how much work is performed for each hash. "A few thousand times" is a pretty big slow-down, especially with more and more people using 10,000 iterations or more. With a 10,000x slowdown per unique salt we're not going to recover anywhere near 40%, let alone 90%.

abhi_beckert wrote:
You can achieve the same result with any website that doesn't use PBKDF2 simply by tacking two extra characters on the end of your password. A 6 character password with PBKDF2 is much easier to crack than an 8 character password with just SHA1.

Wrong again.

I'm going to assume that you're talking about brute force and random passwords, because if you're talking about human-generated passwords that certainly not true by any means.

So let's look at how much time it would take to brute force a random 6 character password with PBKDF2-HMAC-SHA1 vs a random 8 character password with raw SHA1.

A Radeon 7970 can pull about 3,375,000,000 hashes per second with raw SHA1, and about 140,000 hashes per second with PBKDF2-HMAC-SHA1 with 10k iterations.

6 char password with PBKDF2-HMAC-SHA1 = 95^6 / 140,000 =~ 61 days.
8 char password with raw SHA1 = 95^8 / 3,375,000,000 =~ 23 days.

And again that's talking about random passwords. If we were talking about human generated passwords then adding two characters to your password certainly wouldn't help a bit with raw SHA1. The number of iterations is what kills us. It forces us to do simple yet highly targeted attacks just to get even the weakest passwords.

93 posts | registered Aug 21, 2012

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica