Jackpotting Parking Meters: A Series

I usually spend quite a bit of time talking about security problems I’ve identified, and a little less time talking about solutions to those problems. I don’t often talk about quantifying risk or products that I’ve identified as being particularly secure. Today, this changes.

Duncan Miller Parking Meter

I walked into a local antique shop hoping to find some old locks lying around that I could use for picking / gutting practice. As I walked in, the friendly lady at the counter told me that anything sports related was 20% off, as well as anything made of metal (except coins).

Well, that works perfectly for somebody like me, looking for locks. I ended up leaving with this parking meter, which she posits is from Lake Geneva, WI, before they upgraded to their far superior multi-spot parking system. I asked if she had keys; she did not, but assured me that they are a common key.

Well — I didn’t Google it, assuming that either she was right or I’d just pick my way in. I got it out to my vehicle and shoved a tension wrench and a pick in the front and immediately had my soul crushed — this is a slider keyway, which I can’t pick and which even LockPickingLawyer has struggled with in the past. So I turned to E-Bay, which has replacement keys and cylinders, but they’re ~$50-75 each. Still, I’m stuck with a unit I probably can’t open before my “disinterest cutoff.”

So, the first thing I did was call a local locksmith and ask if he could decode and cut slider keys. He said he could, but, to save time, to send him a photo of the keyway.

Restricted Slider Keyway

I saw the word “Restricted” on there, but I’m like “words, man.”

He replies that it is restricted, and he can’t cut the key. So, I hopped on Google to learn exactly what that means. Turns out the key blanks are restricted (meaning he would need to have the blanks, the authority to cut them, and the software to tell him the bitting). Since I found it unlikely that I would find those services for a good price, I decided to start looking for bypasses.

Bypass #1 — Roll Pin

Roll Pin Hinge

The first thing I notice is this roll pin acting as a hinge at the top of the meter box. This would be way too easy!

I was right — it would be too easy. I did some research and it turns out that the roll pin is retained with a set screw, meaning it won’t slide out without destroying the meter:

Set Screw on Hinge

So that bypass will not work.

Bypass #2 — Access to the hex nut

In the real world, meters are attached to a pole and this approach would absolutely not work since this access point would be blocked by it. But, mine has been removed, so maybe I can remove the nut that retains the lock:

Hex Nut Under Cover

This nut was so loose I could almost knock it off with a firm stream of water. But I backed it off with a screwdriver until…

It stopped moving. The distance between the cover and the tailpiece would not give me enough room to get the nut completely off. So, bypass two was out.

Bypass #3 — Hacking

I’m not proud of what comes next.

Since I was able to back the nut off enough, I was able to expose the face of the lock by almost 1/4″.

At this point, I thought I could potentially file the threads down and then slide the filed down area into the cover, allowing me to rotate the entire lock. I couldn’t find my file, it was midnight, and I needed success:

Using Hacking Tools

At this point, I had to use a hacksaw to get through this. Even with that old, coarse-toothed saw, I was able to get through the lock with just a few moments of work. I’m not proud at all that this was my solution, but I wanted to get in and learn more. Sadly, there are two locks on this unit — and this one just opens up the cash cup. The other lock opens up the mechanism. I’ll have to figure that one out some other time.

If you liked watching Dexter, this is like a locksmith’s blood spatter pattern. These parts are a testament to my lack of picking skills. The $1.75 next to it? That was still inside the meter. Guess I got a discount 🙂

Balancing Risk: A Security Practitioner’s Prerogative

Security isn’t about making things impenetrable; it is about making things secure enough that the value spent getting around them exceeds the potential value gained. That’s why you don’t have gun turrets outside your house, but the military does.

In my professional opinion — this device demonstrates the output of a successful risk analysis and defensive design.

This is how I know:

Meter & Money

The small can you see near the top of the quarters is the cup that retains the coins that you put into the meter. I happened to have $75 in quarters in those blue bags and a few rolls, so I decided I would see what your potential earnings would be for breaching one parking meter.

50 Dollars in Quarters

Above is $50 in quarters. Not quite there. It turns out that to fill this can up, it would take:

Exactly $75. Meaning that if you were to breach a meter, ignoring the obvious legal fees, you would only walk away with $75.

But wait, there’s more!

So, in this meter, one quarter represents 30 minutes of time. There are 300 quarters in $75, so ((300×30)/60)/24 = 6.25 days of continuous 24-hour parking. This also means that the meter was never emptied in that period. If the city comes by and empties the meter, that value gets reset. To maximize your profit, you’d have to track the meter maid, be one meter in front of them with a hacksaw, and spend at least 20 minutes in broad daylight trying to breach the thing. Once you breach one, they will notice and you won’t be able to do it again in this area.

With this said, yes, you can jackpot a parking meter. But it isn’t like Grand Theft Auto, where you run it over and pick up money. In this case, the risk far outweighs even the full potential maximum return. Therefore, as of this blog, I consider these a secure device.

I will continue exploring the security of these devices when I can get the mechanism open. So this may change.

Thanks for reading.

Lockboxes and Key Space Exhaustion

On a rare occasion, I’ll have a chance to check out a thrift shop or antique store and see what sorts of locks or security equipment they have for sale. I’ve wanted to check out those realtor lockboxes for some time, but didn’t want to spring $25 for minimal entertainment value.

Today, I stopped in a Goodwill and saw a Kiddie KeySafe unit for sale for $4.99. I decided that price point is exactly what I’d pay for an otherwise useless toy. The first thing I did was open the manual it came with:

Kiddie KeySafe

The instructions state right away that “KeySafe is a convenience product, not a security product.”

Boy, they couldn’t be more correct.

What is “Key Space”?

In cryptography, key space expresses how many permutations are available within the boundaries of a key. To put it plainly, if you can only have a PIN number that is four digits, then you can choose anything between 0000 and 9999. This gives you 10,000 possible permutations (or a key space of 10,000).

What is “Key Space Exhaustion”?

When you don’t know a password or PIN, you’ll generally start guessing numbers. You may start with “0000”, then “0001”, and keep going. Banks will see this sort of activity and freeze an account, but lock boxes are not like that. You can try every single number until it opens. Key Space Exhaustion is when you go through, iteratively, each permutation until you get an “unlock” state.

What do Lock Boxes have to do with this?

I gave myself a rather relaxed time trial and found that I can enter a code (whether wrong or right) on average in around 5.25 seconds for a 5-digit code. Most people would assume that is probably pretty good, after all a lock that takes a 5-digit code has 100,000 permutations, right? That would mean I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked. I’d argue that’s reasonably secure.


Except one little funny thing: Lockboxes do not have permutations that spread across the entire spectrum of possibilities. Some lockboxes have limiting factors, such as:

  • Numbers can only be entered once, so 1-2-3-4-5 is a valid code, but 1-1-2-3-4 would not work.
  • Number Ordering is Irrelevant, so 1-2-3-4-5 is equivalent to 5-4-3-2-1, which greatly brings down the key space.

Identifying Lock boxes with this Fault

You can identify the first issue (each number usable only once) by pressing a button and listening for a click. If it only clicks once, it probably only accepts each number once. For the second issue — I do not currently know a way to tell without actually testing it, but it is probably safe to assume most are designed this way.

As for my lock… This lock can accept either 5, 6 or 7 digit combinations. For sake of clarity, I am operating under the pretense that folks are going to use 5-digit codes (Pro-tip: It is probably the address of the building).

With those constraints in mind, how much does that reduce the Key Space?

Key Length   Full Key Space   Actual Key Space   Permutations
4-Digit      10,000           210                List
5-Digit      100,000          252                List
6-Digit      1,000,000        210                List
7-Digit      10,000,000       120                List

Yikes! That deescalated quickly.

As I mentioned before, I did a time trial. I set my lockbox to 01279. As you can see in my permutation lists on GitHub, that is the 20th 5-digit code available. It took 1:45 for me to “breach” the lock by going code to code, trying and clearing each one. So, remember when I said it would take 6 days to breach that 5-digit lock? Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes. That’s insanity. 22 minutes implies that I will hit your code last.


This is a complete design fault and is something manufacturers should look to improve upon. The actual time it would take to breach this lock can vary, as I would have to try the 5, 6 and 7 digit lists. With that said, there are ways to make the breach more rapid for these variable-length locks. Stay tuned.
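To put numbers on the key-space table and the time trial above, here is an added example (my own code, not the author’s GitHub lists): with each digit usable once and order ignored, a code is just a subset of the ten digits, so the space collapses from 10^n to C(10, n). It reproduces the table, the position of 01279 (20th), the 1:45 it took to reach it at 5.25 s per attempt, and the ~22 minute worst case, and goes one step further by totalling the 5-, 6- and 7-digit lists the post says would all have to be tried.

```python
from itertools import combinations
from math import comb

DIGITS = "0123456789"
SECONDS_PER_TRY = 5.25  # the post's measured time to enter and clear one code


def full_key_space(length):
    """Every digit string of this length, assuming repeats and ordering count."""
    return 10 ** length


def actual_key_space(length):
    """Each digit usable once and order irrelevant: a code is a subset of the
    ten digits, so only C(10, length) distinct codes exist."""
    return comb(10, length)


def code_list(length):
    """All valid codes for this length in lexicographic order, each written
    with its digits ascending (the canonical form, since order is ignored)."""
    return ["".join(c) for c in combinations(DIGITS, length)]


def canonical(code):
    """Rewrite a code as its digits sorted ascending, e.g. '97210' -> '01279'."""
    return "".join(sorted(code))


def position(code):
    """1-based position of a code in the ordered list for its length."""
    return code_list(len(code)).index(canonical(code)) + 1


def seconds_to_reach(code, per_try=SECONDS_PER_TRY):
    """Time spent if codes are tried in list order until this one is hit."""
    return position(code) * per_try


def worst_case_seconds(lengths, per_try=SECONDS_PER_TRY):
    """Time to exhaust every code of every accepted length."""
    return sum(actual_key_space(n) for n in lengths) * per_try


def full_space_days(length, per_try=SECONDS_PER_TRY):
    """Days to exhaust the naive 10**length space at the same pace."""
    return full_key_space(length) * per_try / 86400


def key_space_table(lengths=(4, 5, 6, 7)):
    """{length: (full key space, actual key space)}, as in the post's table."""
    return {n: (full_key_space(n), actual_key_space(n)) for n in lengths}


if __name__ == "__main__":
    for n, (full, actual) in key_space_table().items():
        print(f"{n}-digit: {full:>10,} naive vs {actual:>4} real codes")
    print("01279 is code #%d, reached after %.0f s" % (position("01279"), seconds_to_reach("01279")))
    print("5-digit worst case: %.1f min" % (worst_case_seconds([5]) / 60))
    print("5+6+7-digit worst case: %.1f min" % (worst_case_seconds([5, 6, 7]) / 60))
```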

Rekeying a Kwikset Deadbolt

I’ve been largely an information security-heavy person, so I’ve decided that I need to start getting “physical” with physical security. I’ve bought a bunch of padlocks, picks, pins, tension wrenches, keys and the like. I’d love to show you how to lockpick, but I’m a novice at best and there are much better videos out there.

Today, I’m going to show you how to use a handy re-pinning kit on a Kwikset Deadbolt (I’ll do a door handle later on).

Before we start

  • I am not affiliated nor compensated by Kwikset, or from the Change-A-Lock folks
  • I actually did a Schlage kit first, but I wanted to have Kwikset tools as well.
  • I bought the locks and kit for this blog, yes you shouldn’t post pictures of keys — I’m okay with a blog being public :). The door knob and deadbolt kit was $21.99, the key change kit was $7.99 at Menards (A Midwest version of Home Depot).
  • I was distracted and blew my lock up (driver pins and springs everywhere). Imagine my surprise, however, when I saw two spool pins — IN A CHEAP LOCK! Thanks Kwikset!
  • If your lock is a Kwikset SmartKey product (the keyhole has a small slit next to it) — there are much easier ways to rekey your lock. Don’t follow this advice.
  • You will need one of the following to rekey, even if it is unlocked:
    • Mad lockpicking skillz
    • A working key for the lock

Reasons to Rekey

Rekeying makes all old copies of your key useless. If you have friends, family, or neighbors you once were crazy enough to give a key to — you are a candidate. If you are a landlord and want to save the expense of locks on your building, or if you are moving into a new residence — these kits are about $1.25 per cylinder (most houses have a locking doorknob and a single-cylinder deadbolt) — so about $2.50/door. This is much cheaper than the $21.99 I spent on the lockset used in this blog.

Enough about me!

KwikSet Door Knob and Change-A-Lock Kit

I will do a rekey right out of the package — you will need to remove the knob from your house to get started. If you can’t fire up a screwdriver and knock out two screws, you’ll need to call an ambulance because you might need help.

The Change-A-Lock Kit

Change-A-Lock Kit

The Change-A-Lock kit comes with colored/coded pins, a plug follower, a clip remover, new keys, instructions, and sometimes a few other tools (a spring tool or an allen wrench, for example). You can get away without these tools (using pliers and a socket, for example) but for the price the kit is totally worth it. You can also buy large pin assortments from Amazon or E-Bay, but then you’ll need to visit a locksmith to get a key cut. Your typical hardware store can only -duplicate- keys, not originate them from a code. So there’s that too.

I had a key cut by a locksmith yesterday from code for a later project — he charged a $6.00 code fee and then $2.80 for each key blank I wanted. With tax, out the door was $9.02 for one key. So you’re looking at ~$11.50 for a set.

Removing the cylinder

Rim Deadbolt in escutcheon plate

Slam a bottle of bourbon and then say “escutcheon plate” five times fast.

This picture shows a typical Kwikset cylinder without “SmartKey”, no little notch next to the keyway. What we will do is remove the escutcheon plate by sliding it down the tailpiece:

Escutcheon aside cylinder

Next, breathe in a lot of air, because you will probably say a few dirty words in this step. Use the E-Clip remover to remove the clip and tailpiece:

Removing E-Clip

The E-Clip is the dark (black oxide) metal ring around the base of the tailpiece. Hold the cylinder and press the indentation around the lock to push off both sides of the e-clip. Now, set the tailpiece, removal tool, and e-clip to the side:

Insert key, turned 45 degrees to the right

Next, insert your original key and turn the lock 45 degrees to the right (if you go left here, you may lock the cylinder down by dropping the driver pins into construction holes. Don’t do that).

At this point, be VERY CAREFUL. If you pick it up by the key, you will extract the cylinder and the driver pins and springs will go everywhere and take you about 42 minutes to find (some idiot I know did this by accident. It was me).

Without pulling the key or cylinder out, use the plug follower to push the back of the cylinder out of the bible (the bible being the remainder of the lock).

Plug Follower

You’ll see the cylinder come out of the bible, and you won’t have springs and driver pins go everywhere.

The five brass pieces you’re seeing here — those are your original key pins. Keep them if you ever want to rekey to the original.

Original Key Pins

If you insert your original key and push back down on the brass key pins, you’ll see they all sit level. This is how a lock checks your key.

Repinning the Lock

Repinning a Cylinder

The above picture shows the pin order from the instructions (with the key code visible on the head of the key). Remember — the pin at the tip of the key is at the rear of the cylinder — being pin #5.

The top key and colored pins are from the replacement kit. The bottom are the original. The color has no use except to make identification easy for you.

Insert the pins into the cylinder, and then insert your key to make sure they sit level:

New key pins

If you find that your pins are NOT LEVEL — being over or under the shear line — make sure you’re using the -new- key. If they are still not level, dump them out and try again. You may have reversed the order. You also want to make sure the pointed end goes -into- the hole first. That is the part that contacts the key. If they are level — great, let’s go ahead and push out your plug follower with the new cylinder.

Make sure you hold your cylinder like you did before — 45 degrees to the right of the top of the cylinder, and then push out the plug follower with the cylinder:

Reinsert Cylinder

At this point, you may re-attach the e-clip (remember the tail piece). Then, move your key so the teeth point up (0 degrees) and remove the key — it is now locked!

You have rekeyed a lock!

Once you do this a few times, you will be able to knock these out in under five minutes a lock.

If you want to blog about keys — feel free to, but my new project https://keyoftheweek.com highlights why you should be very careful posting pictures of keys online.

Cheap Lockpicking Tools

Lockpicking, or locksport, isn’t the most expensive habit to start up. Oftentimes, you have locks lying around (old computers have them, so do old file cabinets, etc.). If you’re willing to put in a little elbow grease, you can avoid the expensive tools. Buy a few of the common picks and tension wrenches, and then use fine sandpaper and polish to make them as smooth as you can. It makes a huge difference when it comes to feeling the lock internals.

Where is the cheapest place to get tools?

AutoZone Storefront

AutoZone? Yes… Or any other auto parts store. You see, most of the ones that have modernized now install some components for free. Bulbs, batteries, as well as windshield wipers.

But those have nothing to do with lock picks!

You haven’t looked into the image close enough. If you had, you’d see this:

I said cheap, when I really meant to say “Free”

Winter Wiper Blade in AutoZone Garbage Can

Now — if you’re as unlucky as I was, you’ll find one of these winter wiper blades. These have a large blade of steel inside. If you’re lucky, the rubber will not be glued to it and you’ll be able to use it. In this case, rubber was glued to it, so I simply discarded it.

Mix of Winter and Summer Wiper Blades

I totally lucked out, though: I found some normal summer blades (if you’re in the South, this is all you’ll have). These usually have two inserts (which is why folks like LockPickingLawyer call them “wiper inserts”).

Wiper Inserts Extracted

It really helps to carry a Leatherman or similar… The ends are barbs, so you’ll want to ease them out of the metal carrier frame, then tear the rubber wiper off the metal backing. At that point -carefully- remove the two metal inserts. This is spring steel, and is quite rigid.

Here is the inside of a Winter blade — not all are like this, but the ones that are, toss ’em.

Make sure to do the right thing and toss the wipers back in the can. Sometimes you’ll find wipers in the grass from other folks who were too lazy to toss ’em out. These can be harvested too.

Here’s the take from two summer blades and two winter blades.

The four silver strips on the bottom are the summer blade inserts, the 2nd from the top is a winter insert (that would work pretty well for picks and rakes), and finally, the glued-on wiper blade on the top. That one is trash unless you’re really hard up.

Useless Tension Wrench

With a small section of a summer blade, I made a tension wrench. I doubled it up, which resulted in ~0.068″ thickness on the insert portion. Needless to say, this isn’t fitting in many locks, so it was really a waste. The summer blades I grabbed were 0.110″ by 0.030″, but YMMV.

Others will want to make actual picks and rakes out of this. I already have a pick set, so that would have been useless for me. If you decide you do, you can get nice scalable vectors from GitHub (https://github.com/redditlockpicks/designs).

If you’re getting into locksport — check out my new project: https://keyoftheweek.com — Each week there will be a challenge where you use images of keys to figure out the type of key, and then decode the bitting order for points. Meaningless internet points, but points nonetheless.

Low Skilled Access to Locked Firearms

Security doesn’t stop on computers. I wanted to take a common firearm lock and demonstrate a low skill attack on breaching the wafer core on the device.

In my experience, this lock is equally as easy to SPP (single pin pick) as it is to rake open, but to truly highlight how easy it is… I went for raking.

Raking is a technique where you take a picking tool that looks like a snake, and you insert it into a lock while applying tension. You can then draw the rake along the pins/wafers until all of them are set on a shear line. Raking is a quick and effective way to breach low security locks… As you’ll see.

I’m a bit of a mouth breather, so I covered it up using a song YouTube recommended. With that said, it’s a bit loud. Sorry:

I read 500 SSL Certificates so You Don’t Need To


First things first: There is no such thing as an SSL certificate. There are digital certificate key pairs, and then there are the protocols: SSL and TLS, namely. But I’m mentally unable to break the habit of calling them “SSL Certs”, so it made it into the title.

The goal was to grab the Alexa Top 500, and do a quick scan of their certs — length, time until expiration, issuers and so on. My goal failed when I realized Alexa will give you the top 50, and wants simoleons to do so. This made my decision to use the Moz Top 500 an obvious fix — with a smooth CSV export to boot!

There’s some duplication across the top 500 (list-manage.com and list-manage1.com, google.com and goo.gl). There are also differing services from the same vendor (YouTube and Google, Microsoft and Bing). I made no effort at deduplicating either of these, my feeling being that they still reflect a large part of the internet and therefore have the same impacts.

So I set off on building a script to browse to the Top 500, and throw it into a database. It worked pretty well for most of them — 76 didn’t make the cut. I then turned off peer name verification and got that down to 60. Turning off certificate verification dropped that down to 50.
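An added example of how such a scan can be built in Python with only the standard library (my own code, not the script the post used): `fetch_cert` does the handshake with the same fallback order the post describes (full verification, then peer-name verification off), and the remaining functions compute validity length in days, days to expiry, and the per-issuer counts and averages behind the two charts. The `SAMPLE_CERTS` records are constructed in the shape `getpeercert()` returns, so the analysis part runs offline; the issuer names and dates in them are made up.

```python
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5):
    """Return the getpeercert() dict for host, or None if both attempts fail.

    First a fully verified handshake, then one with peer-name (hostname)
    verification disabled. Turning verification off entirely is not tried:
    Python's getpeercert() returns an empty dict in that mode, so nothing
    would be learned from it."""
    for check_hostname in (True, False):
        ctx = ssl.create_default_context()
        ctx.check_hostname = check_hostname
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.getpeercert()
        except (ssl.SSLError, OSError):
            continue
    return None


def name_field(rdn_seq, field):
    """Pull one attribute (e.g. organizationName) out of the nested tuple
    structure getpeercert() uses for 'issuer' and 'subject'."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == field:
                return value
    return None


def validity_days(cert):
    """Length of the validity window, notBefore to notAfter, in days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has lapsed."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def issuer_stats(certs, min_sites=2):
    """Group by issuer organizationName: site count and average validity in
    days. Issuers seen on fewer than min_sites domains are dropped, as the
    post did to keep its chart readable."""
    by_issuer = defaultdict(list)
    for cert in certs:
        org = name_field(cert["issuer"], "organizationName") or "unknown"
        by_issuer[org].append(validity_days(cert))
    return {
        org: {"sites": len(days), "avg_validity_days": round(sum(days) / len(days), 1)}
        for org, days in by_issuer.items()
        if len(days) >= min_sites
    }


def _cert(org, not_before, not_after, cn):
    # Constructed record in getpeercert() shape; not data from any real site.
    return {
        "issuer": ((("countryName", "US"),), (("organizationName", org),)),
        "subject": ((("commonName", cn),),),
        "notBefore": not_before,
        "notAfter": not_after,
    }


SAMPLE_CERTS = [  # constructed sample, dates chosen to give round numbers
    _cert("DigiCert Inc", "Jan  1 00:00:00 2018 GMT", "Jan  1 00:00:00 2020 GMT", "a.example"),
    _cert("DigiCert Inc", "Mar  1 00:00:00 2018 GMT", "Mar  1 00:00:00 2019 GMT", "b.example"),
    _cert("Let's Encrypt", "Jun  1 00:00:00 2018 GMT", "Aug 30 00:00:00 2018 GMT", "c.example"),
    _cert("Let's Encrypt", "Jun 11 00:00:00 2018 GMT", "Sep  9 00:00:00 2018 GMT", "d.example"),
    _cert("Lone CA", "Jan  1 00:00:00 2018 GMT", "Jan  1 00:00:00 2021 GMT", "e.example"),
]

if __name__ == "__main__":
    for org, row in issuer_stats(SAMPLE_CERTS).items():
        print(f"{org:15} sites={row['sites']} avg_validity_days={row['avg_validity_days']}")
```

Point `fetch_cert` at a list of hostnames to build the real dataset; each returned dict drops straight into `issuer_stats`.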

Most Popular Issuers

Top Certificate Issuers in the Moz Top 500

Of the 450 domains I was able to pull a certificate for quickly and programmatically, I found that DigiCert Inc. was -by far- the most popular issuer of certificates. Any sites that had unique certs (e.g. it was the only site that used that vendor) were ignored to keep this list easy to read.

Again, there’s duplication here — GoDaddy.com and Starfield Technologies are the same issuer, just different names.

I was really happy to see my personal favorite — Let’s Encrypt — made the list. I have no affiliation with them other than using their free certificates for my websites (including this one). The only reasons I can see for companies to continue to consume paid certificates are:

  • They don’t realize Let’s Encrypt offers free certificates for both standard and wildcard certificates
  • They don’t want to deal with 90-day certificate expiration, and don’t have the ability to rollout certbot or the equivalent
  • They are still within the validity period of their current cert, riding that out until expiration.

Average Validity Length (Days)

Moz Top 500’s list of certificate providers, ordered by average validity length in days

Charts, graphs, pies… Only one of those is fun in a meeting. Since we’re all out of pie, I decided to add a nifty drop shadow to this one. I’m sure you appreciate the beauty.

In the graph, you can see on the left that Thawte Inc. comes in at 1,106 days average validity for their certificates. That seems like an awfully long time for a certificate to be valid, and I was curious who was using those:

https://npr.org/
https://list-manage.com/
https://list-manage1.com/
https://bmj.com/
https://xiti.com/
https://blackberry.com/
https://iso.org/
https://unicef.org/

Well, good to know I guess… Nobody is going to most of those anyway. Obviously I’m listing domains here — not all of which I’ve been to myself, so if you don’t like the content, then I probably wouldn’t either.

On the other hand, Google Trust Services certs are at 84 days, and as most people know, Let’s Encrypt’s are at 90.

What can we learn from all of this? Maybe not much. Presumably, these are all industry-leading domains, so their choice of vendors and lengths may highlight some interesting information.

Stop Using Security Questions

Please stop using security questions.

Why security questions were designed with good intentions

If you forget your password, a site can ask you a series of security questions. This allows you to recover your account while still potentially authenticating you with questions only you know.

Account recovery options are always a great idea, but doing so with security questions is bad.

Insecurity Questions

Seriously — they introduce insecurity. In my experience, I’ve come across a form like this:

What is your favorite color?

Your security question must contain at least five characters!

What do you think the most popular colors are? Red? Blue? What about teal, gray/grey, etc.? A form I’ve come across actually had a 5-character minimum, which removed options from this answer and made guessing black/green/white/yellow a bit easier. My wife will tell you that everybody from the 90’s would say “Crayola Cerulean” is their favorite — I’m inclined to agree.

Facebook even has a feature where people can “know you better” where you can answer questions about yourself and paste it on your profile. Yikes!

Mother’s maiden names are easy to get from your social network (click you, click your mom, look at her friends names, or look at whom you call “aunt”, “uncle” etc).

Distributing Security Questions

I once saw an admin who would screenshot a page that showed users’ security questions. This page existed to help admins verify users are who they say they are over the phone. Instead of using it for this function, people were screenshotting this info and sending it to users who “forgot” them. Yikes.

I’m a site user — what should I do?

If a site insists you complete security questions, generate random text and throw that in the box. If you need to recover the account later, paste in that random text. While there, look for the company’s security@ e-mail, Twitter, etc. Tell them to fix it.

I’m a webmaster on the world wide web

Heh, old terms. Disable the requirement for security questions, remove account recovery until you can fix it. Replace it with CAPTCHAs and allow them to reset it via an e-mailed link. Make the link valid for <30 minutes, and with a bunch of entropy in the query string. Don’t store the expiration in the query string. If their e-mail is compromised, they indeed can steal this account. For this reason, it is imperative for users to have secure e-mail accounts. Also, wipe the security questions out of the database. If you’re compromised, those answers can quickly become public.
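An added example of the e-mailed reset link described above (my own code, not from the post): the token carries 256 bits of entropy in the query string, only its SHA-256 is stored server-side together with the expiry (so the expiration never travels in the link and a leaked table does not contain live links), it is valid for 30 minutes, and it is single use. The in-memory dict stands in for the database table.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # the post's "valid for <30 minutes"

# Constructed in-memory stand-in for a database table, keyed by the
# SHA-256 of the token: the plaintext token exists only in the e-mail.
_reset_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a reset token for user_id and return it for the e-mail.
    Only the hash and the server-side expiry are stored."""
    now = time.time() if now is None else now
    # Any earlier unused token for this user is revoked; one live link at a time.
    for rec in _reset_tokens.values():
        if rec["user_id"] == user_id:
            rec["used"] = True
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    _reset_tokens[_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return token


def build_reset_link(base_url, token):
    """The link that goes in the e-mail: entropy in the query string, nothing else."""
    return f"{base_url}/reset?token={token}"


def redeem_reset_token(token, now=None):
    """Return the user_id the token belongs to if it is live, else None.
    The lookup is by hash, the expiry comes from the stored record (never
    from the request), and a token can be redeemed only once."""
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return None
    rec["used"] = True
    return rec["user_id"]


def purge_expired(now=None):
    """Housekeeping: drop records that can no longer be redeemed."""
    now = time.time() if now is None else now
    dead = [d for d, r in _reset_tokens.items() if r["used"] or now > r["expires_at"]]
    for d in dead:
        del _reset_tokens[d]
    return len(dead)


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print(build_reset_link("https://example.test", t))
    print("redeem #1:", redeem_reset_token(t))  # alice
    print("redeem #2:", redeem_reset_token(t))  # None, already used
```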

What if I follow the email reset and security questions?

You could. It’s better than no email reset.


A Quick Shout-out to Marriott Hotels

Peepholes — The Window you didn’t know you had


UPDATE: Marriott hotels has been breached, leaking ~500 million accounts, potentially with passport data. So, you know, that’s a pretty big contradiction to this post. Otherwise, I’ll leave the post intact.


Any hotel will have a peephole through the door, a small tube with a fisheye lens at the outside that allows you to see if there is a pizza delivery person or a murderer in a clown suit outside your door.

If you walk up to these peepholes from the outside, and try to look in, it is very hard to see the room — with some fisheye lens correction, you can revert the image to a somewhat original state. Other risks, for example, are if somebody were to loosen it and install a camera into the hole. This isn’t as crazy as it seems.

Lastly, even if you use it the old fashioned way, an observer from outside can see if light is coming through it and becomes obstructed (from you looking through it). This can validate if you’re home, and that you’re on the other side of the door.

I have traveled often for both work and pleasure, and the only hotel chain I’ve seen that installs shutters on their peepholes is Marriott (and Fairfield Inn, owned by Marriott).

Just a shout out to them as a thanks for taking security to the next level.

Telltale Signs of Impending Password Breach

For most, password restrictions are an annoyance that prevents them from using easy to remember passwords, like “password” or “123456”. You can generally tell how a company handles your private information, and I’ll teach you a few tricks on determining which sites potentially store your password insecurely.

Smart Password Complexity Requirements

(none of these should be taken to indicate an insecure storage methodology)

  • Minimum character limits (for example, your password must contain at least 8 characters)
  • You must use numbers/uppercase/lowercase/symbols
  • You cannot use a dictionary word
  • You cannot use your name/username/email/other identifier in your password

Stupid Password Complexity Requirements

(it is probable that sites with these requirements are storing your password wrong)

  • Disallowing -any- symbol, be it dollar sign, comma, quotes/double quotes, hashes, less than/greater than, ampersand, and so on
  • Mentioning any upper limit to the length of your password (maximum 10 characters) *
  • Odd requirements, for example, requiring your password start or end with certain characters (letters, numbers) or prohibiting the ends of passwords from having specific characters.

*- There are functional limitations here, like the maximum POST size practical in a browser, yes, but if you can’t use a 100 character password, this is a problem.

What is a Password Hash?

There’s a separate blog post for that wee lil’ question:

What is a Password Hash?

In short, companies that care, use hashing for your passwords.

So you’re calling a company dumb, why?

Properly hashed data will return a relatively short hash from any sized input data — this is important to know, as it highlights exactly why having a maximum password length is a bad thing — it is a clear sign they’re storing your password in a really stupid way, or their devs are stupid. Either way, it means bad security for you.

Now, I love Southwest Airlines — a lot. I love flying with them, I love their attendants, and none of their pilots have killed me. What else can you expect?

Well, I’d expect a certain level of hashing on my passwords:

Their reply wasn’t what I wanted. Basically reiterating the limitations of the form. It should be noted that this does not mean they’re vulnerable or are storing your passwords wrong, but it does make a pretty solid case that it’s possible.

Another company I used a very long time ago was TCF Bank. Now I know what you’re thinking — lmao, TCF. Yeah, their bill pay was garbage, their online banking from the 90’s, etc. I can’t speak for the interface now, but one thing that stuck out to me was the password length limit.

I’m done calling companies out now…

…Mostly because I don’t have more examples off the top of my head. When you see stupid password policies in place, it is generally because of a poorly configured WAF or a poorly built site. They are worried you’ll pass variables or SQL injections into their software, so they filter the characters you use. Properly hashed passwords are completely inert — they are made up of hexadecimal letters without spaces; they will not execute as code.

Oh — One more thing, password resets:

If you reset your password and you get an e-mail back with your password, then they are clearly storing it WRONG. Change all of your passwords (except this site) and stop using it immediately. Close your account if possible. This site, once breached, will present no difficulty to anybody wanting your password.

Finally: Security questions suck really bad. Tell me what your favorite flavor of ice cream is in the comments!

What is a Password Hash?

What is encryption?

Encryption is a reversible message obfuscation technique which applies keys or mathematical models against a string of text. The key here is that, with the proper password or key, you can retrieve the original contents of the message.

Remember making up codes like “A=Z, B=Y, C=X” in school (this is a ROT13 Caesar Cipher by the way)?

That is encryption. Horrible encryption, since it is really easy to break, but it still counts.

What is Hashing?

Hashing is an irreversible message digest technique which applies mathematical models against a string of text. The same string of text will always generate the same output hash.

Let’s use MD5 because it’s old and people will comment on my blog if I mention it:

If I MD5 the word “hello”, I get the string “5D41402ABC4B2A76B9719D911017C592”

Go ahead, try it for yourself!

Every time you run a word through a hashing algorithm, it comes up with the same value. In theory, you can never “decrypt” a hash since the original information is no longer stored in it, just a representation of that data. This is the format’s best selling point, and also its greatest weakness.

Password hashes, if unsalted/unpeppered, are vulnerable to these issues right out the gate:

  • Collisions: since we are using a limited number of characters (in the case of MD5, 32 hex characters or 128 bits), it is fundamentally impossible to ensure there are no collisions when the hashed strings can be both longer and shorter than 32 hexadecimal bytes.
  • Precomputed hashing tables “Rainbow Tables” — With enough time or storage, it is trivial to generate an MD5 hash of every common password (these lists are very easy to get). It is easy to reverse MD5/SHA1/any improperly handled hash. One of the biggest threats to password hashing is evolution — it used to take a “long time” to generate an MD5 hash, now GPUs can spit them out at astonishing rates. When your password is leaked by a company improperly storing your passwords, this is usually the first step — reverse all of the hashes.


What is a salted or peppered hash?

Due to the risks of precomputed hash tables, programmers have to work around the users. People will still pick terrible passwords that rainbow tables will contain. For this reason, a properly salted password is one that contains a randomly generated string for each password on the site. This is important, as using the same salt for everyone is as good as using no salt: people will get an export of your database and generate a new table specific to your application. Having a salt for each password drastically increases the time to successfully attack your userbase (this is where password expiration comes into play).

A peppered hash is a bit more uncommon, but still has its place. This value is an additional salt that exists only in the software. These are generally common across all passwords or are generated from other repeatable values. The purpose is layers — if the database leaks, and the pepper didn’t, it will be harder to get a password.

What is a Password Hash?

Finally — the question the post was made to answer. A password hash is simply a representation of your password that is repeatable and difficult to recover for the owners of the system and for attackers.

When you create an account, your password is hashed, therefore the site has your password but stores it in a secure manner.

When you log into the site later on, your password is again hashed and that hashed value is compared to the one from the time you created your account. If there is a match, you’re logged in. If not, it is “Forgot my Password” time.
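An added example pulling the whole post together (my own code, not the author’s): it reproduces the MD5 of “hello”, shows that a hash is the same fixed length whether the input is five or a hundred characters (the point made about maximum-length limits in the earlier post), shows that an unsalted hash is identical for identical passwords, and then does the account-creation and login flow properly with a per-user random salt, an application-side pepper and a slow key-derivation function (PBKDF2-HMAC-SHA256 here; the post does not name one). The pepper value and the `APP_PEPPER` environment variable are placeholders of my own.

```python
import hashlib
import hmac
import os

# Assumption: the pepper lives in application config, never in the database.
PEPPER = os.environ.get("APP_PEPPER", "constructed-demo-pepper")
PBKDF2_ROUNDS = 200_000


def md5_hex(text):
    """Plain MD5, as the post uses it for illustration. Lowercase hex; the
    post prints the same digest in uppercase."""
    return hashlib.md5(text.encode()).hexdigest()


def digest_lengths(*inputs):
    """Output length is fixed regardless of input length, so a site that
    hashes has no storage reason to cap password length."""
    return [len(md5_hex(s)) for s in inputs]


def same_unsalted_hash(password_a, password_b):
    """Unsalted hashing is deterministic: equal passwords give equal hashes,
    which is what makes a precomputed table useful against a leaked dump."""
    return md5_hex(password_a) == md5_hex(password_b)


def hash_password(password, salt=None, pepper=PEPPER):
    """Account creation: derive a salted, peppered record 'salt$hash' (hex).
    A fresh 16-byte random salt per password defeats shared tables; the
    pepper is mixed in from config so a database-only leak lacks it."""
    salt = os.urandom(16) if salt is None else salt
    peppered = hmac.new(pepper.encode(), password.encode(), "sha256").digest()
    derived = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${derived.hex()}"


def verify_password(password, record, pepper=PEPPER):
    """Login: re-derive with the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex), pepper)
    return hmac.compare_digest(candidate.split("$", 1)[1], stored_hex)


def demo():
    """Two users with the same password get different records, both verify,
    and a near miss does not."""
    a = hash_password("password")
    b = hash_password("password")
    return (a != b
            and verify_password("password", a)
            and verify_password("password", b)
            and not verify_password("Password", a))


if __name__ == "__main__":
    print("md5(hello) =", md5_hex("hello").upper())
    print("digest lengths:", digest_lengths("hello", "x" * 100))
    print("salted/peppered flow ok:", demo())
```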