Incidents

Hotmail: Your Password Was Too Long; We Fixed it For You

Earlier this year, about 6.5 million LinkedIn account password hashes were published on a hackers’ forum. The hashes were simple SHA1 digests computed from the user’s passwords, as stored into the LinkedIn backend infrastructure.

It didn’t take long for hackers to start cracking them, with over half of them cracked in almost no time.

There are two main reasons why such fast cracking was possible:

* the usage of the SHA1 function itself
* fast GPUs

Let’s take a look look at both.

The SHA1 function was mainly designed to replace the weaker function MD5. It was created to be fast, and indeed it is. On an AMD / ATI 7970 graphic card, “hashcat” (see https://hashcat.net/oclhashcat-plus/) calculates a bit over two billion SHA1 hashes per second. This means a lot of combinations can be tested in a very short time.

To overcome this “problem”, modern and more secure algorithms exist, such as the sha512crypt function used in Ubuntu and recent versions of Fedora Core Linux. Instead of 2 billion hashes per second, the same GPU card cracks only a bit over 12,000 sha512crypt combinations per second. For instance, checking one billion sha512crypt combinations takes about 24 hours; but less than 1 second for SHA1.

Because of today’s fast GPUs, one good advice when it comes to security is to choose a complex password, that:

* includes both uppercase and lowercase chars
* includes at least one space character
* includes numbers
* includes several symbols such as !@#
* it is not based on a known word
* it’s at least 12 chars in size, but the longer the better

Many of the people I know use passphrases that are between 20 and 50 chars in size. This is a good advice which makes it unlikely that even in the event that your password hash is leaked, nobody will crack it.

Imagine my surprise today when I tried logging into an older Hotmail account and got the following:

Microsoft account passwords can contain up to 16 characters. If you've been using a password that has more than 16 characters, enter the first 16.

Microsoft account passwords can contain up to 16 characters.
If you’ve been using a password that has more than 16 characters, enter the first 16.

My previous password has been around 30 chars in size and now, it doesn’t work anymore. However, I could login by typing just the first 16 chars.

This limitation is well known (see Graham Cluley’s excellent post on the password limits of various services) however, what caught my attention was that by cutting the password to 16 chars, it would work.

To pull this trick with older passwords, Microsoft had two choices:

* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest

Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password.

To be honest, I’m not sure which one is worse.

PS: My teacher said always think positively and try to end with an optimistic note. So here goes: “Thanks Google for GMail”.

Hotmail: Your Password Was Too Long; We Fixed it For You

Your email address will not be published. Required fields are marked *

 

Reports

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

Subscribe to our weekly e-mails

The hottest research right in your inbox