Friday, June 8, 2012

eHarmony's response: Really weak

Just like LinkedIn, eHarmony found themselves victim to hackers this week. But unfortunately (and again, just like LinkedIn), the hack revealed that eHarmony had failed to take even basic precautions to secure users' passwords.

Read all about the security gaffe in my blog post here.

And here comes eHarmony's not-so-mea culpa. It's even less inspiring than LinkedIn's official comment on the matter.

eHarmony says that "a small fraction of our user base has been affected" which is probably half-true since it seems that only 1.5 million of their passwords were leaked (presumably eHarmony has a much larger user base than this). Though they are probably also deluding themselves (or their users); the hackers only released the passwords that they needed help cracking. And, indeed, help did arrive.
Less than two and a half hours later, someone with the username zyx4cba posted a list that included almost 1.2 million of them, or more than 76 percent of the overall list. [...] As of Tuesday, following the contributions of several other users, just 98,013 uncracked hashes remained. (ArsTechnica)

eHarmony, like LinkedIn, has to scramble to save face here. They can't just come out and say, "we were incompetent, sorry." But their actual comment, "Please be assured that eHarmony uses robust security measures, including password hashing and data encryption", is just a blatant falsehood. Password hashing on its own is not "robust security"; password hashing, salting, and iterating is robust. Had actual "robust security" been in place, the hacker community would not have been able to crack those 1.5 million passwords as quickly as it did.

But it gets worse: "We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches." Oh, yes, let's throw every techie-sounding term out there to impress our users! The one that really irks is "load balancers". Come on, eHarmony, you have got to be kidding with that one. Your load balancers are part of your "sophisticated security" measures? Load balancers do what it sounds like they do - they evenly distribute website traffic so no one server is overburdened. And what role do load balancers play in securing user passwords? None. None whatsoever. Lame. So, so lame, eHarmony.

Not "sophisticated," cut the BS
For all their claims of "sophisticated security" they failed to make use of the most basic password security best practices out there. And these aren't new, cutting-edge techniques; the kind of encryption best practices we're talking about are almost ancient by tech standards. But somehow eHarmony's and LinkedIn's developers missed that memo.

It's clear that their PR department is intent on painting them as the helpless victim here. The magically powerful hackers broke through their "robust" and "sophisticated" security and had their way with poor eHarmony. But the reality is that while, yes, anyone can get hacked, this is why you take all reasonable measures to properly encrypt your user passwords. They did not take all reasonable measures. They followed only one of the three best practices for securing passwords and now have a black eye because of it.

The hackers broke in, shame on them, but they should have found nothing more than a collection of millions of additional locks. They didn't. Shame on eHarmony. Now own up to it.

LinkedIn's response: Weak

After LinkedIn's password hacking fiasco this week, they released a blog post describing the incident and the steps they're taking to recover from it.

It's not very impressive.

The Real Lesson of the LinkedIn Password Hack, pt1

Technology is confusing but encryption and the mysterious world of hacking exist on a whole other level. It’s Matrix-like tech voodoo. 

Hackers are a 21st-century boogeyman. They possess incomprehensible powers, ninja-like access to any digital domain they choose. They can outsmart your cleverest developer. If a hacker wants your company’s data, you are powerless to stop it. Right?

Probably, yes (sorry, this post isn’t about reassurances). But that’s not the lesson of the LinkedIn debacle.

LinkedIn was hacked. It happens. But the encoded passwords that the hackers posted revealed something much more disconcerting: LinkedIn’s password encryption was awful. Borderline criminally negligent, in fact.

The Real Lesson of the LinkedIn Password Hack, pt2

In part 1 I explained the logic behind the first password best practice that LinkedIn was just barely smart enough to use. Now we explore the simple - yet shockingly effective - ways to further enhance password security.

Password Best Practice #2: Use a random salt to produce unique hashes.
A “salt” (no clue why it’s called this) is simply extra random text that is added to your password. Instead of encoding “mypassword” the site will encode “mypassword/2dsdjkl23r”. Notice the different result:

91dfd9ddb4198affc5c194cd8ce6d338fde470e2 = “mypassword”
eb8b3a04fb5bb65ecc02f40e83fa4d8065b26af6 = “mypassword/2dsdjkl23r”

And every user gets her own random salt. So all of the fools who used the weak “mypassword” will end up with different encodings:

6097a22f84896b07dcd240f18b2a79ff84bec499 = “mypassword/8sadfljk23j2d08”
85673bdb67447ca772199344de3fbb9ddb360368 = “mypassword/jkl34rjsdf89kl”

So even if one “mypassword” account is compromised, the other “mypassword” fools are still safe, for now. Better.
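To make the point concrete, here is an added Python example (my own illustration, not code from this blog, LinkedIn or eHarmony). It reproduces the unsalted SHA-1 of “mypassword” shown above, then stores the same password for two users with per-user random salts in the post's “password/salt” layout, and counts how many stored hashes a single precomputed wordlist table matches in each case. It also goes one step past the post and shows the third practice mentioned earlier (iterating) with PBKDF2. The user names, passwords and wordlist are constructed sample data.

```python
"""Unsalted vs. salted vs. iterated password storage (added illustration)."""
import hashlib
import hmac
import os


def sha1_hex(text: str) -> str:
    """Plain SHA-1 of a string, hex-encoded: what an unsalted store keeps."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: str) -> str:
    """Salt appended after a '/', mirroring the post's 'mypassword/2dsdjkl23r' layout."""
    return sha1_hex(password + "/" + salt)


def new_salt() -> str:
    """Fresh random salt per user: 16 bytes from the OS CSPRNG, hex-encoded."""
    return os.urandom(16).hex()


def register_unsalted(users: dict) -> dict:
    """Store username -> SHA-1(password). Identical passwords give identical hashes."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def register_salted(users: dict) -> dict:
    """Store username -> (salt, SHA-1(password/salt)). Each user gets a unique salt."""
    store = {}
    for user, pw in users.items():
        salt = new_salt()
        store[user] = (salt, salted_sha1(pw, salt))
    return store


def verify_salted(store: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare against the stored digest."""
    salt, digest = store[user]
    return hmac.compare_digest(salted_sha1(password, salt), digest)


def dictionary_hits(stored_digests, wordlist) -> int:
    """Audit check: how many stored digests does ONE precomputed word->hash table match?
    Unsalted: one table covers every user. Salted: the table matches nothing."""
    table = {sha1_hex(w): w for w in wordlist}
    return sum(1 for d in stored_digests if d in table)


# Third practice, iterating: PBKDF2-HMAC-SHA256 with a per-user salt and a work factor.
def pbkdf2_record(password: str, salt_bytes: bytes = None, iterations: int = 200_000) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$dk_hex'."""
    if salt_bytes is None:
        salt_bytes = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt_bytes, iterations)
    return f"pbkdf2_sha256${iterations}${salt_bytes.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Parse the record, rerun PBKDF2 with its salt and iteration count, compare safely."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample data (not real users or a real leak).
USERS = {"alice": "mypassword", "bob": "mypassword", "carol": "correct horse"}
WORDLIST = ["123456", "password", "mypassword", "linkedin"]

if __name__ == "__main__":
    unsalted = register_unsalted(USERS)
    salted = register_salted(USERS)
    print("alice == bob (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("alice == bob (salted):  ", salted["alice"][1] == salted["bob"][1])
    print("wordlist hits, unsalted:", dictionary_hits(unsalted.values(), WORDLIST))
    print("wordlist hits, salted:  ", dictionary_hits([d for _, d in salted.values()], WORDLIST))
    rec = pbkdf2_record("mypassword")
    print("pbkdf2 verify:", pbkdf2_verify(rec, "mypassword"), pbkdf2_verify(rec, "Mypassword"))
```

The salted SHA-1 here is only to mirror the post's illustration; for a new system the PBKDF2 record at the bottom (or bcrypt/scrypt) is the shape to copy, because the iteration count is what makes every guess expensive rather than merely unique per user.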

But even this isn’t perfect.