Here’s a blow-by-blow account of a security researcher’s attempts to crack the compromised Linkedin database. This is a very good example of ethical hacking.

It’s good to get into the mind of someone who found the password m0c.nideknil in the list. At first glance, it looked like a decent password to me. It’s 12 characters long, with one special character and a number. Then I read on, and they explained the problem with that password: it’s “linkedin” backwards with four garbage characters. So it’s hard for a human to guess, but easy for a computer algorithm to guess.

If a good guy takes that approach, it means some of the bad guys take that approach too.

Linkedin messed up because they encrypted their passwords in an entirely predictable way that anyone who can open a command prompt and type md5sum can duplicate. Linkedin failed to add any randomness, or salt, to the encryption; adding it is standard security practice. Not adding randomness is like having a doorknob with a lock, and never bothering to lock the door.

The only way to save yourself in this situation is to use extremely long, complex passwords. I once worked for someone who assumed that the password database would be stolen, so they required hopelessly complex passwords. So we had specific rules to protect our passwords in the event that someone swiped the database.

This ethical hacker’s methodology gives some insight into that policy, which remains the most draconian password policy I have ever seen. The policy required 16 characters minimum, 2 uppercase, 2 lowercase, 2 numbers, and 2 special characters. No keyboard patterns (think 1234qwerty!@#$QWERTY or 1q2w3e4r!Q@W#E$R). No dictionary words, period.

And then the person implementing this decided to impose an extra rule or two on top of what management required. I never liked her much because she would do things like this, and then visibly enjoy it when she saw it making our lives difficult, but never explain what her reasoning was, if there was good reasoning. She disallowed words spelled backwards. And then she cackled like the Wicked Witch of the West when she found out it took us an hour to come up with a new password every 45 days, because of course if you’re going to institute a draconian password policy, why not make the password life short?

We argued that this wasn’t a good idea, because you were shrinking the pool of possible passwords by disallowing anything that has a word in it–especially a word spelled backwards.

Another reason this wasn’t a good idea was because one person would figure out a password that worked, then share it with everyone else. I won’t say everyone else used those shared passwords, but I’m sure some did. Coming up with passwords that worked became a game, and not an easy one at that.

But now I understand the logic. Passwords containing dictionary words, spelled forward or backwards, are easy for a computer to guess. A 16-character password containing an 8-character dictionary word is, in effect, a 9-character password: the word is a single pick from a wordlist, not 8 independent characters. You guess every possible dictionary word, along with every possible character combination for the remaining 8 characters. Disallowing the dictionary words shrinks the pool of possible passwords, so you lengthen the password requirements to make up for it. It could be the original target was 12 characters, so they lengthened it to 16 in order to keep the password strength where they wanted it.
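As an added example (not from the post or from the researcher it links to), here is a small policy checker that applies the rules above and computes that effective length, counting a dictionary word found forward or reversed as one guessable token. The wordlist is a constructed stand-in for a real dictionary file, and the sample passwords are the ones quoted in the post.

```python
import string

# Constructed toy wordlist; a real checker would load a full dictionary file
# (assumption, not part of the original post).
WORDLIST = {"linkedin", "password", "qwerty", "welcome", "dragon", "monkey"}
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# Row walks plus row-to-row zigzags (1q2w3e4r...), matched forward or backward.
KEYBOARD_SEQS = ROWS + ["".join(a + b for a, b in zip(x, y)) for x, y in zip(ROWS, ROWS[1:])]

def find_dictionary_words(password, wordlist=WORDLIST, min_len=4):
    """Every wordlist entry found in the password, spelled forward or backward,
    case-insensitive: a sorted list of (start, end, word, reversed)."""
    low, hits = password.lower(), []
    for word in wordlist:
        if len(word) < min_len:
            continue
        for candidate, flipped in ((word, False), (word[::-1], True)):
            idx = low.find(candidate)
            if idx != -1:
                hits.append((idx, idx + len(candidate), word, flipped))
    return sorted(hits)

def has_keyboard_pattern(password, run=4):
    """True if any 4-key walk along the keyboard appears; shifted symbols
    (!@#$) are mapped back to their digits first so !Q@W is caught as 1q2w."""
    norm = password.lower().translate(UNSHIFT)
    return any(seq[i:i + run] in norm or seq[i:i + run][::-1] in norm
               for seq in KEYBOARD_SEQS for i in range(len(seq) - run + 1))

def effective_length(password, wordlist=WORDLIST):
    """Characters left to brute-force once each dictionary word (forward or
    reversed) is counted as a single token: 16 chars with an 8-letter word -> 9."""
    remaining, last_end = len(password), 0
    for start, end, _, _ in find_dictionary_words(password, wordlist):
        if start < last_end:          # overlaps a word already counted
            continue
        remaining, last_end = remaining - (end - start) + 1, end
    return remaining

def check_policy(password, wordlist=WORDLIST):
    """Apply the post's rules; returns the list of violated rules (empty = passes)."""
    problems = [] if len(password) >= 16 else ["shorter than 16 characters"]
    classes = {"uppercase": str.isupper, "lowercase": str.islower,
               "digit": str.isdigit, "special": string.punctuation.__contains__}
    for name, test in classes.items():
        if sum(1 for c in password if test(c)) < 2:
            problems.append(f"fewer than 2 {name} characters")
    if has_keyboard_pattern(password):
        problems.append("contains a keyboard pattern")
    for _, _, word, flipped in find_dictionary_words(password, wordlist):
        problems.append(f"contains dictionary word {word!r}" + (" reversed" if flipped else ""))
    return problems
```

Running it on m0c.nideknil reports the reversed word and an effective length of 5, while the post's j*g^P0]b!6Qx$7Hn passes every rule at its full 16.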

Now, I’m not certain she was aware that this was a good idea. Other people I worked with at the time would argue she was not. If she was aware of it, she would have picked up some much-needed goodwill if she had spent five minutes at the whiteboard explaining why she implemented the policy the way she did.

Those of us who were having to remember passwords like j*g^P0]b!6Qx$7Hn still wouldn’t like it, but at least we would understand. Being a good security person doesn’t mean you have to enjoy your users’ suffering.