Peter Nixey

@peternixey

So Dropbox got hacked

Websites who have accidentally leaked my email/password in the past

News out that this week that all of Dropbox’s email addresses and passwords were hacked about four years ago. Bummer. Were you one of those people? Well if you had a Dropbox earlier than 2012 then yes. If you’re unsure then go to https://haveibeenpwned.com and you can check.

So you’ve changed your Dropbox password now? Good, well done. Dropbox is now safe again for you. Quick question though — was that the only place you used that email/password combo. You know, matt99@gmail.com / monkey, Or did you use it for Amazon / Apple / Gmail or any of your other accounts.

Before we go any further let me say that in this case you are probably safe even if you did. This is because Dropbox carefully encrypted your password. But treat this as a fire-drill because this is not always the case. Dropbox was hacked as a result of an earlier hack on LinkedIn. The LinkedIn passwords were not all securely encrypted and one of them belonged to a Dropbox employee who had used the same username and password inside the Dropbox company network. It was that password which was used to get into the Dropbox network and then to get access their database and passwords.

Now I’m about to explain to you in very simple terms how a website encrypts your password and why it makes a difference when you use a strong one.

Are you listening? Good then I shall begin.

So this is the big problem. People use the same passwords everywhere. Which means when there is a data breach like this, the passwords can often be used elsewhere (like the LinkedIn ones were). And what hackers do when millions of passwords get hacked is to try them en-masse against interesting sites where they can make money, like Amazon and Apple and Paypal. Or use them to hack into company networks like Dropbox. Or yours.

If you used different passwords everywhere then all they’ve got access to is the original site that was hacked. But if you don’t then all of a sudden your Apple, Amazon and Paypal accounts are all hacked too. All because one employee in Silicon Valley used the same password at two websites. Scary huh?

How a website secures your your password

When you sign up to a website and set a password, the site stores that password so it can check it next time you come back. This happens in one of three ways:

It stores it without encryption (very bad)

This is a just like writing it down in a spreadsheet with no password protection. This is super insecure as when someone gets access to the spreadsheet they literally get your password. There are plenty of old or budget sites that still do this so always expect the worst. The hacker doesn’t need to do anything to decrypt your password. They just find them and then sell them on the darkweb to people who will monetise them.

It encrypts it using a simple form of encryption (better)

This is one step better. Your password is now encrypted which makes it hard to see what the original was. Encryption is hard to undo and computationally expensive.

Well except not so much now… That used to be the case until one day some dude said — hey, why don’t I encrypt ALL OF THE WORDS and then I’ll have a big table of words + encrypted_words. I don’t need to bother decrypting a password any more I just look up the encrypted version and see what the original was. This is what’s called a rainbow table.

A rainbow table showing the encrypted password (hash) and the original version (clear)

These rainbow tables list all common words and passwords along with their encrypted versions and then let someone look them up the other way around. So let’s say you’re a hacker and you’ve got yourself the encrypted version of a password: d0763edaa9d9bd2a9516280e9044d885. All you need to do is take that and go to a site like Crackstation where you can paste it in (try it it works) and it’ll look it up and tell you what the original password was. That’s the encrypted version of the word monkey.

You found me

It encrypts it using a salt (best)

Rainbow tables don’t cover all of the possible letter and number strings in the world — it would just be too hard to do and take too much computing power (and would also be impossible). So they have to do only a limited selection of letter and number combinations — like all words or phrases. The reason rainbow tables work is that most people use simple passwords. And many people use AWFUL passwords.

The top 10 passwords of 2015 were:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

(monkey was down six at #18)

Now remember a rainbow table is made by going through a list of passwords, encrypting them in advance (time consuming) so they can be looked up (quickly) later. However there isn’t the computing power or the disk space to create a table of all possible number and letter combinations. So a rainbow table only covers the spectrum of passwords the originator had the budget to encrypt.

The next step up in making your password less hackable is to make it less likely that the rainbow table will contain it. You do that by making using a longer or less common password (I’m sorry but football?). Or… the website can do this for you. They do this by generating a big fat random letter/number combination and stick it on the end of your password for you before they use it.

Every time you create a password at a website that does this, the site will also create a random string for you — say 51dc30ddc473d4. It then adds that string to your password so it becomes monkey51dc30ddc473d4 and then it encrypts it.

When you next log in it does the same thing again. It takes the password you submitted, “monkey” and adds it to the salt (which it stores separately), “51dc30ddc473d4” , encrypts the combination of the two of them and checks the result against the stored, encrypted version. If it matches the site lets you in.

Your password: monkey
Salt: 51dc30ddc473d4
Password and salt: monkey51dc30ddc473d4
Encrypted version
11EC055CD41848A7D684E104525C8439

Now try entering this at Crackstation. It won’t find it. Because the dude who created the rainbow tables didn’t originally try encrypting monkey51dc30ddc473d4 because that would have just been too expensive (literally a lot of computing cost).

So the point of this is that it basically makes it too expensive to generate a lookup table that will let you unwind the password/salt combo (remember computers may be fast but they cost money).

For the love of god use a password manager

The long and short of all of this is that when a big site gets hacked and passwords get released, hackers can unwind those encrypted passwords to get the originals. And then they try them at all the other big sites. So if you were part of the LinkedIn hack and used the same password at Amazon a hacker is going to be able to use your LinkedIn username/password to get into your amazon account.

I would say you should consider getting a password manager. But you shouldn’t consider it. You have to get one. And if you don’t then you’re putting your head in the sand deeper than a Trump-voting Brexiter. So stop queueing up to buy Nigel a pint at the bar, shake the sand out of your toupé and pay attention for a minute.

1Password is the manager I and lots of other people I respect use and it has three big benefits:

1. It makes it easier to enter passwords

It works on OSX, Windows and on your mobile device. There’s are great Chrome and Safari plugins as well as an iOS and Android app that makes it easy to use on mobile. You just push a button to enter your username and password at a website. On iOS it uses thumbprint login. It’s sweet.

2. It makes it easy to create different passwords for different websites

The way to make yourself more secure to breaches is to use different passwords everywhere. That way when one website gets hacked it’s firewalled from all of your other website accounts. If you have to remember passwords then that gets really hard but if you have a password manager it’s trivial.

3. It helps you generate secure passwords that are harder to crack

Every time you come to a new site 1Password will offer to generate a new super-secure password for you, like : LzD9p]hpaFVGh3=f+. Which you are unlikely to find in many Rainbow tables.

See whether you’ve already been hacked

Still not convinced of the risk? Go to https://haveibeenpwned.com/ it will tell you whether a site with your email address has ever been part of a database breach. Mine has at least 4 times — Adobe, Dropbox, LinkedIn and Tumblr have all had a user/password from me when their databases were cracked.

Do yourself a favour and invest in a password manager and in gradually converting your existing accounts to using different unique passwords. You don’t have to do it all in one go and it makes life easier in the short term (so nice not having to remember passwords) and safer in the long term. https://1password.com/ (I get nothing if you sign up — just doin’ this to share the love)

Website that shows you whether your email was compromised in a hack: 
https://haveibeenpwned.com/

Password Manager that protects you
https://1password.com/

Great story Peter — who are you?

Nice of you to ask. I’m the founder of Copyin.com which is re-engineering how email groups and email distribution lists work inside companies. If you’re interested then get in touch.

Next generation email groups
Topics of interest

More Related Stories