Insights For Success

Strategy, Innovation, Leadership and Security

password

SCrypt vs PBKDF2: A Comparative Analysis for Security Professionals

General | Edward Kiledjian

Key derivation functions such as SCrypt and PBKDF2 are used to turn a user's password into a cryptographic key that can be used to encrypt and decrypt data. The two algorithms are designed to be computationally expensive, making brute-force attacks on large lists of passwords difficult.

SCrypt and PBKDF2 differ significantly in the manner in which they generate keys. To generate keys, PBKDF2 applies a cryptographic function (such as SHA-1 or SHA-2) repeatedly to the password and a salt value. If the number of iterations is increased, the process will become more computationally expensive, but it will also take longer to generate a key.

SCrypt, on the other hand, generates keys using a method called "memory-hardness." A large amount of memory is used to perform calculations, making it more challenging for attackers to use specialized hardware (such as GPUs) to perform brute-force attacks. In addition, SCrypt allows users to specify a larger salt value, which increases the number of possible keys that can be generated and makes precomputation attacks more difficult.

Memory-hardness is a property of specific cryptographic algorithms that makes them computationally expensive to run, specifically in terms of memory use. Using memory-hardness, the algorithm becomes more resistant to attacks utilizing specialized hardware, such as graphics processing units (GPUs) or application-specific integrated circuits (ASICs), capable of performing many calculations simultaneously and optimized for specific purposes. By increasing the memory requirements of the algorithm, it becomes more difficult for attackers to perform brute-force attacks on these types of hardware.

Another difference between SCrypt and PBKDF2 is the number of iterations recommended. While PBKDF2 recommends a minimum of 600,000 iterations for adequate security, SCrypt does not make such a recommendation. Instead, SCrypt's work is determined by a cost parameter, which can be adjusted to increase or decrease the computational cost.
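To make the two cost models concrete, the following added example (not code from the original post) derives keys with Python's `hashlib` and reports the time and approximate memory each setting needs. The function names, the sample password and the chosen N values are assumptions made for illustration; the 600,000 figure is the one cited above.

```python
import hashlib
import os
import time

def scrypt_table_bytes(n: int, r: int) -> int:
    """Size of scrypt's main lookup table: 128 * N * r bytes."""
    return 128 * n * r

def derive_scrypt(password: bytes, salt: bytes, n: int, r: int = 8, p: int = 1) -> bytes:
    # OpenSSL rejects parameter sets above its 32 MiB default limit, so the
    # limit is raised explicitly to twice the table size for headroom.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_table_bytes(n, r), dklen=32)

def derive_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Cost grows with the iteration count only; there is no large table.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def cost_report(password: bytes, salt: bytes, n_values=(2**12, 2**14, 2**16)):
    """Return (label, seconds, table_bytes) rows; table_bytes is 0 for PBKDF2."""
    rows = []
    start = time.perf_counter()
    derive_pbkdf2(password, salt, 600_000)
    rows.append(("pbkdf2 600000 iterations", time.perf_counter() - start, 0))
    for n in n_values:
        start = time.perf_counter()
        derive_scrypt(password, salt, n)
        rows.append((f"scrypt N={n} r=8 p=1",
                     time.perf_counter() - start, scrypt_table_bytes(n, 8)))
    return rows

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample input
    for label, secs, mem in cost_report(b"correct horse battery staple", salt):
        print(f"{label:28s} {secs * 1000:8.1f} ms  ~{mem // 2**20} MiB")
```

Doubling N doubles both the time and the memory scrypt needs, while raising the PBKDF2 iteration count increases time alone.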


Keywords: SCrypt, PBKDF2, key derivation function, security, password, encryption, decryption, cryptographic key, brute-force attack, memory-hardness, iteration, salt value, precomputation attack, cost parameter, specialized hardware, threat model, security professionals, use case.

What is PBKDF2?

General | Edward Kiledjian

You have probably read about PBKDF2 if you have read any article discussing the LastPass hack or reviewing the security of a password manager. For non-technical readers, I wanted to write a quick explanation.

PBKDF2 (Password-Based Key Derivation Function 2) is a widely used method of protecting passwords.

A key derivation function such as PBKDF2 is designed to make it more difficult for an attacker to crack a password, even if they possess the hashed password value. This is accomplished by adding a "work factor," or iteration count, to the password hashing process. Iteration count refers to the number of times the hashing function is applied to the password, making cracking the password much more computationally costly.

PBKDF2 is widely used in a variety of applications, including online services, financial systems, and mobile devices.

With PBKDF2, the user's password is concatenated with a salt and the iteration count, and the result is then hashed using a cryptographic hash function such as SHA-256. The salt, the number of iterations, and the resulting hash value are then stored in a database. Upon logging in, the system uses the same salt, iteration count, and hash function to compare the entered password with the stored hash. The user is granted access if the values match.
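The store-and-verify flow described above, as an added example that is not part of the original post. It uses Python's `hashlib.pbkdf2_hmac`; the `scheme$iterations$salt$hash` record layout and the function names are assumptions made for illustration, and the default iteration count is the 600,000 minimum cited on this page.

```python
import base64
import hashlib
import hmac
import os

TARGET_ITERATIONS = 600_000  # minimum cited on this page; tune for your hardware

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Return the record to store: scheme$iterations$salt$hash (hypothetical layout)."""
    salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(dk)])

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # malformed record: wrong field count, bad number or base64
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str, target: int = TARGET_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current target."""
    return int(record.split("$")[1]) < target

if __name__ == "__main__":
    old = hash_password("constructed-sample-password", iterations=100_000)
    print(old)
    print(verify_password("constructed-sample-password", old))
    print(needs_rehash(old))
```

Storing the iteration count next to the hash is what lets a service raise the work factor later: records below the target are re-hashed the next time the user logs in successfully.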

It is important to use a strong and unique password and keep the salt and hashed values secure. Even though PBKDF2 is considered a strong method, more advanced key derivation functions such as bcrypt and scrypt are now available and recommended where more stringent security is required.

Keywords: PBKDF2 (Password-Based Key Derivation Function 2), Password protection, Key derivation function, Hashed password, Iteration count, Cryptographic hash function, SHA-256, Password storage, NIST guidelines, Security, Encryption, bcrypt, scrypt, Work factor, Data privacy, Information security

How to protect your online accounts from breaches

General | Edward Kiledjian

Here's a personal suggestion that will help secure your online accounts and notify you if a service has been breached.

You should first use a good password manager. I personally use 1Password. Try BitWarden if you want a free open-source alternative. Start using a unique and complex password for every site you log into online.

The majority of users will use a long and unique password for each site, then log in with their "main" email address. This is good, but it is better to use unique masked email addresses for each site.

How do you create unique email addresses for each login?

  1. If you live in the Apple Ecosystem, you can use their free Hide My Email functionality. In spite of the convenience, ease of use, and reliability of this method, you end up locked into Apple's ecosystem even more. Depending on your situation, this could be an ideal solution or a problem.

  2. AnonAddy is another option for anonymous email forwarding. A free and open-source project, AnonAddy can be self-hosted or you can purchase their hosted service (tiers include free, $1 a month for their light service, and $3 a month for their pro service). If you trust AnonAddy, it is a reliable and cheap service. Third-party services (not Apple or Google) also free you from ecosystem lock-in. I tested their service for six months and found it to be very reliable.

  3. The final option is to use a service other than Google that provides masked email addresses. One of my email services is Fastmail, and I often use their masked email service directly or through 1Password.

 I have a number of web domains I can use to generate the masked emails, but one of the keys here is to blend in (so I use @fastmail.com or one of the generic domains offered by other services). The reason I do this is to prevent attackers that obtain a website's user list from tying it back to me (easily).

Summary

Each site I access has its own masked email address and a machine-generated password that is long and complicated. I also use 2-factor authentication if it is available.

As soon as I start receiving strange emails on one of my masked addresses, I know the site has either sold my information or a hacker has breached their site (and they may not even be aware of it yet). In the last year, I have detected and notified 2 businesses of breaches.

Billions of passwords, files and cookies were leaked

General | Edward Kiledjian

I have written about general user security several times over the last years, and the recipe is always the same: 

  • Install a good anti-malware product

  • Make sure your applications and operating systems are patched

  • Don't click or open unexpected or unknown links/attachments.

Even with the best practices, there is malware that is stealthy enough to avoid detection.

Recently, security researchers from NordLocker followed a trail left by sloppy hackers. To everyone's surprise, they found 1.2TB of files, cookies, 900K images, 600K Word files and credentials stolen from over 3M computers. The data was obtained through malware that stole data from user desktops and downloads folders.

  • The data is relatively fresh, and ~30% of the cookies were still valid.

  • 1M website logins, including the 4 horsemen of the internet: Amazon, Facebook, Twitter and Gmail.

So what next

The malware is stealthy and cannot be easily detected by antivirus products. 

However, the information has been added to the Have I Been Pwned service.

As previously described, you visit the site, enter your email address, and it will tell you if you are part of this breach (or any other).


How do you protect yourself in the future?

  • Use long unique passwords for each site with the credentials stored in a good password manager (like 1Password and BitWarden)

  • Use a good reputable antivirus, update your software and operating system.

  • Make sure you regularly delete your cookies. I have written about extensions that automate this in the past.

  • Install a good anti-malware product

  • Make sure your applications and operating systems are patched

  • Don't click or open unexpected or unknown links/attachments.



What do you do if your password was hacked?

General | Edward Kiledjian

This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.

I wrote this post to help the average consumer user.

Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be part of the unlucky, how do you know if your information was leaked in a breach?

Was my information leaked in a breach?

First, check Have I Been Pwned (HIBP)

Security researcher Troy Hunt has created this free resource to check if your email address was part of any known breach.

You simply enter the email address you used to register for most sites and it will give you a green sign (you are not in any data breach) or a red sign (your email was found in a data breach).

HIBP does not store any emails you use to search for breaches, unless you sign up for their automatic notification service. By listing the sites that leaked your credentials, you can determine what other sites may now be at risk (because the majority of you reuse passwords).

Second, you may want to check out another similar service operated by the non-profit Mozilla Foundation called Firefox Monitor.

This works the same way as HIBP. You enter your email and press check. Similar to HIBP, if your email address was in a known leak, they will list the sites (or breaches).

The third source you can check is a site called Cybernews.

Like HIBP and Firefox Monitor, you enter your email address and the site returns a list of breaches your information was found in.

Unlike the others, this one does not provide a list of the breaches (or number) your information was found in. This could be a good third check.

I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.

BIG IMPORTANT WARNING:

If these sites do not find your information in a known breach, it does not mean you are safe. There are probably hundreds or thousands of breaches that occur each year that go unannounced and therefore these sites cannot catalog that information. Always be careful and we will provide some extra insight later in this article.

Be aware of weird account activity

As mentioned above, not being included doesn’t mean you are safe. So always be vigilant with your online accounts. Sites or services with good security controls will detect anomalous activity related to your account and will email you. Examples include receiving a password reset link that you didn’t request, or a site emailing to ask if you have logged in from a location you didn’t log in from (you log in from the USA but the email says someone from Prague attempted to log into your account). Gmail does this (for unusual browsers, IP addresses or geographic locations).

Sometimes when accounts are taken over, the attacker will change the registered account email. If you try to log into a service you are registered for and it does not recognize your email address, that is an indication your account was taken over.

Another indicator is strange configurations in your email accounts. Attackers want to get into your email because that is how they can reset service account passwords or delete alerts so you are not tipped off they are trying to break into your account. They can either set up filters in your email (to forward emails of interest to them or mark alert warning emails as read and immediately delete them) or they can set up forwarding of your emails to another email address they control.

The main issue is password reuse

The main issue is password reuse. Most users have a handful of passwords they reuse for all the sites they register on. Once an attacker finds that password, they will try logging into other major services (Facebook, Twitter, Instagram, Gmail, Hotmail, etc.) and will have immediate access.

This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.

  • My favourite password managers (free and paid)

  • five sites to help you generate long, complicated and unique passwords

What do I do if my information was leaked in a breach?

With the quantity and size of breaches, it is likely that your information was leaked in a breach. What do you do now?

  • If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.

  • If you are locked out of your account (it could mean the attackers have done an account takeover), use the reset password functionality to change your password.

  • If you are sure you had a registered account but the system cannot find your email address (when you use the above reset feature), it could mean the attackers have changed the registered email address for your account. You will have to contact the support team for the site in question and explain the situation.

  • Another interesting recommendation you don’t see often is to use multiple email addresses. If you are using a password manager (and you should be by now), then why not create a free email address for different groups of services? Maybe one for online shopping, one for social media, etc.

Good internet password hygiene

  • Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ

  • You can also use a long passphrase (if you are stubborn and don’t want to use a password manager) but make it unique for each service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!

Most sites use a technique called hashing to store user passwords. This means that they don’t store your password but a mathematically derived result and hackers have to “crack” the hashes to reverse them back to passwords. This cracking function is done with trial and error and is impractical for long and complex passwords. So even if your data is leaked in a breach, they may not be able to reverse the hash and your account may end up being “safe” if you use long and complex passwords.

  • Never reuse a password for multiple sites.

  • Whenever possible, use two-factor authentication to add additional security to your account.

There is a great free site called twofactorauth that has an exhaustive list of sites that allow users to leverage 2-factor authentication and even provides a link to the info page on how to turn it on for many of those sites.

The most secure is using a hardware token (my favourite tokens are the YubiKey ones) and the least secure is SMS. If you are curious why SMS isn’t secure, I wrote an old article about the SS7 attack.

If you choose to use a software token, the one I recommend is Authy by Twilio. Authy is free, cross-platform and incorporates good security protection features.