Uncategorized

[PoC] Partially random passwords: or how to protect users passwords from keyloggers with partially random passwords

One of the issues we all face when we login to some online accounts especially on public computers, or on any computer that we do not own, is that there is always a risk to get our passwords stolen especially with keyloggers. If a hacker gets a “copy” of your password, she can log in to your account and do whatever she wants.

As always, using 2 factor authentication can mitigate this issue, since the hacker needs to access your phone as well. But what if using 2FA is not an option, and we want to protect the user even in this case, can we detect,when the hacker tries to login, that it is not the real user but rather somebody who stole her password who is trying to log in?

Partially-Random passwords

One solution for this problem is to use partially-random passwords with a random part that is different each time.
What I mean by that is the following:
let’s assume that my password is 123456789, but when I try to login I will not use this password directly, but rather I’d add some random string to the beginning or to the end (or even in the middle) like this:
564564123456789

and when we receive this password (let’s call it the “raw password”), we will strip away the random part and use the remaining part as a password, and we save a hashed version of this raw password in a used_passwords table. And next time the same user tries to login, we check if this raw password (the real password + the random part) was used before, and we deny access to the account if we find it.
The code will look like this:

public function postLogin(Request $request)
    {
        $data = $request->all();

        $email = $data['email'];
        $rawPassword = $data['password'];
        $user = User::where('email', $email)->first();

        $password = $this->getRealPassword($rawPassword, $user);

        if (Auth::attempt(['email' => $email, 'password' => $password])) {
            if (! $this->usedBefore($user->id, $rawPassword)) {
                $this->saveRawPassword($user->id, $rawPassword);
                return redirect('/home');
            } else {
                Auth::logout();
                return redirect()->route('login')->with('authentication-issue', true)->with('used-password', true);
            }
        } else {
            return redirect()->route('login')->with('authentication-issue', true);
        }
    }

What if the hacker knows exactly which part of the password is random?

This is a valid concern, if our hacker knows that a particular website that implements a partially-random password technique is stripping away the first 6 characters each time, she will just do the same and log in to the victim’s account.

The solution to this problem would be to allow the user to chose herself the length of the random part and its position in the password, and each time we attempt to authenticate a certain user we will use her own “rules” (i.e the position and the length of the random part changes from user to user).

We can even add multiple random parts in the same password, which make extracting the real password from any captured password even harder.

And we can even combine this concept of partially-random password with the concept of password-based roles and action I described in my previous article, to add another layer of security to the accounts by triggering some specific actions if the password is used for the second time.

 

You can find the repo (demo) of this concept here:

https://github.com/djug/partially-random-passwords

  • Shadi Habbal

    Interesting idea but is vulerable to different attacks, bruteforcing being the simpler one:

    Let “P” be a relatively long password of 15 chars.
    Let “S” be a random salt of 10 chars.
    Let “H” be the comb of “P.S” with disregard of the offset.

    An attacker can brute-force the login combination with a max of “X” trial-and-errors where: X = (n(n+1))/2-1
    and: n=len(H)

    For (P=15, S=10) => X=324
    For (P=32, S=32) => X=2079

    With Python it was possible to achieve around 1000000 requests in ~10 minutes, so.. you get the idea 🙂

    • djug

      the whole idea is to stop the hacker from the first attempt, and either lock the account or notify the user so she can change her password. especially if you combine this with the concept of Password-Based user roles and triggers/actions I explained in my previous post: http://youghourta.com/2018/02/16/poc-password-based-user-roles-triggers-actions-use-different-passwords-multiple-roles-account/

      besides, any decent authentication would implement a throttling mechanism, or ban a certain IP from trying to login after a certain number of failed attempts

      • Shadi Habbal

        There are always ways to bypass throttling. Yes it could be a good and simple way to detect intrusion attempts, but if you lock the account then you have a Denial of Service issue and if you simply notify the user then I could simply distribute my attacks on lots of IPs at the same time and crack the login in seconds, how would notifying the user help then?

%d bloggers like this: