A lesson about password safety

in #hacks · 7 years ago

Hey Steemit!

Today: a lesson about password safety. In my last post, I covered the more beneficial side of hacking, and went over how a university student helped his classmates keep track of registration openings. In this post, we're going to talk about hacking passwords methodically (no rainbow tables involved).

Password Security

Do you think that you have a secure passphrase? That's great! Just don't share it (or anything similar) on the internet, or you could have your account compromised.

One user found this out the hard way.

Enter Michael Lynch, a software engineer with a smart understanding of algorithms and libraries. While messing around on forums earlier this month, he stumbled on a thread where a user was complaining that they were locked out of their Sia wallet. Frustrated, the user posted what they thought their incorrect wallet passphrase was, along with the little tidbit of information that they may have ~US$2,000.00 in the wallet.

I'd imagine that this was the part where Michael spat out his coffee (or whatever he was drinking) and got to work.

The Target

A Sia wallet with an incorrect passphrase.

The Approach

Michael knew that he had little time to act, fired up his IDE and got to work. The user had told the world that they hand wrote their passphrase when it was auto-generated for them, which helped Michael formulate his plan.

For those of you who don't know about Sia: it's a cryptocurrency that revolves around decentralized file storage (that's a really rudimentary description). It's also open-source, which means that its source code is available online. This includes the dictionary of words that is used to auto-generate passphrases.

Can you see where this is going yet?

Using some terminal-foo, Python, and a Python library that was made to measure the difference between two phrases, Michael was able to compare each word of the user's incorrect passphrase against every term in the dictionary. Since the user stated that they wrote the passphrase out by hand, Michael figured that they probably miswrote a word. If he was right, his Python code would be able to pull up a short list of possible alternatives to the passphrase, which he could test out in no time.

He was right.
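The idea described above, as an added example that is not Lynch's code and not part of the original post: each hand-written word is scored by edit distance against a seed dictionary (a small constructed stand-in here, not the real Sia wordlist), and the few near-miss corrections are combined into the phrases that would actually need trying. The `search_space` helper is an assumption of this example, added to show how much a disclosed near-miss gives away compared with guessing blind.

```python
import itertools

# Constructed stand-in for a seed-phrase dictionary (the real Sia wordlist
# is far larger; these entries are made up for the example).
WORDLIST = [
    "abbey", "ablaze", "ability", "absorb", "abyss", "acidic", "adapt",
    "adept", "adopt", "adjust", "afraid", "agenda", "ahead", "aisle", "alarm",
]

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (classic O(len(a)*len(b)) DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def candidates_for(word: str, wordlist=WORDLIST, max_dist: int = 1):
    """Dictionary words within max_dist edits of a hand-written word,
    closest first. If nothing is that close (a badly garbled word), fall
    back to the nearest words so the search can still proceed."""
    scored = sorted((levenshtein(word, w), w) for w in wordlist)
    close = [w for d, w in scored if d <= max_dist]
    return close or [w for d, w in scored if d == scored[0][0]]

def candidate_phrases(written: str, wordlist=WORDLIST, max_dist: int = 1):
    """Every phrase reachable by correcting each written word to a nearby
    dictionary word: the short list a wallet owner would try one by one."""
    per_word = [candidates_for(w, wordlist, max_dist) for w in written.split()]
    return [" ".join(p) for p in itertools.product(*per_word)]

def search_space(written: str, wordlist=WORDLIST, max_dist: int = 1):
    """(phrases to try given the near-miss, phrases to try blind) for the
    same number of words: what publishing an almost-right phrase leaks."""
    n = len(written.split())
    return len(candidate_phrases(written, wordlist, max_dist)), len(wordlist) ** n

if __name__ == "__main__":
    written = "abby adept alarm"   # constructed: "abbey" miscopied as "abby"
    for phrase in candidate_phrases(written):
        print(phrase)
    print("near-miss vs blind:", search_space(written))
```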

The Result

The Sia wallet was cracked with under 100 lines of Python code (if you don't count the length of the dictionary being used), thanks to the user's post. Just like that, Mr. Lynch was able to access another individual's digital wallet. Thankfully, Michael was an ethical hacker, and was kind enough to return the Sia to the user, free of charge.

If he decided to take the money, I doubt we'd be hearing about the story at all!

Take-away

Michael is a real hacker, not just someone who knows how to run a program and press a few buttons to break into a system. He coded an algorithm that searched an incorrect passphrase for its error so that he could find out what the real passphrase was. He used a combination of programming skills and personal interactions to figure out how to crack the password, and was able to do it all within a few minutes.

Passwords are only as secure as the person who made them and the system they're stored on. Michael's more detailed post about his encounter with the Sia wallet owner is here for your reading pleasure (he also shares some of the code he ran and outputs he received, if you're curious).

I'm sure that the wallet owner was incredibly happy not to have been taken advantage of, and I hope they learned their lesson. If you didn't know already (and I'm sure you do, because you're here): make sure you keep your password secret. Don't share even a portion of it with anyone else, or you could end up losing everything.

Like my writing? Give me an upvote, follow me, or let me know in the comments down below! I'm trying to find my voice, and I'd appreciate any feedback you have.


Interesting.

I once learned how to code in HTML but I am too afraid what that would unleash upon the world