James Steidl - Fotolia
Even while one researcher attempted to highlight the need for better password security, other researchers found an opportunity to prove how easily SHA-1 hashes can be recovered.
Troy Hunt is well-known for running the website Have I Been Pwned (HIBP), which compiles data from data breaches in order to allow users to easily check if any of their passwords have been cracked. Hunt wanted to give users "more options" to search their passwords, so he added an option to HIBP allowing users to search the SHA-1 hashes of passwords. This is what Hunt did for nearly 320 million passwords he added to HIBP recently.
Hunt admitted using SHA-1 hashes was not the most secure path.
"What this means is that anyone using this data can take a [plaintext] password from their end (for example during registration, password change or at login), hash it with SHA-1 and see if it's previously been leaked," Hunt wrote in a blog post. "It doesn't matter that SHA-1 is a fast algorithm unsuitable for storing your customers' passwords ... because that's not what we're doing here, it's simply about ensuring the source passwords are not immediately visible."
Both "for research purposes and, of course, to satisfy [their] curiosity while using this opportunity as a challenge," the CynoSure Prime password research collective attempted to recover the SHA-1 hashes used on the passwords dumped by Hunt.
"Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate," CynoSure wrote in its analysis. "In addition, we attempted to take it a step further and resolve as many 'nested' hashes (hashes within hashes) as possible to their ultimate plaintext forms. Through the use of MDXfind [a proprietary hash finding utility] we were able to identify over 15 different algorithms in use across the pwned-passwords-1.0.txt and the successive update-1 and update-2 packages following that."
Kyle Hanslovan, CEO of Huntress Labs, a cybersecurity managed services provider based in Baltimore, said, "The techniques used by CynoSure Prime are not overly sophisticated; thus, it's extremely likely threat actors have done the same. What's most impressive about CynoSure Prime's research is the speed they normalized the data, cracked the hashes and analyzed the results."
Rod Schultz, chief product officer at Rubicon Labs, a provider of secure identity for internet of things based in San Francisco, noted the SHA-1 hashes had not been reversed, and SHA-1 has been deprecated due to "its vulnerability with collisions."
"A hash algorithm maps information to what is supposed to be a unique fingerprint -- a mapping space. When a mapping is found to not be unique, then we call this a collision, as two different pieces of information are now colliding in the mapped space," Schultz told SearchSecurity via email. "It is possible to take a fingerprint and find the original password, reverse the mapping, but only with precomputed tables. This is what the researchers have done, and it's possible because SHA-1 has a mapping space that is no longer big enough."
Experts say SHA-1 hashes don't increase risk
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, a data security software company based in Hawthorne, N.J., said in his own research over the years, he has found that many passwords released by Hunt "were already known about and exchanged on the dark web."
Leigh-Anne Gallowaycybersecurity resilience lead, Positive Technologies
"These were passwords that had already been compromised in real-world breaches, so Troy's [Hunt] call was not just a personal one, but one based on his best judgement having been in the information security field for some time," Gumbs told SearchSecurity. "Any additional measures to obfuscate the information while allowing checks against the data continue to allow some to think that SHA-1 is still acceptable for use. Could Troy have done things differently? Possibly, but the outcome would not likely lead to a renewed conversation about password security."
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, an enterprise security company based in Framingham, Mass., said it's important to remember that "none of the usernames associated with the passwords or the passwords themselves were released by crypto-busters."
"These only become an issue where they are associated with a username or other piece of personal information that could lead to a nefarious individual obtaining the username, which would still require some effort to reverse-engineer," Galloway told SearchSecurity. "In order to obtain the password for a user, you would need to know the salt -- a random piece of data -- used in the generation of the hash itself. Also keep in mind that this data is associated with accounts that have already been potentially compromised and is, therefore, somewhat dated."
Gumbs said SHA-1 has been known "since 2005 to not be a secure mechanism for hashing passwords any longer."
"And since the first proof of concepts that found weaknesses in SHA-1, several more have been produced in the last decade," Gumbs said. "There is no additional risk added by the researchers; in fact, they are likely doing more to bring awareness to the very real and existing risk of continuing to use the hashing function."
Learn how collisions completely break SHA-1 hash function.
Find out what to do when cybersecurity breaches seem inevitable.
Get info on how Mozilla's SHA-1 deprecation will affect enterprise.