106

My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:

  • Is my understanding wrong, or has my university been storing my password in plaintext?

UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it.

bad_coder
  • 129
  • 4
GB1553
  • 833
  • 2
  • 5
  • 8
  • 45
    Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak? – DarkMatter Mar 05 '19 at 18:16
  • 4
    could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :) – DarkMatter Mar 05 '19 at 18:30
  • 4
    I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters. – GB1553 Mar 05 '19 at 18:33
  • 49
    Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt. – TurkuSama Mar 05 '19 at 18:13
  • 2
    Please do not use comments for extended conversations – schroeder Mar 06 '19 at 15:41
  • 1
    I suggest another possible explanation- nobody hacked anything and they are basing they warning simply on consequential evidence. Did you create your password a long time ago maybe when the requirements were easier ? Maybe they discovered a weakness in their password strength verification that was present when you created your password ? – Rsf Mar 06 '19 at 14:03
  • 13
    Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text. – user3067860 Mar 06 '19 at 19:42
  • 2
    @user3067860 which is why i use phrases that are particularly insulting towards individuals, etc as part of my password. Nice and strong, so the usual rippers, etc shouldn't score a hit, and if they store it plain text I've not yet been called to HR over it :) – ivanivan Mar 06 '19 at 23:31
  • 3
    @GaryBlake wrote "explaining the ways they check..." and "allowed me to run the tests"... What are those ways, and what tests did you run? Was it a test that just retrieves your plain-text-stored password and shows it to you, or was it a tool that attempts a brute force password guessing, or what was it? If they have a tool that easily brute-force-cracks XKCD style passwords, that is something we should know about. – Aaron Mar 07 '19 at 15:44
  • @Aaron People have been cracking such password for much longer than the xkcd comic has existed, with current research even considering grammar and sentence structure to reduce the search space. This is really nothing new. See e.g. [this](http://www.jbonneau.com/doc/BS12-USEC-passphrase_linguistics.pdf) paper for just one example. If you're using passphrases don't pick SVO sentences with proper grammar if you want to avoid any weakness (although in practice pass phrases are still stronger than your average random char password even in that situation) – Voo Mar 07 '19 at 16:41
  • 1
    @GaryBlake, you write in your update that you saw your old password. This means that yes, they are storing students' passwords in plaintext. Maybe not their current password, but since people usually reuse their passwords, they probably have a few students' bank logins there in plaintext. Please go complain. – Ghedipunk Mar 07 '19 at 19:02
  • 2
    @Aaron If your password has any "grammar and sentence structure" to it, at all, then that's really not an "XKCD-style" password, as the whole point of that comic was to recommend selecting several words *at random*, and then easily create a mnemonic from them. If you're making the mnemonic first, then turning it into a password, you've missed the point every bit as badly as the idiots still enforcing special characters and the like. – Matthew Najmon Mar 07 '19 at 22:06
  • 1
    @GaryBlake Did you follow the XKCD format properly? For example, selecting the words via actual random selection (or at least via a good, strong pseudorandom method, since true perfect randomness is pretty much impossible to generate)? If you did, then yea, anything claiming to have cracked that is either just lying outright about having done that, or is attacking weaknesses in their system, not weaknesses in your password. If you did it by just picking four words that you like, then you need to go back and reread the comic, and pay a bit closer attention to the details this time. – Matthew Najmon Mar 07 '19 at 22:10
  • 2
    "which explains how they were able to find it." I'm not sure this is correct - if you had 2 words, yes it would be fairly trivial (maybe 4 millionish guesses, which isn't much for a decent computer) but if it was 4 words, it should have been much harder than they could reasonably crack. – corsiKa Mar 08 '19 at 02:50
  • 2
    @MatthewNajmon it may also be a lamebrained management that thinks "correct horse battery staple" is a terrible password because it contains no caps, numerals or specials. I have a correct horse battery staple passgen, and I made it add caps, numerals and a dash just to satisfy these lamers, and then, Paypal complained because a dash isn't special enough. SMH... – Harper - Reinstate Monica Mar 08 '19 at 03:55

7 Answers7

180

Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.

Mike Scott
  • 10,118
  • 1
  • 27
  • 35
  • 3
    @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything. – kasperd Mar 06 '19 at 08:15
  • 5
    @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly. – forest Mar 06 '19 at 08:23
  • 1
    @forest Exactly my point. – kasperd Mar 06 '19 at 08:25
66

As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.

Actually, there is: cracking.

There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.

To quote this article about John the Ripper:

How you decide to use John is up to you. You may choose to run it on all the password hashes on your system regularly to get an idea of what proportion of your users' passwords are insecure. You could then consider how you could change your password policies to reduce that proportion (perhaps by increasing the minimum length.) You may prefer to contact users with weak passwords and ask them to change them. Or you may decide that the problem warrants some sort of user education program to help them select more secure passwords that they can remember without having to write them down.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 1
    But if the institution runs a decent password hashing algorithm like bcrypt or PBKDF2 even this should not be practical - it would take too much processing power. Isn't that correct? Say if they check each password against 100,000 simple passwords, they'd struggle to do more than a few passwords each day under constant CPU load. – thomasrutter Mar 07 '19 at 23:55
  • 3
    @thomasrutter if all you're trying to do is skim the "simple" passwords off the top, the difference in cycles between DES and PBKDF2 isn't as massive as it is for a full brute force attack. Again, it's a self-defining issue; anything guessed _in that time_ that Admins had CPU enough to throw at is "crackable", which doesn't tell anyone anything meaningful about what lurks past that... This is a controversial method because it makes admins feel good and, sometimes, powerful; it does not always lead to measurable improvement in users' habits. – gowenfawr Mar 08 '19 at 02:22
  • 2
    @thomasrutter what would your expected time to validate a single password be in your case? Are you talking about a complexity setting which requires the whole machine for multiple seconds? Do you think that can be used in practize? (Let alone is there an actual user directory compatible with kerberos and/or AD which would use that?) – eckes Mar 08 '19 at 14:18
  • The algorithms are scalable so you can essentially choose the processing cycles that you want to be spent each time, I have in my head that usually you make it take a bit under a second to compute on an average single CPU, but these are mere ballparks and there are legitimate arguments to making it faster even by 10x or 100x. – thomasrutter Mar 18 '19 at 23:31
39

Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.

You give them your password as plaintext every time that you log on.

If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.

They can also check the password strength when you're logging in if they are using a single-sign-on service.

However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.

And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.

And while you're talking to the university's IT department, ask them about 2-factor authentication.

Ghedipunk
  • 5,766
  • 2
  • 23
  • 34
  • 34
    `You give them your password as plaintext every time that you log on` - Unless they extract this from memory from the host (which I would say is _highly_ unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits. – DKNUCKLES Mar 06 '19 at 00:15
  • 10
    @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.) – Loren Pechtel Mar 06 '19 at 01:13
  • 7
    @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited. – DKNUCKLES Mar 06 '19 at 01:17
  • 17
    @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak. – Loren Pechtel Mar 06 '19 at 01:27
  • 11
    If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in. – Gremlin Mar 06 '19 at 14:34
  • 4
    So we're assuming some convoluted conspiracy theory (if your computer is in a domain they could certainly install a keylogger that logs your password) instead of the obvious solution of running some password cracker tool over the hashes stored in the domain/database? Well.. sure they could go through all the effort, but it seems silly to make that the standard assumption. – Voo Mar 06 '19 at 14:54
  • @DKNUCKLES, thank you for your feedback. I've updated the answer to clarify that the most likely source of this type of access to the plaintext password is online apps where the site owner has access to the source code. – Ghedipunk Mar 06 '19 at 16:44
  • 1
    @LorenPechtel The OP's update makes it clear that it was retroactive, the password was an old one that they no longer use. – user3067860 Mar 06 '19 at 19:36
  • 1
    @user3067860 With that update it's very likely they have a security problem. – Loren Pechtel Mar 07 '19 at 03:41
  • 6
    I've upgraded a system storing MD5 passwords to a more secure method by intercepting passwords on login, as described in this answer. So the idea of intercepting the password as it is being used for login is neither novel nor unheard of. – dotancohen Mar 07 '19 at 15:15
  • 6
    @Voo It doesn't require a keylogger. The password is not converted to its final form on the client, but rather on the server. And many services allow configurable authentication modules, so you can swap out old authentication systems and swap new ones in. It would not be a big deal for someone who knows what they are doing to swap in a system which is a wrapper for the normal system which does something with the plaintext password before forwarding it on to the real authentication system. – Aaron Mar 07 '19 at 15:58
  • 1
    @Aaron I thought the hyperbole was clear. The point is: There are much easier ways to check for weak passwords that don't require you to change code and come up with some complex scheme for what constitutes a weak password and what doesn't. Some server stores the passwords already and the best way to check if the passwords are weak is to do exactly the same thing an attacker would also do. There are existing tools that do this with virtually no effort for standard systems and it's trivial to use them for your custom system if you have one. – Voo Mar 07 '19 at 16:01
  • In any case just to make it clear: Yes people could intercept all passwords including safe ones, which would be an absolutely awful practice. But this shouldn't be the default assumption imo. There are solutions that work without anything nefarious going on. Doing such password checks is standard procedure in high-risk environments and it's great that an university tries to teach their students about good password practices. – Voo Mar 07 '19 at 16:08
  • @Voo But you can't come in saying everyone needs to assume that what you describe is what is happening. That would be my first guess too, but 1) the question itself is asking about what is going on and if their password is compromised, so the whole point here is to discuss what is likely and what is possible, and 2) the first college I went to actually did (still might) store plaintext passwords and many employees had direct access to look them up - helpdesk often did for forgotten passwords and would tell people via phone. I know because I was later an employee and had access to it too. – Aaron Mar 07 '19 at 18:29
  • @Aaron Oh it's fine to mention the option (it is certainly possible, Knuth knows how many organisations have awful security practices), but the answer to me makes it sound all very nefarious and doesn't mention perfectly valid and safe alternatives. – Voo Mar 07 '19 at 18:33
  • @Voo You give people too much credit. ;) I was always taught to assume that all your users are nefarious (though maybe not good at it) and that whoever designed or developed software you rely on could have been an idiot. Of course, that was from a computer department perspective... of course, that would be a disaster for HR employees or upper management to take on that mentality. – Aaron Mar 07 '19 at 18:48
  • 1
    @Voo, I personally use the Pwned Passwords API when my users reset their passwords to let them know when it's compromised and they should stop re-using passwords... So yes, there are perfectly valid reasons. However, as the question has been updated, OP said they saw their old password, which means the university may not be storing _current_ passwords in plaintext, but they are definitely storing the compromised passwords in plaintext, which indicates incompetence on their part, so I stand by the "they're potentially nefarious/incompetent" insinuation in my answer. – Ghedipunk Mar 07 '19 at 18:55
  • Facebook does exactly what this answer describes. – Navin Mar 09 '19 at 00:48
20

There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.

Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.

While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.

DKNUCKLES
  • 9,237
  • 2
  • 37
  • 47
4

The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it

FYI - no it does not. It depends on the words and their number. Having a few random dictionary words glued together is actually a very good password.

I should have of course linked to the relevant xkcd.

WoJ
  • 8,957
  • 2
  • 32
  • 51
  • 3
    The emphasis is on *random* and assuming a large enough word pool. If it was a grammatically valid SVO sentence the entropy decreases drastically. – Voo Mar 07 '19 at 16:12
  • @Voo: yes of course, this is the whole problem of choosing a good password, which is not "password" or "correchorsebatterystaple". Now, a valid sentence is not a problem in itself, except if your password generation scheme is known (= the attacker knows that you will be building correct noun-verb-adverb sentences). *Ifindmystackoverflowanswersbrilliant* is a great password. – WoJ Mar 07 '19 at 16:18
  • 1
    The attacker doesn't have to *know* it though, they can just try common patterns that see you see again and again. And if you look at common password leaks you'll see that most people who use sentences will use grammatically correct sentences in very specific formats. See e.g. [this paper](http://www.jbonneau.com/doc/BS12-USEC-passphrase_linguistics.pdf) that shows how this can be exploited. So while "Ifindmystackoverflowanswersbrilliant" is probably still more than good enough, the math shown in the xkcd comic does **not** apply to it - the entropy is much weaker. – Voo Mar 07 '19 at 16:25
  • @Voo You can get a bunch of the entropy back by applying a caesar cipher to your phrase though and have it still be relatively easy to remember and type. – Perkins Mar 07 '19 at 18:28
  • 1
    @WoJ except [now that you've posted it on the internet](https://security.stackexchange.com/questions/201210/why-is-gbt3fc79zmmefufj-a-weak-password), it no longer is. – TemporalWolf Mar 08 '19 at 23:34
0

If your university has 2,000 students with 2,000 passwords, they can use a single computer to run a password cracker for 5 minutes for each password every week. If they are able to crack your password then it was weak. If they were not able to crack it then it was at least not unreasonably weak.

Actually, they don't have to try to crack all the passwords, only the new ones, and spend some more time on old uncracked ones. So if there are 200 changed passwords a week, they could spend some more time on the uncracked ones, and say 25 minutes instead of 5 minutes on the new ones.

gnasher729
  • 1,823
  • 10
  • 14
-9

Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 7
    I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption". – Captain Man Mar 06 '19 at 18:23
  • 5
    1: Define *'"security band compliance'*. 2: *"various technical algorithms"* has no meaning. 3: Hint; You can delete your question. – zaph Mar 07 '19 at 01:49
  • 3
    "Passwords are not stored in plain text" That is not true. The first college that I attended did store plain text passwords. In fact, when calling their helpdesk, the support person could (and some of them did) verbally tell you what your forgotten password was since helpdesk employees (and many others) had direct access to the plaintext passwords. I know that it was still that way up until at least a few years ago. – Aaron Mar 07 '19 at 17:00
  • 1
    @Aaron On top of that, *tons* of public sites and services store passwords as plaintext still, in 2019. It's far more common than this answer suggests. – user91988 Mar 07 '19 at 17:14
  • 2
    From context, I think Atul meant "Passwords should not be stored in plain text" – schroeder Mar 08 '19 at 07:58
  • To clarify just want to add that as a good practice password and any sensitive information should never be stored in plan text.However I have seen many cases where this happen just because people who is designing and developing do not care or aware of problems it could lead to.As part of security and audit finding this is much bigger issue and whole application or product can land into issue.Many country has different data protection laws which clearly see this as a bigger problem. – Atul Kumar Mar 08 '19 at 08:11
  • @AtulKumar Just because a law forbids something, it doesn't mean it doesn't happen. You also didn't answer the question. – Ruben_NL Mar 11 '19 at 18:36