Simple extraction of hints might be another nail in the coffin of passwords

The possible purpose is so obvious that he decided to investigate further – and admits to being a little disappointed when he found what appeared to be encrypted user password hints. But something caught his eye. As an experienced malware analyst he is accustomed to the obfuscation methods of the baddies, and thought it looked a bit familiar. It turned out to be a technique he knew – but it wasn’t encryption.

He wrote a simple 8-line Ruby decoder and converted the obfuscated numeric ASCII into the user’s plaintext password hint. Armed with a hint like ‘favourite colour’, the number of probable passwords is reduced from billions or more to just a few dozen – a prime target for simple brute forcing. Since these hints can be easily extracted and decoded, he further concluded that the information would be valuable to penetration testers engaged in password auditing, so he arranged for his process to be added to the Metasploit pentesting tool. It has now been added.
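The article does not reproduce the decoder or the exact storage format, so the following is an added illustration, not the researcher’s code or the Metasploit module. It assumes a simple “numeric ASCII” scheme (each character of the hint stored as its decimal character code, space-separated; a constructed stand-in for whatever Windows actually uses) and shows two things: that decoding needs no key, which is why this is encoding rather than encryption, and a defender-side audit check for hints that give away the password outright. The stored value, the hint text and the sample passwords are all constructed for the demonstration; `decode_hint`, `encode_hint` and `hint_leaks_password?` are hypothetical names.

```ruby
# Added illustration (not the article's decoder). ASSUMPTION: the obfuscated
# hint is a space-separated list of decimal character codes. All sample values
# in this file are constructed.

# Reverse the assumed numeric-ASCII obfuscation. Nothing secret is needed,
# which is exactly why this is an encoding and not encryption: anyone who can
# read the stored value can recover the hint.
def decode_hint(obfuscated)
  obfuscated.split.map { |code| Integer(code, 10).chr(Encoding::UTF_8) }.join
end

# Forward direction, included only to show that the round trip is lossless.
def encode_hint(plain)
  plain.each_char.map(&:ord).join(" ")
end

# Defender-side audit: a hint that contains the password, or a run of min_len
# or more of its characters, collapses the search space to almost nothing.
# The comparison is case-insensitive.
def hint_leaks_password?(hint, password, min_len: 4)
  h = hint.downcase
  p = password.downcase
  return true if h.include?(p)
  (0..p.length - min_len).any? { |i| h.include?(p[i, min_len]) }
end

# Constructed sample: the stored form of the hint "favourite colour".
STORED_HINT = "102 97 118 111 117 114 105 116 101 32 99 111 108 111 117 114"

if __FILE__ == $0
  hint = decode_hint(STORED_HINT)
  puts "decoded hint:      #{hint}"
  puts "round trip intact: #{decode_hint(encode_hint(hint)) == hint}"
  puts "'#{hint}' leaks 'Blue2012'?  #{hint_leaks_password?(hint, 'Blue2012')}"
  puts "'my colour' leaks 'colour1'? #{hint_leaks_password?('my colour', 'colour1')}"
end
```

Run it with `ruby hint_audit.rb`. The point of the audit function is the one the article makes implicitly: a hint that narrows the password to a category (‘favourite colour’) is already a problem, and a hint that contains the password is far worse, so a password policy should reject the latter outright rather than rely on the hint being hidden.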

But Metasploit is a double-edged sword. Just as it is used by whitehats for security auditing, so it is used by blackhats for security exploiting. Access to hints, combined with increasingly effective brute-forcing techniques, provides a strong argument for moving to two-factor authentication rather than the single-factor, frequently broken password method. Google and now Dropbox have already done so.

“If passwords just don’t do the job,” explained Andy Kemshall, technical director at SecurEnvoy, “then people have to turn to multi-factor authentication to help protect themselves. Unfortunately, as a growing number of users of online banking have discovered in recent years, it’s a real pain having to tote a hardware token around with you all the time, especially when you find that – when you really need to check your bank account – you don’t have the token with you,” he said.

Kemshall’s solution is to use the ubiquitous mobile phone to provide that tokenless second factor. “Even if hackers do gain access to a passphrase hint file – those online sessions defended by tokenless 2FA remain 100 per cent protected,” he explained.
