New Password Crack Could Affect Millions: Report
Two security researchers say they've managed to prove a long-standing theory about how hackers breach online security. It involves taking advantage of a split-second difference in how long a server takes to verify a password. The exploit could affect millions of online users, as it involves two login schemes which have been widely adopted by large corporate sites. (Source: computerworld.com)
Timing Attack is Key to Exploit
The technique in question is known as a timing attack. It works on the basis that some password-protected systems will automatically reject an incorrect password as soon as they find a single incorrect character, rather than continue checking the whole password.
This means a password which has the first character wrong will be rejected faster than one which has the first character correct and the second character wrong. A hacker guessing passwords at random could soon figure out when they had the first character correct and then concentrate on getting the second character correct, and so on.
This drastically reduces the number of combinations and time it takes to crack a password.
Network Jitters No Longer An Issue
Researchers Nate Lawson and Taylor Nelson say they've managed to repeatedly succeed in launching a timing attack. They told the IDG news service that the biggest step in doing so was developing an algorithm (a method) which filters out the moment-to-moment variation in network connection speed (jitter). Without this step, it would be difficult to reliably time the response from a password verification system. (Source: infoworld.com)
The timing attack only works on systems that reject the password immediately upon finding an incorrect character. Lawson and Nelson have informed system developers and have promised not to reveal their details until a fix is in place, which they say simply means tweaking the system to take the same time to respond to every password attempt.
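The early-exit check described above, side by side with the fix the researchers describe, as an added example that is not code from the article or from Lawson and Nelson. It counts the bytes each comparison examines as a stand-in for the response time an attacker would measure, and the function and variable names are this example's own.

```python
import hmac
import hashlib


def early_exit_compare(stored: bytes, candidate: bytes) -> tuple[bool, int]:
    """Vulnerable comparison: stops at the first mismatching byte.

    Returns (equal, bytes_examined). The work done grows with the length of
    the correctly guessed prefix, which is exactly what a timing attack
    observes once network jitter has been filtered out.
    """
    if len(stored) != len(candidate):
        return False, 0
    examined = 0
    for s, c in zip(stored, candidate):
        examined += 1
        if s != c:          # early exit: the leak
            return False, examined
    return True, examined


def constant_time_compare(stored: bytes, candidate: bytes) -> tuple[bool, int]:
    """Fixed comparison: examines every byte no matter where the mismatch is.

    Differences are accumulated with XOR/OR so the loop never exits early
    and every wrong guess costs the same amount of work.
    """
    if len(stored) != len(candidate):
        return False, 0     # the length of a token/tag is public anyway
    diff = 0
    examined = 0
    for s, c in zip(stored, candidate):
        examined += 1
        diff |= s ^ c
    return diff == 0, examined


def leak_profile(stored: bytes, guesses: list[bytes], compare) -> list[int]:
    """Work done per guess, as an attacker timing responses would see it."""
    return [compare(stored, guess)[1] for guess in guesses]


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over a request, as a signed-request scheme would use."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_signature(key: bytes, message: bytes, tag: bytes) -> bool:
    """Production-grade check: the standard library's constant-time compare."""
    return hmac.compare_digest(sign(key, message), tag)
```

Run `leak_profile(b"secret", [b"xecret", b"sxcret", b"sexret"], early_exit_compare)` and the counts climb 1, 2, 3 with each correctly guessed character; the same call with `constant_time_compare` returns 6 every time.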
OAuth and OpenID Systems Affected
It has been reported that the systems affected include those used by the OAuth and OpenID schemes, by which a single login and password at one web site are used to gain access to multiple other web sites. Many major names are involved in the scheme, including Google, Yahoo, Facebook and AOL. (Source: openid.net)