security - Has my password been compromised?

07
2014-07
  • Wutnaut

    I just tried to register an account at www.mysonicwall.com (irrelevant) and got this error message:

    This password is publicly available in hacking/security forums and can be easily compromised. Please use a different password.

    My password is a collection of randomized letters including capitals, a symbol, and a number. It will pass any password requirements, so this is solely an issue of exposure.

    Does anyone know what hacking/security forums they check my password against? Can I search well-known password lists for my password? Most importantly, where should I go from here? Should I start resetting all my passwords?

    EDIT: I've contacted customer support for the site and as it turns out, they're having an issue evaluating the strength of passwords. The whole experience has been a wake-up call for my password lifestyle, however, as I've been tweaking the same base password since the 3rd grade (I'm 26 now). I'll be employing KeePass from here on out and will leave the question open for others to learn from my scare. I'll mark the rainbow tables as an answer for now, and will mark another as the answer if it is more comprehensive or demonstrates a safe way to check if your password is floating around the net.

  • Answers
  • Keltari

    Most likely they check the password against publicly known rainbow tables. If the password appears in one of them, they will not let you use it.

    From Wikipedia:

    A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.

    In short, a rainbow table is a database of common and uncommon passwords, converted into various hashes. By having the end result of a password hash, you don't have to use brute force to hack it.

    It's likely your password, as random as you think it may be, is in one of the known rainbow tables. Check this website to see actual rainbow tables.
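    The asker wants a safe way to test whether a password appears in a public leak list without handing the password to anyone. The pattern below is an added example, not code from the thread or from any of the sites mentioned: the client hashes the password locally and transmits only the first five hex characters of the SHA-1 digest, and the matching is done against the returned suffixes on the client's own machine. The "breach corpus" and the range-lookup function are constructed in-memory stand-ins for a real service, so the whole thing runs offline.

```python
import hashlib

# Constructed stand-in for a public breach corpus. A real service holds
# hundreds of millions of digests; these five are only for the demo.
_CONSTRUCTED_CORPUS = ["password", "123456", "qwerty", "letmein", "Summer2014!"]
_LEAKED_DIGESTS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_CORPUS
}


def range_lookup(prefix: str) -> list[str]:
    """Server side of a k-anonymity range query (assumed API shape).

    Given the first five hex characters of a SHA-1 digest, return every
    stored suffix that shares that prefix. With 5 hex characters there are
    about a million buckets, so the server learns neither the full hash
    nor the password, only which bucket the client is interested in.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(d[5:] for d in _LEAKED_DIGESTS if d.startswith(prefix))


def hash_prefix(password: str) -> str:
    """Client side, step 1: the only value that ever leaves the machine."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def password_is_exposed(password: str) -> bool:
    """Client side, step 2: fetch the bucket, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


if __name__ == "__main__":
    for candidate in ["password", "Summer2014!", "xK9#vQ2m$Lp7wZ"]:
        print(candidate, "->", "EXPOSED" if password_is_exposed(candidate) else "not in corpus")
```

    The last candidate is a constructed random-looking string; a "not in corpus" result only means it is absent from this toy list, not that it is strong.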


  • Related Question

    security - Passwords Confidentiality in Windows-based Client Applications
  • kamleshrao

    A password protected (.xls) file created in Microsoft Office can be opened with Open Office.

    How does Open Office recognize the Password created in MS Excel? Isn't this a security concern?

    Similar thing happens between WinZip, WinRAR and 7-Zip.

    Regards, Kamlesh


  • Related Answers
  • Col

    So long as the various applications use the same password algorithm to create the password hash then there is no reason they shouldn't all work. The password itself is generally not stored in the file.

  • ChrisF

    Presumably each of these applications has asked you for the password. If not then that would be a security concern.

    The password is stored in the file in an encrypted form. The method of converting the plain text to the encrypted (or hashed) form is known and implemented in each of the applications. They then compare the encrypted strings and if they match let you open the file.

    It should be very difficult, if not impossible, to take the encrypted string and convert it back into the plain text password - so there is no security risk.

  • DrJekl

    Generally speaking, Office encryption is easily breakable. There are several programs available to compute a password that matches the hash and therefore opens the file. Even though the computed password and actual password may not match, the hash is the same.