The above announcement originates from a web forum where users submit password hashes for cracking. Other users reply with recovered passwords. Recovering your own? Well, why not. Recovering 100 million? A reasonable question would be: where did you get those? It's about time to talk about ethics.

I frequently visit forums and websites that discuss password cracking in many forms. Many people participate in such forums, either out of personal interest, for research or for commercial purposes. I've become increasingly aware of users posting large amounts of password hashes, asking for help to crack them without any explanation of their origin or the purpose of posting and cracking them. NOTHING. There is no information available about the user either, who is happily hiding behind the "anonymity" the Internet provides.
At the #Passwords10 conference I got challenged after my talk to do a debate on password cracking ethics by Howard Smith of Oracle:
(Howard Smith during his talk at #Passwords10)
I think my presentation, previous blog posts as well as my guest blog post for Elcomsoft entitled "Why you should crack your passwords" clearly presents my point of view.
Howard's opinion, which was pretty much the opposite (correct me if I'm wrong, Howard), is that there is no point in doing password cracking for research purposes, since we already know that passwords haven't improved much during the last 10-15 years or so. People are still using simple passwords, they are still personally related, and they are still easy to crack. If we still need to do it, we shouldn't have to actually display the found passwords, as this may violate privacy and defeat the entire point of keeping passwords secret. Compare them "automagically" to a predefined set of rules, list those accounts that don't comply, and enforce a new password. Howard also said that one should question the legality of cracking password hashes of unknown origin, found on anonymous blog posts and shady forums on the Internet.
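The "compare automatically, never display" approach Howard describes can be demonstrated in a few lines. The following is an added example written for this post, not code from Howard, Oracle or the author: it audits a site's own stored hashes against a candidate list, records which accounts are guessable and which of an assumed rule set their password breaks, and returns only account names and rule labels, so the cleartext never leaves the audit function. Unsalted SHA-256, the account data, the candidate list and the rule set are all constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List

# Assumed hashing scheme for the example only: unsalted SHA-256 hex.
# A real audit would plug in the site's own scheme (salted, slow KDF).
def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample user database: account name -> stored hash.
ACCOUNTS: Dict[str, str] = {
    "alice": sha256_hex("password1"),
    "bob": sha256_hex("Tr0ub4dor&3xample"),
    "carol": sha256_hex("summer2010"),
    "dave": sha256_hex("correct horse battery staple"),
}

# Constructed candidate list standing in for a real wordlist.
CANDIDATES: List[str] = ["password1", "summer2010", "letmein", "qwerty"]

# Constructed denylist of common passwords for the policy check.
DENYLIST = {"password1", "letmein", "qwerty"}


def policy_violations(password: str) -> List[str]:
    """Return the labels of the (assumed) policy rules this password breaks."""
    problems: List[str] = []
    if len(password) < 12:
        problems.append("too_short")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c.isalpha() for c in password):
        problems.append("no_letter")
    if password.lower() in DENYLIST:
        problems.append("denylisted")
    return problems


def audit(accounts: Dict[str, str], candidates: List[str],
          hash_fn: Callable[[str], str] = sha256_hex) -> Dict[str, List[str]]:
    """
    Hash every candidate once, look each stored hash up in that table, and for
    every account that is recovered record only the account name plus rule
    labels. The recovered cleartext is used for the rule check and discarded.
    """
    lookup = {hash_fn(c): c for c in candidates}
    report: Dict[str, List[str]] = {}
    for account, digest in accounts.items():
        cleartext = lookup.get(digest)
        if cleartext is None:
            continue  # not guessable from this candidate list
        report[account] = ["guessable"] + policy_violations(cleartext)
    return report


def accounts_to_reset(report: Dict[str, List[str]]) -> List[str]:
    """Accounts that must be forced to choose a new password."""
    return sorted(report)


if __name__ == "__main__":
    result = audit(ACCOUNTS, CANDIDATES)
    for account in accounts_to_reset(result):
        print(account, ",".join(result[account]))
```

The report is the only output; the operator sees that "alice" is guessable, too short and on the denylist, and that "carol" is guessable and too short, without either password being shown. Scaling this up means swapping in the real hashing scheme and a larger candidate list; the non-disclosure property comes from the structure of `audit`, not from the hash function.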
It's hard to disagree.
However, we do know that the bad guys are doing this. In fact, it seems to me that there is an increasing trend of releasing large hash-only lists onto various web forums, asking other participants - even site owners - to freely take part in cracking those password hashes.
I'm afraid those participating are effectively becoming free password mules, aiding the bad guys in increasing the value of their stolen data. These data are of course obtained through illegal hacking activity against websites, compromising parts of, or entire user databases. By stealing user names and cracking their associated passwords, they suddenly have data with a monetary value attached to it in the black market.
Now here's a dilemma (back to Howard): as ... I don't know ... password security professionals? Can we help save both users and service providers by monitoring such forums, downloading such lists and trying to identify their origins before the bad guys start selling the valuable data, then informing the service provider about what we've found (under closed/responsible disclosure?) Or is that a job for the police or other government agencies?
We've seen cases before where service providers have no clue about being compromised long after their data has been put out on the Internet for sale by criminals. It will happen again. And again. And again.
The Gawker compromise also showed what could be a possible first: Chris Wysopal (CTO at Veracode, Twitter: @WeldPond) pointed out in a tweet that other service providers (LinkedIn and others) used the list of compromised accounts (e-mail addresses) from Gawker to disable any of their own users with the same e-mail addresses. This was done just in case those users had broken one of the many laws of passwords: never use the same password across multiple services. What LinkedIn and others did, he saw as a possible new best practice. I fully agree with that!
So here we are, with a discussion that has been going on "forever", and it doesn't really have an ending either: ethics. At the same time password mules are unknowingly (or wittingly?) helping criminals increase the value of their stolen data, creating even more damage to providers as well as end-users. What next?
I'll end this blog post by quoting "Barsmonster", or Michail Svarychevski as he's named in real life, when he was asked on his own forum why he quit developing his GPU-based tool for high-performance password cracking:
"The complexity & danger - is due to risks to help someone to violate the laws, especially if you do this for money - you may be liable."
My definition of a password mule:
A person that willingly or unknowingly aids in cracking passwords obtained through illegal or questionable actions, and where the purpose is to increase the criminal monetary value of the data obtained.