How Three Rings Protects Your Passwords

You may have seen recent revelations about hackers stealing thousands of passwords from users of LinkedIn, eHarmony, and LastFM.

If you’ve got an account on any of those systems, you can check if your password was one of the ones stolen using an automatic tool for the purpose (either LinkedIn checker, eHarmony checker, or LastFM Checker, depending on the website).

We’re always in favour of erring on the side of caution for this sort of thing, so we’d recommend that any user of these services changes their password anyway, and if you use the same password on other sites, you should change those as well.

Of course, you should use a different password for every website you log in to (and there exist some great free tools, like LastPass, KeePass, and SuperGenPass, to help you to do this), but we know that not everybody does this. That’s why it’s so very important that web services like Three Rings store your passwords in a way that can’t be easily compromised.

Any website that lets users create an account is going to try to keep people without accounts out. There are a lot of defences against hostile attacks from non-users (Three Rings uses lots of different ones!). But, just like there’s always a risk a burglar will get into a house despite locked doors and burglar alarms, there’s always a slight risk that someone might break through and steal details of people’s passwords – that’s what’s happened to those three websites over the past few days.

Because there’s always the risk that will happen, it’s very important to do two things: firstly, to keep checking your website protection is the best it can be (this is a bit like making sure the burglar alarm works and you haven’t left any windows open anywhere). Secondly, it’s important to secure important data like passwords so that it is useless even to someone who gets hold of it (just as you could put jewellery in a safe inside the house).

In fact, Three Rings encrypts the data it moves about, but in view of the recent password-stealing attacks against other websites, we thought we’d better reassure you about how passwords kept by Three Rings are protected. Things are about to get a little technical – not too much, but if you’d rather skip the nitty-gritty details, just scroll down to the section marked ‘So what does that mean?’.

Comparison of password storage methods

This table summarises the password protection strategies employed by the recently hacked services, and by Three Rings:

Encryption (hashing) used:
  LinkedIn:     SHA-1    Good (okay)
  eHarmony:     MD5      Bad (weak)
  LastFM:       MD5      Bad (weak)
  Three Rings:  SHA-512  Good (good; and “BCrypt” upgrade planned)

Salting used?
  LinkedIn:     No  (passwords can be cracked in bulk; LinkedIn have announced that they’ll fix this)
  eHarmony:     No  (passwords can be cracked in bulk)
  LastFM:       No  (passwords can be cracked in bulk)
  Three Rings:  Yes (passwords cannot be cracked in bulk)

Password restrictions:
  LinkedIn:     Yes  Okay (minimum 6 characters)
  eHarmony:     No   Weak (minimum 5 characters)
  LastFM:       No   Very weak (no limits)
  Three Rings:  Yes  Strong (minimum 8 characters; must include 2 classes of characters)

Two-factor authentication:
  LinkedIn:     No, not available (unless using Facebook authentication)
  eHarmony:     No, not available
  LastFM:       No, not available (unless using Facebook authentication)
  Three Rings:  Coming soon! We’re already rolling out two-factor authentication to our administrators, and we’ll be making it available to your volunteers in the future.

Some technical explanations

To help you understand that table, let’s look at what some of the things in the column on the left mean.

‘Password restrictions’ is pretty simple: rules about what a password must look like make it harder to guess. The most useful rule is a minimum length (letting someone use a password that’s only six characters long isn’t as secure as making them use a password that’s twelve characters long, for example), and requiring a mix of different kinds of character (letters, digits, punctuation) helps a bit more. So websites with stricter password rules are offering a bit more security.

‘Two-factor authentication’ means that you need to log in by providing a password and a second code. The password stays the same, but the code changes. That means that even if someone managed to get your password, they couldn’t log in as you without guessing the secret code. It’s like having a PIN on your bank card: even if you lose your card, whoever finds it can’t use the card, because they don’t know your PIN. (Which is why you should never write your PIN down on the card!)

The only difference is that two-factor authentication online changes the code far more often than most people change their PIN, typically by using a small device, or an app on your phone, that generates a fresh code every 30 to 60 seconds. To log in using two-factor authentication, you give your password and, when the system asks, you enter the code currently showing on the device. As part of our continuing review of Three Rings security procedures, we’re investigating the possibility of letting people use two-factor authentication on our system. We wouldn’t force you to, of course, but we’d make the option available for people who wanted that extra security.

‘Encryption’ is slightly more complicated, and strictly speaking the right word for what happens to passwords is ‘hashing’. When you enter a password, the server – the computer the website is running on – checks its list of passwords to make sure that you entered the right password for your username. Just in case a hacker manages to steal the file with everyone’s password in, well-run services don’t keep the passwords themselves: they keep a one-way ‘hash’ of each password, a scramble that can always be recomputed from the password but can’t be turned back into it.

A password stored in ‘plain text’ looks the same in the password file as it would when you typed it in. So if someone gets a password file that says ‘David’s password is QVd0t10W’, they can log in as David. A hashed password is scrambled up, so instead of saying ‘QVd0t10W’ the file says something like ‘David’s password is 72c6d96ee597b92febbf596ab2c541a457c4baea’. When David logs in, the server hashes what he typed and checks that the result matches the stored scramble; it never needs the original. Even if someone types all that scramble in as a password, they still won’t be able to log in!

There are different ways, or ‘algorithms’, to hash passwords. Because a hash can’t be reversed, someone who steals the file has to ‘brute force’ it: guess likely passwords, hash each guess in the same way, and look for matches. The more work each guess costs the attacker, and the less guessable the password, the longer that takes.

  • The MD5 algorithm is pretty old (it was designed in 1991), and it’s known to be flawed. You can still use it, but passwords hashed with MD5 aren’t secure: it is extremely fast to compute, so an attacker can test enormous numbers of guesses every second, and too many people know how to break it!
  • Another algorithm is SHA1. That was published in 1995, and there are a few problems with it too. It’s not as bad as MD5, but its known weaknesses aren’t what matters most for passwords: like MD5 it was built for speed, so it offers little more protection against guessing than MD5 does.
  • Three Rings is using a third type of algorithm, SHA512 (a member of the SHA-2 family). That’s only from 2001 and – so far – there aren’t any known weaknesses with it. It’s the most secure of the three (which is why we use it!), but like the other two it was designed to be fast, which is a drawback when the job is to slow down an attacker’s guessing. That’s why we’re investigating a change to BCrypt in the future: BCrypt is deliberately slow, with an adjustable ‘cost’ that can be turned up as computers get faster, so every guess an attacker makes is expensive.

The key thing to remember here is that the algorithm doesn’t change the password you type. It just makes sure that the copy of the password that’s kept on the server is scrambled up enough that nobody could tell what your password is without guessing it, even if they broke through all the other defences on Three Rings and snuck a look at the password file.

‘Salting’ is an extra security function that goes on top of the password hashing. Before a password is hashed, a piece of random data (the ‘salt’) is added to it, and the salt is stored alongside the resulting hash. The salt isn’t secret; its job is to make every stored hash unique, so that an attacker can’t prepare a table of ready-made hashes for common passwords in advance, and can’t test one guess against every account at once. (This effect “stacks up” on top of the algorithm, so a password salted and hashed with a strong algorithm is safer than a password hashed with a strong algorithm but not salted, and so on down the chain.)

If anyone did steal a file full of salted password hashes, they couldn’t just set a computer to hash each likely password once and compare it against every account at the same time: because of the random data added to each password, they’d have to attack every single account one by one. A side effect of salting is that no two accounts will ever have the same stored hash (even if the passwords are the same in plain text), so the file doesn’t even reveal which people share a password. And because hashing is one-way, none of us here at Three Rings can work out what your password is either.
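To make the ‘Encryption’ and ‘Salting’ sections concrete, here is an added example (not Three Rings’ code, and not how its password file is laid out; the user names, passwords, word list and the ‘salt$hash’ storage format are all constructed for the demonstration). It stores the same passwords both unsalted and salted with SHA-512, then runs the two attacks described above against each file: hashing every guess once and looking it up across all accounts, versus having to re-hash every guess separately for every account.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a tiny user table (two users chose the same weak
# password) and the attacker's list of likely passwords to try.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "123456", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-512 of the password: what an unsalted scheme stores."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[str] = None) -> str:
    """SHA-512 over a per-user random salt followed by the password.

    The salt is kept next to the hash as 'salt$hash' (a layout made up for this
    example; real systems use a standard encoding such as the one crypt(3) or
    bcrypt define). A fresh salt is drawn whenever none is supplied.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 128 bits of randomness, unique per account
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Login check: re-hash the typed password with the stored salt and compare
    in constant time. The original password is never needed."""
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_salted(password, salt), stored)


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Bulk attack on an unsalted file: hash each guess once, then look every
    account's hash up in that table. Returns (cracked accounts, hashes computed)."""
    table = {hash_unsalted(guess): guess for guess in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack on a salted file: every account has its own salt, so each guess
    has to be re-hashed for each account. Returns (cracked accounts, hashes computed)."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        salt, _ = record.split("$", 1)
        for guess in wordlist:
            work += 1
            if hash_salted(guess, salt) == record:
                cracked[user] = guess
    return cracked, work


def demo() -> dict:
    """Build both kinds of password file from USERS and attack each with WORDLIST."""
    unsalted_db = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: hash_salted(p) for u, p in USERS.items()}
    cracked_u, work_u = crack_unsalted(unsalted_db, WORDLIST)
    cracked_s, work_s = crack_salted(salted_db, WORDLIST)
    return {
        # Same password gives the same unsalted hash, which alone reveals alice and bob match.
        "unsalted_alice_equals_bob": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_alice_equals_bob": salted_db["alice"] == salted_db["bob"],
        "unsalted_cracked": cracked_u,
        "unsalted_hashes_computed": work_u,  # one per guess, covering every account at once
        "salted_cracked": cracked_s,
        "salted_hashes_computed": work_s,    # one per guess per account
        "login_ok": verify_salted("letmein", salted_db["alice"]),
        "login_wrong": verify_salted("letmeout", salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what salting does and does not do here: it defeats the one-table bulk lookup and hides which users share a password, but each individual guess still costs the attacker only one fast SHA-512, so weak passwords such as ‘letmein’ fall either way. Making every single guess expensive is the job of a deliberately slow algorithm such as the BCrypt upgrade mentioned above.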

So what does that mean?

In short, Three Rings takes the security of your passwords as seriously as it treats the rest of the data you entrust to it. We do everything we can to defend against hackers, of course, but we also make sure that your passwords are secured by hashing them (with a ‘salt’ of random data, to add even more security), and we’re constantly looking at ways we can improve on the security we already offer.

We’re not trying to show off, here, but we do know some of our users are concerned, and we wanted to put your minds at rest: Three Rings’ data is being kept securely and safely.

Computer security isn’t simple, and to get it right takes careful planning and a detailed understanding of the technologies involved, as well as continuous assessment and auditing to make sure the system stays protected as new threats develop. But that’s something that we take very seriously, and we’re confident that the kinds of bulk-cracking attacks used to recover passwords from these three sites could not be used against Three Rings.