Australian researcher cracks Lion passwords!

[gunug]

A security specialist at the University of Adelaide named Patrick Dunstan has broken Lion passwords:

QUOTE

“So for all modern OS X platforms (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user … or at least it should be,” wrote Dunstan in his post. “It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data.”

http://delimiter.com.au/2011/09/26/aussie-...lion-passwords/

[Xairbusdriver]

As far as I know, the password "hash" data is only protected by the permissions of the file (who can access it) and the encryption method used to create the "hash." But having access to the "hash" is far from having access to the password. Of course, access is one less step toward "un-hashing" the data and determining the password and should be corrected/strengthened.

As I understand "hashing," and I haven't even looked up anything about it, the text to be encrypted is run through a bit of code that 'simply' converts each character and/or groups of characters into another character and or/group. The code may use bits of code so that it knows how to reverse the process and that may be stored in a different place, which adds a bit more security.

So, IMHO, this specialist hasn't "broken" any passwords, he's merely found the file that contains the password hash data. Most importantly, he has found that Lion (and maybe earlier versions) are not protecting that file as well as possible. Now, if he finds the actual hashing algorithm, he'll be more likely to reverse engineer it to find out what the actual passwords might be. It is not clear to me, however, if the work he is doing requires direct physical access to the hardware or if it is actually a software-based 'attack.' Once someone has physical access, of course, the majority of the hard work has been done. It might be easier to simply run some diagnostic software tools and read an unencrypted hard drive, which might even be removed from the computer, and gather any and every thing on it—who care's if there is a password?

As has been pointed out many places, security has many parts. Physical access being one of the most easy parts...for a business or government. About all we have for our home computers is the lock on the front door. The second major aspect of security is on a network. Again, most businesses/governments know how to handle that. Home computers are not so well protected because many people don't even consider the Internet as just another network. So we are only as protected as the OS builders and our own knowledge and behaviors are. If we click on links wilt-nilly and allow anything downloaded permission to run on our hardware, we shouldn't be surprised at losing our security. As we used to say about car accidents, "The most dangerous thing in a vehicle is the nut behind the wheel!" The modern corollary might be, "The weakest link in personal computer (and more and more of our devices are actually computers) security is the animal in front of the monitor!"

[Paddy]

Interesting. What the article John linked to doesn't include is to my mind, far more interesting.

http://www.infosecurity-magazine.com/view/...swords-cracked/

QUOTE

Although Dunstan says that the current crop of Mac password crackers - from the darker side of the internet, Infosecurity notes – do not support the SHA512 plus four-byte salt password hash structures seen on OS X Lion, he has created his own simple script in python, which he is offering for download.

“Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user”, he says

“So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

And voilà! You will be prompted to enter a new password without the need to authenticate.”

As a temporary measure to mitigate these attacks - before Apple releases a patch – Dunstan recommends users limit their standard access to the dscl utility using a `$ sudo chmod 100 /usr/bin/dscl' command.

Again - requires physical access to the Mac in question, and one hopes Apple will fix this quickly!

[Xairbusdriver]

I recall reading about the problem allowing just about anyone to reset the password, and that is absolutely a major problem that needs correcting...yesterday. But stories about hash file access does nothing to help either that problem or the PW changing one.

After looking into some hashing info, all of more concerned with it's use on web sites, I noted that most of these methods don't even store the actual password, just the hash. That's why the mention of 'dictionary' lookups. Basically, a hacker generates every possible but generally used password and can then compare that list with the hash file entries. "Salt" refers to another, usually computer generated and often random, word that is added to the password (often in different places rather than either end), before getting run through the 'hashing.' This further increases security, and the longer that 'salt' word, the better, of course.

I think Keychain stores the actual password along with any hash, however. That's one reason to use a different way of storing at least some passwords...if my suspicions are true.

Bottom line: Use strong passwords, as long as possible, including upper and lower-case letters, numbers and punctuation marks! Absolutely do not use 'dictionary' words, ever. Period!!