Can you keep a secret?

Explore

Breaching Simple Security

I did tell you it wasn't secure, right? 🤔

Complexity, an illusion of security

In encryption, complexity can give us a false sense of security. In the previous example, I mentioned the possibility of patterns emerging from the technique, but I’m sure when you looked at the encrypted text, those patterns were not at all obvious, so perhaps you didn’t feel like there was anything to be concerned about.

The effort required to crack those patterns looks like the realm of savant mathematicians and quantum computing geniuses. And didn’t you read somewhere that your clever 8-digit Pa$$W0Rd would take like 1000 years to crack??

I feel it’s important to help give an accurate sense of how flimsy security can be that perhaps at first glance looked secure.

Oftentimes we hear about the massive computing resources needed to churn through billions of possible password combinations and that makes us feel secure, however we mustn’t forget the enormous role that the “human element” contributes towards reducing security.

⁠

With the previous demo, if a user’s Password was shorter than their Secret, we repeated the password’s characters until we had enough to pair with the characters in their Secret. For long secrets, the password could be repeated many times, creating patterns which when paired with the predictability of human behavior, opens up an enormous vulnerability.

⁠

Let’s switch hats for a moment, and start to think like a hacker

⁠

Kristina Flour⁠

Unsplash⁠

⁠

In cybersecurity, we know that it’s very important not to divulge your password. What may be unclear is that with Simple Security, it’s just as important to not divulge the Secret itself. Even a small part of it.

⁠

For each character:

Secret

+ Password

= Encrypted

Remember how we generated the encrypted text?

First we converted the Secret and the Password into arrays of numbers based on each character’s Index in

Character Mapping⁠

Next, we added each pair of numbers together, creating an array of Summed numbers.

Finally, we converted the Summed numbers back into characters to produce the final, encrypted Ciphertext.

⁠

What if, instead of guessing the Password, we tried to guess the Secret?

For each character:

Encrypted

- Secret

= Password

Let’s think about how that’d work

The opposite of an addition is a subtraction, so let’s see what happens if we were to reverse the above calculations, starting with the encrypted text because as a hacker that’s all that’s available to us in this doc.

Let’s take the encrypted Ciphertext and break it up into characters.

Next, let’s guess the Secret, break it up into characters

Convert both into numbers, and subtract the Secret from the Encrypted Text.

We’d end up with the user’s Password!

⁠

Step By Step Guide

Let’s run through that in a bit more detail, and see how we go.

Step #1. Let’s make an educated guess...

⁠

Encrypted Text. GdQ[>(3Q!p/??5NZN>0\edi>\+ap8@],=~ju}-/cs

Guessed Secret. Username

(we'll focus on the orange text with the same number of chars as the word "Username" which we expect is the start of the user's Secret text)

Use these to walk through the steps 👇

⁠

Step 1

⁠

Let’s look at one of the secrets from

Simple Security⁠

, saved as “Netflix Logins”.

If we put ourselves into our target’s shoes, let’s think what kind of info they’d store in an entry they’ve titled “Netflix Logins”. An educated guess would be that their secret could start with the word Username.

It’s just a guess, but considering we know they’ve stored account login information, it’s at least a good place to start. If this didn’t work out, we could try Email or Netflix or Account and we’d probably get lucky pretty quickly.

1 of 1

⁠

Well that’s not ideal...

As you can see, even though the final ciphertext looked like total gibberish, using the password as the encryption key is a surefire way to get your information compromised.

I have a few ideas about how we can strengthen the security, so our next demo will run through those.

⁠

Strong Security This solution significantly improves on security strength.⁠

Gallery

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.