In encryption, complexity can give us a false sense of security. In the previous example, I mentioned the possibility of patterns emerging from the technique, but I’m sure when you looked at the encrypted text, those patterns were not at all obvious, so perhaps you didn’t feel like there was anything to be concerned about.
The effort required to crack those patterns looks like the realm of savant mathematicians and quantum computing geniuses. And didn’t you read somewhere that your clever 8-digit Pa$$W0Rd would take like 1000 years to crack??
I feel it’s important to give an accurate sense of how flimsy a scheme that looked secure at first glance can actually be.
Oftentimes we hear about the massive computing resources needed to churn through billions of possible password combinations, and that makes us feel secure. However, we mustn’t forget the enormous role that the “human element” plays in reducing security.
With the previous demo, if a user’s Password was shorter than their Secret, we repeated the password’s characters until we had enough to pair with the characters in their Secret.
For long secrets, the password could be repeated many times, creating patterns which, when paired with the predictability of human behavior, open up an enormous vulnerability.
Let’s switch hats for a moment, and start to think like a hacker.
Next, we added each pair of numbers together, creating an array of Summed numbers.
Finally, we converted the Summed numbers back into characters to produce the final, encrypted Ciphertext.
What if, instead of guessing the Password, we tried to guess the Secret?
For each character: Encrypted - Secret = Password
Let’s think about how that’d work.
The opposite of an addition is a subtraction, so let’s see what happens if we reverse the above calculations, starting with the encrypted text, because as a hacker that’s all that’s available to us.
Let’s take the encrypted Ciphertext and break it up into characters.
Next, let’s guess the Secret and break it up into characters.
Convert both into numbers, and subtract the Secret from the Encrypted Text.
We’d end up with the user’s Password!
Step By Step Guide
Let’s run through that in a bit more detail, and see how we go.
If we put ourselves into our target’s shoes, let’s think about what kind of info they’d store in an entry they’ve titled “Netflix Logins”. An educated guess would be that their secret could start with the word Username.
It’s just a guess, but considering we know they’ve stored account login information, it’s at least a good place to start. If this didn’t work out, we could try Email or Netflix or Account and we’d probably get lucky pretty quickly.
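The whole walkthrough in code, as an added example that is not part of the original demo: the password is repeated to the secret’s length and added character by character, and subtracting a guessed plaintext prefix (“Username”) from the ciphertext hands back the password. The number mapping (printable ASCII, sums taken modulo 95 so the ciphertext stays printable) and the sample secret are assumptions made here, since the original demo does not spell them out.

```python
# Added example, not the post's own code. Assumption: characters are mapped to
# 0..94 over printable ASCII (space .. '~') and pairs are summed modulo 95 so
# the ciphertext stays printable. The demo's exact mapping is not specified.
ALPHABET_SIZE = 95
BASE = ord(" ")


def to_num(ch: str) -> int:
    """Character -> number in 0..94."""
    return ord(ch) - BASE


def to_chr(n: int) -> str:
    """Number -> character, wrapping so the result is always printable."""
    return chr(n % ALPHABET_SIZE + BASE)


def repeat_key(password: str, length: int) -> str:
    """Repeat the password until it is long enough to pair with every secret character."""
    return (password * (length // len(password) + 1))[:length]


def encrypt(secret: str, password: str) -> str:
    """The demo scheme: Secret + repeated Password, one character pair at a time."""
    key = repeat_key(password, len(secret))
    return "".join(to_chr(to_num(s) + to_num(k)) for s, k in zip(secret, key))


def decrypt(ciphertext: str, password: str) -> str:
    """Reverse of encrypt: Encrypted - repeated Password."""
    key = repeat_key(password, len(ciphertext))
    return "".join(to_chr(to_num(c) - to_num(k)) for c, k in zip(ciphertext, key))


def recover_password(ciphertext: str, guessed_secret_prefix: str) -> str:
    """Encrypted - (guessed) Secret = Password.

    Only as many password characters as the guess covers come back, so a guess
    at least as long as the password recovers all of it in one shot.
    """
    n = min(len(ciphertext), len(guessed_secret_prefix))
    return "".join(
        to_chr(to_num(ciphertext[i]) - to_num(guessed_secret_prefix[i])) for i in range(n)
    )


if __name__ == "__main__":
    secret = "Username: alice@example.com Password: hunter2"  # constructed sample
    ciphertext = encrypt(secret, "Pa$$W0Rd")
    print("ciphertext:", ciphertext)
    recovered = recover_password(ciphertext, "Username")  # educated guess at the prefix
    print("recovered password:", recovered)
    print("decrypted:", decrypt(ciphertext, recovered))
```

Guessing only “User” recovers just “Pa$$”, but because the key repeats, every further correctly guessed plaintext character reveals another password character, and once the full period is known the whole entry falls.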
Well that’s not ideal...
As you can see, even though the final ciphertext looked like total gibberish, using the password as the encryption key is a surefire way to get your information compromised.
I have a few ideas about how we can strengthen the security, so our next demo will run through those.