
I'm not a cryptography expert, I am a web developer trying to determine the origin of a Wordpress blog hack, and how likely it is that it was brute forced.

The administrator account username had been changed from the default "admin" and the password was, I believe, 8-10 characters comprising mixed case alphanumeric characters and symbols (the password has since been changed and extended in length).


Out of curiosity, I was looking at sites which supposedly estimate how long it would take to crack passwords. Supposedly:

Example Password: Vr%*zSR7mb

  • Length: 10 characters
  • Character Combinations: 77
  • Calculations Per Second: 4 billion
  • Possible Combinations: 7 quintillion

58 years to crack


But what does this mean in real world terms?

The site seemed to have been hacked by a rival company with a terrible website and poor English, which I would guess originates from Eastern Europe, Africa or Asia (basically, not even a real rival but someone attempting to make business in the same industry). All they did was post 2 entries of poorly written content promoting their own site.

If it takes 58 years to brute force the password, it's obviously not feasible that the password was hacked with a brute force according to that estimate.

  • How many calculations can one computer make?
  • What kind of computing power does the average hacker have access to?
  • How is a hacker able to leverage the use of multiple machines?

If a rival wanted to hack a website, how easy is it for someone with little experience to download and use tools to brute force a password? How easy is it to pay someone cheap money in a poorer country to perform the hack for you?

The bottom line here is I feel like a brute force attack on what is a fairly useless blog, in order to post fairly useless content which probably won't yield any return at all, is not very likely.

The problem is I don't know enough about the reality of brute force attacks, and how easy they are to perform. If it's something anyone can quickly and simply run, within a short amount of time, then it sounds possible that's what happened. Otherwise, I would like to be able to rule out a brute force attack and look at more likely options such as someone's machine being compromised with a key logger.

BadHorsie
    This question is really far from cryptography, and I would consider it off-topic. But to give a short answer: Being "hacked" does not necessarily imply a bad password (it will most of the time, though). It can also be that the implementation of security measures is simply wrong or bugged (e.g. happens when people don't follow the rule: Never implement crypto yourself), passwords were saved in the clear at the provider, and that database got stolen, ... lots of possibilities. If you want to know what happened, try to verify everything and keep speculation to a minimum. – tylo Sep 07 '15 at 12:10
  • @tylo Which exchange would you recommend I move it to? – BadHorsie Sep 07 '15 at 13:02
  • "How many calculations can one computer make?" - look for benchmarks of modern CPUs and extrapolate this to server CPUs (like the Intel Xeon E7-8890v3) and consider that a single MB can take up to 8 of those beasts. What does the attacker have access to? Probably AWS EC2 instances for $1k+, depending on the budget. More machines usually increase the speed linearly. – SEJPM Sep 07 '15 at 13:10
  • The question is rather verbose but basically amounts to "how feasible is a brute force attack on a 10-character WordPress password", which I think is on topic. However, the password generation process needs to be known for an accurate entropy estimation. – otus Sep 07 '15 at 13:32
  • @otus Wordpress apparently adds a unique salt generated on a per-site basis to the password and hashes it with 8 passes of MD5. – BadHorsie Sep 07 '15 at 14:01
  • @BadHorsie, some versions of WordPress and/or PHP also support bcrypt (much better) and variable iterations. You checked that yours uses 8 iterations of MD5? Also, by password generation process I mean how the password was chosen. If the password was uniformly random from e.g. 10 characters of printable ASCII, it's different from "random" key mashing or my pet's name encoded in a weird way. – otus Sep 07 '15 at 14:07
  • @BadHorsie The problem probably doesn't lie with the exchange, but with the oversight of security holes or corrupted computers (as you stated yourself, e.g. keyloggers). A recommendation here depends on what kind of website we're talking about: If it is about any kind of professional site/ business involving money, my advice is: Get an expert to analyze (and - if needed - fix) your setup. For security it's a really bad habit that software developers think they can do anything themselves. – tylo Sep 07 '15 at 14:39
  • @otus The site is a default installation of WP which means it will be using the 8 x MD5 hashing. The passwords are generated completely at random and are considered strong in terms of the ASCII range used but perhaps weren't long enough at 8 characters, which I have doubled for the new password. – BadHorsie Sep 07 '15 at 15:46
  • @tylo It's just an unimportant blog for SEO purposes on a professional site. Honestly, paying a security consultant what is likely to be a disproportionally large amount of money for an audit on a small blog, is not a realistic expectation. As a software developer, I take your point and somewhat agree even, but the paranoia and expense of hiring security consultants for small websites is not necessary. Most software developers who are conscious of security and somewhat capable of understanding problems and solutions can take care of it to a degree that is acceptable for the business. – BadHorsie Sep 07 '15 at 15:52
  • @tylo FYI this is not my project really, I'm just trying to investigate the potential hack and see what the route of entry might have been. There is more to this story than I have included in the question anyway - for example, the MD recently gave blog access to an SEO agency, and the hack happened shortly after, so for all we know they have an infected machine or compromised the details. I would have no objection to the company paying for security audits but it's not realistic to expect them to do so. But I think there is a balance to be had between risk and real world usability. – BadHorsie Sep 07 '15 at 15:56
  • The question is more for me to be able to say with a strong degree of certainty to the boss that it wasn't a brute force attack anyway, and that we should look into the security and current condition of the computers used to access the blog recently, including those of the SEO agency. – BadHorsie Sep 07 '15 at 15:58

1 Answer

If the password was 8-10 random characters with alphanumerics and some symbols, a lower bound estimate of the entropy would be something like 48 bits (eight random base 64 characters). Coupled with WordPress' weak 8-round MD5, that's just over 50 bits of security. Not terribly secure.

A low-resource attacker like you assume could maybe crack it in a couple of weeks. If they had nothing else to do with their computer. Or they could buy some cloud computing resources to tackle the job. According to this blog post, an Amazon GPU instance (from a couple of years ago) could calculate about two billion MD5 hashes per second. With eight instances you'd have the search space covered in 24 hours. And that costs maybe a hundred bucks if that. (You could also do it quicker with more instances without a significant cost increase.)

However, if you assumed the high end of 10 characters out of all printable ASCII (95 possibilities), you would have a 65 bit strong password. Which would cost more like ten million dollars to brute force. So the actual entropy is rather important. If the initial password wasn't generated with a random number generator, its entropy was probably much less than something like the site you linked would predict.


While it is possible, brute forcing the password sounds like one of the less likely ways a WordPress blog would be compromised. An unpatched vulnerability in WordPress itself, some plugin, PHP, the SQL database or some other software seems more likely. Or in the case of a shared host, even a privilege escalation from another account.

otus
  • Helpful answer, thanks. Could you explain how you roughly calculate the bits/entropy and estimate the time to brute force? The passwords can be assumed to be random of the full ASCII set. – BadHorsie Sep 07 '15 at 17:15
  • @BadHorsie, there are $s^l$ passwords of length $l$ from a character set of size $s$. Take the $\log_2$ of that to get bits of entropy. Time to brute force is just #passwords / (guesses per second). Guesses per second could be e.g. 1 billion/s for a single computer. (I would not assume anything like full ASCII, rather I'd always assume the worst.) – otus Sep 07 '15 at 17:23
  • For brute-force estimates: CloudCracker (by Moxie Marlinspike) is a FPGA service that can brute force a 56-bit DES key in 24 hours (worst case). 50 bits would be $2^{-6}$ of a day, which is approximately 22 minutes and 30 seconds. – Scott Arciszewski Nov 08 '15 at 00:58
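Worked calculation of the estimate described in the answer and in otus's comment, added here as an example (it is not code from the thread): entropy as $l \cdot \log_2 s$, cracking time as keyspace divided by guess rate, with the hash's iteration count and the number of parallel machines as parameters. The 8 MD5 passes and the ~2 billion MD5/s per cloud GPU instance are the figures the thread states, not independently verified; `hashes_per_second`, `hash_rounds`, `machines` and `fraction` are parameter names chosen for this example.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly and
    independently from a `charset_size`-symbol set: log2(s^l) = l * log2(s)."""
    return length * math.log2(charset_size)

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size ** length

def effective_security_bits(charset_size: int, length: int, hash_rounds: int) -> float:
    """Password entropy plus the work the hash adds: an iterated hash of
    `hash_rounds` passes costs the attacker log2(hash_rounds) extra bits."""
    return entropy_bits(charset_size, length) + math.log2(hash_rounds)

def crack_time_seconds(charset_size: int, length: int, hashes_per_second: float,
                       hash_rounds: int = 1, machines: int = 1,
                       fraction: float = 1.0) -> float:
    """Wall-clock seconds to test `fraction` of the keyspace.

    hashes_per_second: raw hash throughput of ONE machine (a benchmark figure).
    hash_rounds:       hash calls per password guess; divides the guess rate.
    machines:          parallel machines, assumed (as in the thread) to scale linearly.
    fraction:          1.0 = worst case (whole keyspace), 0.5 = average case.
    """
    guesses_per_second = hashes_per_second * machines / hash_rounds
    return keyspace(charset_size, length) * fraction / guesses_per_second

def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Figures from the thread: the estimator site's 77-symbol set at 4e9 guesses/s; the
    # answer's 64-symbol 8-char lower bound; 8 MD5 passes; 8 GPU instances at 2e9 MD5/s each.
    print("site estimate :", describe(crack_time_seconds(77, 10, 4e9)))
    print("8 x base64    :", f"{effective_security_bits(64, 8, 8):.1f} bits,",
          describe(crack_time_seconds(64, 8, 2e9, hash_rounds=8, machines=8)))
    print("10 x ASCII95  :", f"{effective_security_bits(95, 10, 8):.1f} bits,",
          describe(crack_time_seconds(95, 10, 2e9, hash_rounds=8, machines=8)))
```

Plugging in the thread's numbers reproduces the site's "58 years" (full 77^10 keyspace at 4 billion guesses per second) and shows how the same 8-character password goes from years on one CPU to about a day and a half on eight GPU instances, while ten printable-ASCII characters stay at centuries on that cluster.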