Cracking Magento passwords for $1

TL;DR: Find weak passwords on your Magento stores before the bad guys do. If you spend some serious money ($1) on high-performance computing power, you can find easily guessable passwords. Here’s - step by step - how you can check your stores for vulnerable admin accounts.

A password guessing attack (aka “brute force”) has become the most successful attack vector recently. Hackers try zillions of passwords on authenticated pages ( /admin , /downloader , /rss ) until they hit the jackpot.

Now, you (the admin) can easily find weak passwords, because you have a major advantage over remote attackers: speed. Potential hackers test passwords over HTTP, which is relatively slow. With a botnet and fast servers, at best (worst) they can try a few hundred passwords per second per store. You, on the other hand, have direct database access. With the proper setup (read on!) you can test 4 billion passwords per second.

What is password hashing?

When big companies are hacked, they always say your password is safe because it was stored in an unreadable manner.

What they actually mean is that they stored a hash of your password. Hashing is a one-way algorithm to translate some data (your password) into a unique code. Say, you have password qwerty123 . The MD5 hash for this password is 3fc0a7acf087f549ac2b266baf94b8b1 . It is not possible to revert this. However, nothing stops you from hashing random passwords and see if they match 3fc0a7acf087f549ac2b266baf94b8b1 . You would only have to try enough combinations, starting with aaaaaaaa , then all the way to ZZZZZZZZ (and beyond).

The MD5 method is not a very safe hash, because it is unbelievably fast. A 5-year old PC can compute about 70 megahashes (MH) per second. And a juicy videocard can do 4500 MH per second.

Get the machinery in place

Magento 1 CE uses the fast MD5 hash to store admin passwords. To find weak ones, you need:

A hashing utility such as hashcat

A dictionary (such as those from Skullsecurity)

A cloud server optimized for machine learning, such as Amazon’s P2

A list of hashed Magento passwords

Amazon released their P2 GPU servers recently, to jump on the machine learning money wagon. P2 servers happen to be also really good at hashing. Equipped with Nvidia’s Tesla K80 cards, those servers are nothing but hash grinding beasts. The smallest P2 server is still pricey, but for $1, you may tame it for a whole hour.

Boot a p2.xlarge with Amazon EC2. Root disk 8GB is ok. Pick Ubuntu 16.04 AMI. Download keyfile (pem). Run these commands in terminal.

Extract hashes from your Magento stores

Almost ready to start cracking: you just need the password hashes. If you have magerun, you can do this (run on your Magento server):

n98-magerun db:query "select concat(username,':',password) from admin_user where is_active=1" | tail -n +3 | tee maghashes.txt

Now, maghashes.txt contains lines with username:hash:salt like this:

admin:90EFkDlbNgMIVq6oJZfXJ7XrifM4TI80:ToV9inml5MawidrOTCgcKvwSwn1xIApE backup:ep0NXnY2MeRI9JzXDHefnRdQDyNmhkH7:8M

Copy this file to your hash grinder and start the magic:

scp maghashes.txt ubuntu@<AWS-IP>:/data # back to your AWS terminal cd /data/hashcat ./hc -m20 --username -r rules/best64.rule ../maghashes.txt ../phpbb.txt

The One Dollar Challenge

Show all the guessed passwords:

./hc --show --username -m20 ../maghashes.txt

In practice, 10-15% of the admin passwords appears easily guesseable. This is more than I expected. Notable cases are test/test123 and admin/123. Magento 2 forces strong passwords by default, but for anyone still running M1, it’s a good idea to give your admin passwords a boost.

Bonus

Update 15:40: Magento 2 uses the somewhat safer SHA-256 hash, but it is still not as good as PHP’s native password_hash() . Tobias Zander proposed to change it in January 2015 but it hasn’t happened. The illustrious Daniel Sloof has made a Magento 2 module to use more secure hashing while retaining backwards compatibility.

It would be absolutely awesome if sombody could make a magerun plugin to check for the most common weak passwords (test123, welcome01, etc), so that testing takes 1 minute instead of 1 hour.

If you find it scary that password cracking is so easy: say bye bye to MD5! There are several ready to use replacements, made by Classylama and Fabian Blechschmidt, that implement safer algorithms. Why Magento1 still uses MD5 is beyond me. To demonstrate the speed difference, here is the benchmark for the Amazon P2 grinding rig running MD5 and PHP’s password_hash() (bcrypt/c10):

MD5 4,231,000 hashes/sec PHP’s password_hash() 53 hashes/sec