20 Minutes to Hack KLM


2013-05-07

Being an avid follower of all blogs technological, I read about this hacked website or that hacked website almost daily (so much for website security, eh?). In light of this, a few weeks ago, I finally tackled a small project that’s been sitting in my bucket list for far too long. I changed all of my passwords so that each site has a unique password. This was… enlightening… to say the least.

I can’t really say that I’m a hacker’s primary target by any stretch, but when I read about companies storing passwords in plain-text, or reputable websites getting hacked and then intense Russians decrypting passwords and posting them online… Well, that makes me slightly more concerned.

At the end of the day, no one is trying to hack YOU, but that doesn’t mean your information can’t be made available through some other means.

What I did and how I did it

Quite simply, I went through every website that I use via entering a password, and changed the password to some locally unique, random gibberish.

As it turned out, I changed some 40 or so passwords… That was interesting enough, as I don’t know how I managed to accumulate logins for that many websites (I usually use a one-time login/password generator for sites I have no interest in returning to). All-in, it took about an hour. I had my process pretty streamlined by the end.

Password generation or management isn’t an issue, as I use KeePass on my Windows machines and KeePassX on my Mac (I like that KeePassX is cross-platform, but I really don’t think it’s up to where KeePass is from a usability point of view).

To keep everything in sync, I keep my KeePass database file sitting in my DropBox, so I can sync between computers without any hassle.

Finally, if the site has two-factor authentication, I always enable it.

What I discovered

Writing a post detailing the process of changing my passwords would be somewhat pointless… And I wish that I didn’t feel the need to write this post, but during this boring password-changing process, I ran across a website with the WORST password security I’ve ever seen. It is so bad that I actually felt compelled to immediately email some friends to tell them about it… Even worse, I felt compelled to email the company and explain to them how bad it really was… And I did both!

Before I get to that, some light-hearted password humour.

My letter to friends

Subject: Website security fail

I just ran across a website with the worst password security I’ve ever seen. I actually need to tell people about this, that’s how bad it is…

So, because I’ve been meaning to do it for a long time, I’ve been changing all of my passwords, so that each login has a unique password. I use KeePass, so it’s not an issue maintaining them.

Typically, I just generate a password with > 100 bits of entropy, and put that in. This works out to auto-generated 20-character passwords with alphanumerics and special characters…

Any website with even a quarter-competent development team can handle these, no prob. I’ve run into 5-6 sites so far where they force me to abandon special characters and stick with alphanumerics. Okay, fine, whatever.

Of the 40 sites with passwords I have, the 3 worst offenders are all airline rewards companies. Specifically, Aeroplan, BA, and… KLM…

Oh boy KLM.

KLM’s password scheme: Your password MUST be 4, 5, or 6 NUMBERS…. …. No letters, no special characters, just numbers. Meaning, there are around 1,110,000 possible password combinations among all of their customers. AND, their website asks you to store your credit card details for faster bookings!

If I was a hacker, I would have e-********* this site by now…

My letter to KLM (not responded to)

Hello,

I was just going through all my personal passwords to change them, and I noticed that of the 40 website passwords I needed to change, the one for KLM was the most limiting and had the lowest security.

4-6 numeric digits only gives about 1,110,000 possible passwords, which is -incredibly- limiting. This website (https://www.grc.com/haystack.htm) suggests that it would take approximately 20 minutes to brute force into an account.

I was wondering whether this HUGE security flaw would be corrected any time soon?

Thanks! -SJ

Footnote

As I mentioned, BA and Aeroplan took the other spots in the top 3 of poor password security. I guess that I’m even more critical of these companies because they hold personal information, as well as credit card details, whereas some random forum with weak security doesn’t contain much sensitive information.

Aeroplan:

  1. Password length between 6 to 10 characters long
  2. Can only use numbers or letters in any combination (no special characters or accents)
  3. Cannot use your Aeroplan Number or previous password [this is a good one]

British Airways:

  1. Can only use alphanumeric characters
  2. Has a length limitation (between 21 and 32 characters somewhere) [from a development perspective, I can’t understand where this limitation came from]

Update (Nov 2016)

It’s been 3.5 years since I wrote this post, and I decided to take another look at those 3 websites I mentioned to see if they have done anything to improve their password security.

Sadly, but not surprisingly, British Airways and Aeroplan have kept their password requirements the same (although, the error messages have become worse - they don’t really tell you why the passwords are being rejected - just repeat the same error over and over).

I was (unpleasantly) surprised by KLM though. I thought they couldn’t get any worse than 4, 5, or 6 numbers as your password. …. I was wrong.

KLM has REDUCED their maximum password length from 6 numbers to 4 numbers… … … Yep, that’s right. You can ONLY have a password of 4 numbers now. That means when I went to update my password, my previous password with 6 numbers was wayyy too long for the new requirements…

Using https://www.grc.com/haystack.htm as a benchmark again, we’ve reduced the brute force space from 1,110,000 possible permutations to about 10,000.
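To put the numbers in this post side by side, here is a small policy-space calculator (an added example, not code from the original post or from grc.com). It reproduces the 1,110,000 and 10,000 figures for the two KLM rules, and applies the same arithmetic to the Aeroplan and BA rules and to the author's own 20-character KeePass passwords. Assumptions: alphanumeric means 62 symbols, printable ASCII means 95 symbols, the BA maximum is taken as 21 because the post only says "between 21 and 32 somewhere", and the guess rate of 1,000 per second is a constructed online-attack figure chosen to match the "approximately 20 minutes" estimate quoted from the haystack page.

```python
import math

# Character-set sizes assumed for the policies described in the post.
DIGITS = 10          # 0-9
ALNUM = 62           # a-z, A-Z, 0-9
PRINTABLE = 95       # printable ASCII including space and symbols

# Constructed assumption: an online guessing rate of 1,000 attempts per second.
ONLINE_GUESSES_PER_SECOND = 1_000


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords a policy permits: sum of charset^n over each allowed length."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("invalid length range")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Entropy of a password chosen uniformly at random from a keyspace of the given size."""
    return math.log2(space)


def minutes_to_exhaust(space: int, guesses_per_second: float = ONLINE_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every permitted password at the assumed guess rate."""
    return space / guesses_per_second / 60


# (charset size, minimum length, maximum length) for each policy in the post.
# BA's maximum length is an assumption (the post only narrows it to 21..32).
POLICIES = {
    "KLM 2013 (4-6 digits)": (DIGITS, 4, 6),
    "KLM 2016 (exactly 4 digits)": (DIGITS, 4, 4),
    "Aeroplan (6-10 alphanumeric)": (ALNUM, 6, 10),
    "British Airways (alphanumeric, assumed max 21)": (ALNUM, 1, 21),
    "Author's KeePass (20 printable chars)": (PRINTABLE, 20, 20),
}


def audit(policy: tuple) -> dict:
    """Summarise one policy: keyspace size, entropy in bits, and minutes to exhaust online."""
    space = keyspace(*policy)
    return {"keyspace": space, "bits": entropy_bits(space), "minutes": minutes_to_exhaust(space)}


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        r = audit(policy)
        print(f"{name:48s} {r['keyspace']:>40,d} {r['bits']:7.1f} bits {r['minutes']:>14.1f} min")
```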