How to more securely sign in to an account using a password that is shared across several services?

March 7, 2014

When signing in to iMessage, your phone sends the AppleID and password in the clear over a secure channel to Apple's directory service (IDS). This shouldn't be an issue, except that the channel is secured using TLS (which has some issues lately, especially on iOS). As a result, it is easy to mount a man-in-the-middle attack, allowing an attacker to retrieve the password.

The problem is that the AppleID not only gives access to iMessage, but also to iCloud, the app store, and iTunes. We see that by being able to attack one service (iMessage) and retrieving the account name and password, the attacker is able to access all related services as well. This is a common threat, that potentially hits other larger service providers as well. In fact it occurs whenever a single account gives access to different services. Clearly this is undesirable.

So what can be done? Obviously, any simple hashing of the password before sending it to the server will not help. Instead of the passwords, the hash of the password becomes the 'access token' with which the attacker gains access to all related services.

What would help though is to mix the password and the name of the sub-service, and hash that result before sending it to the server. This value is now a service specific password, and useless for logging in to another subservice. In effect, each subservice is using a different password, that is derived from a single user password. For the user this is all transparent: he only needs to remember one password.

Probably worth remembering next time you implement several services for which you want to share accounts.

Coming to think of it, I think it is advisable to use this trick every time passwords are used to sign in. People have the tendency to re-use passwords. If every sign-in dialog would first mix the name of the service (for example the domain name of the server) with the password and then hash it before sending it to the server, a compromise of one website would not necessarily give the attacker access to a lot of other websites on which you use the same password.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Securely using a single master password on all sites you visit. // Jaap-Henk Hoepman
, 2014-04-21 11:21:37

[…] reuse passwords. This is not secure. But people do it anyway. So, can we make it more secure? Yes we can! In fact you can securely sign in with a single master password on all sites you visit. Plugins like […]