Internet passwords less safe

Internet passwords are becoming less safe, as crackers have found that widely used algorithms such as SHA-1 and MD5 have both been broken mathematically. Unfortunately, something far worse is happening now: the process is being reversed, so that a stored hash can be turned back into the password.

The MD5 algorithm is a commonly used method for storing passwords in Internet databases. Almost every time you register on a reasonably trustworthy website, and when you sign up to services such as phpBB forums and WordPress, the password is stored in the database in its encrypted (hashed) form rather than as plain text.

How password encryption works
When you sign up on a web page that uses database password encryption, the password you enter in the registration field is converted automatically using an algorithm such as MD5. For example, if you registered on such a website with the password password, what would be put into the database would be its MD5 hash, in this case 5f4dcc3b5aa765d61d8327deb882cf99.

Graphical explanation of registration and logins on a web page with encryption.

One or two years ago this would have taken a huge amount of time to crack, because the attacker would have needed a computer that tries to convert this string back by hashing candidate passwords from a dictionary one by one and comparing each result with the stored hash. That left good passwords mixing upper- and lowercase letters with numbers fairly safe.

To crack such a password, you do still need either to be the administrator of the server, so that you can see the MD5 value in the database, or to break into the MySQL database and read it somehow. This is often not very hard, because novice web developers and administrators sometimes lack the skill, or do not consider it important, to make sure their website is secure.

Cracks available to anyone
Now the process has been reversed. Certain Internet users are offering people access to tables that map MD5 strings back to passwords of up to 14 characters. Building such a table takes a huge amount of time, but once it is ready (which it now is), recovering a password from nothing but its MD5 hash takes only as long as the server needs to search for that string in its tables, which is usually not very long.

Online MD5 crackers:

To make these tables, all they have to do is take strings, turn them into MD5 hashes and store the pairs in a table. So, for example, they begin by converting one character, starting with a, into an MD5 hash, then b, then c, and so on until they have completed the alphabet and the digits 0-9; then they start on two characters: aa, ab, ac, and so forth. The worst thing is that RainbowCrack lets users do this themselves, at home: they can build their own tables and search them for much faster results.
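As an added example (not part of the original post), the script below builds the kind of hash-to-plaintext table the paragraph above describes, over a deliberately tiny keyspace, shows that a short password is recovered by a single lookup, and then shows why the salted hashes recommended in the comments below defeat such a table: a random per-user salt mixed into the hash input means the same password yields a different digest for every user, so no single precomputed table applies. The alphabet, the three-character limit, and the sample passwords and salts are all constructed for the demonstration.

```python
"""Added example: a precomputed MD5 lookup table and the salted-hash defence.

Assumptions (not from the original post): a small alphabet and a maximum
length of 3 characters keep the table small enough to build in about a
second; real tables cover a vastly larger keyspace. All sample passwords
and salts below are constructed for this demonstration.
"""
import hashlib
import itertools
import os
import string

# Keyspace for the demonstration table: lowercase letters and digits,
# lengths 1..3 (36 + 36^2 + 36^3 = 47,988 entries).
ALPHABET = string.ascii_lowercase + string.digits
MAX_LEN = 3


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password, as a lowercase hex string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Enumerate every string over `alphabet` up to `max_len` characters,
    in the order the post describes (a, b, c, ..., aa, ab, ...), and map
    each MD5 digest back to its plaintext."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            plaintext = "".join(chars)
            table[md5_hex(plaintext)] = plaintext
    return table


def lookup(table: dict, hex_digest: str):
    """Reverse a digest with one dictionary lookup; None if not covered."""
    return table.get(hex_digest.lower())


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Salted variant: the salt is prepended to the password before hashing,
    so identical passwords produce different digests for different users."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> tuple:
    """What a database row would hold under a salted scheme: the random
    salt (stored in the clear, hex-encoded) and the salted digest."""
    salt = os.urandom(16)
    return salt.hex(), salted_md5_hex(password, salt)


def verify_salted(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Login check: recompute the digest with the stored salt and compare."""
    return salted_md5_hex(password, bytes.fromhex(salt_hex)) == stored_digest


if __name__ == "__main__":
    table = build_lookup_table()
    print("table entries:", len(table))                     # -> 47988

    # A short, unsalted password falls to a single lookup.
    print(lookup(table, md5_hex("ab1")))                     # -> ab1

    # The post's own example, md5("password"), is 8 characters long and
    # therefore outside this tiny demo table.
    print(lookup(table, "5f4dcc3b5aa765d61d8327deb882cf99"))  # -> None

    # The same short password stored with a random salt is not in the
    # table, yet the site can still verify a correct login.
    salt_hex, digest = store_salted("ab1")
    print(lookup(table, digest))                             # -> None
    print(verify_salted("ab1", salt_hex, digest))            # -> True
```

The salt does not need to be secret; its job is only to make every stored digest unique so that precomputation has to be repeated per user. Note that salting alone does not slow down a targeted guess against one account; for that, a deliberately slow password-hashing function should be used in place of plain MD5, which is beyond what this post covers.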

It is also worth mentioning that Windows XP passwords can be cracked in a similar way.

Can be prevented
For people who use the same password on all websites this could be a huge problem: if only one of those sites gets cracked, the cracker might gain access to all of your accounts. This is why I suggest that you use a few passwords: one for secure websites that you must not lose (bank account, PayPal etc.), one for your e-mail account (if it gets cracked, it is easy to take over other accounts by resetting their passwords) and one for forums and communication where you haven't got much to lose if something happens.

I wish you happy and secure Internet surfing, and I hope that this knowledge will help you protect yourself better on the Internet.

Posted in Security. 5 Comments »

5 responses to “Internet passwords less safe”

  1. MageDealer Says:

    Forum and site admins should use more secure methods (like salted hashes) to really protect their databases.
    Users that use the same password at all websites – are 40-60% of all users. It’s the weakest link in every system. And security specialists have to do something about this situation…

  2. Fred McJohn Says:

    Well, yes, there’s a lot to what you’re saying. I recently had to decide which forum software one of the webs that I administer was going to use for our forums, and the security of my users is of the utmost importance. Our website being badly designed or having poor content won’t damage our users as much as if their passwords get revealed to unscrupulous parties.

    Unfortunately, security doesn’t seem very important to most people, so I feel it is my duty; as a webmaster I also feel I am obligated to address such issues, because only if I know better than one of the users on our website can I possibly delay or decrease the chances of a user’s credentials getting disclosed to a person with illegal activities in mind.

    What I wonder about these MD5 public websites is whether they are trying to bring this matter to people’s attention. Crackers already have access to such time; maybe them offering these services will show security enthusiasts that this matter needs to be addressed and solved.

    Salted passwords are an excellent solution, that’s why I chose the MyBB forum software. Similarly to what Steve Gibson told me about WPA („WPA mixes in the access point’s SSID, even identical encryption keys will generate completely different 256-bit results.“), this can be done with salted passwords and increase security a lot, making it impossible (or very time consuming) to pre-compute these hashes.

  3. MageDealer Says:

    There is a new version of http://passcracking.ru now online 😉
    md5, md5(md5), sha1, mysql password cracking… More than 15 million passwords…

  4. benozor77 Says:

    Here is my project:

    Online MD5 Reverser | Hash Cracker:
    http://ice.breaker.free.fr/

    Cordially,
    benozor77

  5. speed0ver Says:

    New service, the most complete MD5 RainbowTables.
    Dictionary attack on MD5 and SHA1 hashes.
    http://passcrack.spb.ru
