Internet passwords less safe

Internet passwords are becoming less safe, as crackers have found that encryption methods such as SHA-1 and MD5 have both been cracked using mathematical techniques. Unfortunately, a far worse thing is happening now: the process is being reversed.

The MD5 algorithm is a commonly used method for storing passwords in Internet databases. Almost every time you register on a properly trustworthy website, for example when you sign up for services such as phpBB forums or WordPress, the password is stored encrypted in the database.

How password encryption works
When you sign up on a web page that uses database password encryption, the password you enter in the registration field is converted automatically using an encryption algorithm such as MD5. For example, if you registered on such a website with the password "password", what would be put into the database is its MD5 string, in this case 5f4dcc3b5aa765d61d8327deb882cf99.

Graphical explanation of registration and logins on a web page with encryption.

One or two years ago this would have taken a huge amount of time to crack, because the cracker would need a computer that tries to work the string back to a password by hashing candidates from a dictionary and comparing the results, which left good mixed-case passwords with numbers fairly safe.

To crack such a password you still need either to be the administrator of the server, so that you can see the MD5 value in the database, or to crack the MySQL database and access it some other way. This is often not very hard, because novice web developers and administrators sometimes lack the skill, or do not consider it important, to make sure their website is secure.

Cracks available for anyone
Now the process has been reversed. Certain Internet users are now offering people access to tables containing MD5 strings for passwords of up to 14 characters. Building these takes a huge amount of time, but once they are ready (as they now are), getting a password from just its MD5 hash takes only as long as the server needs to search for the string in its tables, which is usually not very long.

Online MD5 crackers:

To make these tables, all they have to do is take strings, turn them into MD5 hashes and put the pairs into a table. For example, they start by converting the one-character string a into an MD5 hash, then b, then c, until they have completed the alphabet and the digits 0-9, and then move on to two characters: aa, ab, ac and so on. The worst thing is that RainbowCrack lets users do this themselves at home: build their own tables and search them for much faster results.
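As an added illustration in Python (not code from the original post): the unsalted MD5 lookup the post describes, built over the same a-z, 0-9 alphabet, next to the defender's fix of storing a per-user random salt with a slow key-derivation function, so that no table computed in advance can match the stored value. The alphabet, table length and PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Optional, Tuple

# Alphabet the post describes: a-z followed by 0-9 (constructed for this example).
ALPHABET = string.ascii_lowercase + string.digits
PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware budget


def md5_hex(password: str) -> str:
    """Unsalted MD5 as used by the sites in the post: same password, same hash, every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(max_len: int) -> Dict[str, str]:
    """Enumerate every string over ALPHABET up to max_len chars (a, b, ..., aa, ab, ...)
    and map its MD5 hash back to the plaintext. Done once, reused against any database."""
    table: Dict[str, str] = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            plaintext = "".join(chars)
            table[md5_hex(plaintext)] = plaintext
    return table


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash costs one dictionary lookup, not a search."""
    return table.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Defender's fix: 16 random salt bytes per user plus PBKDF2-HMAC-SHA256.
    The stored digest now depends on the salt, so a precomputed table never matches it,
    and each guess costs PBKDF2_ITERATIONS hashes instead of one."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

With max_len=2 the table holds 1332 entries; the post's 14-character tables are the same idea scaled up, which is exactly why the salt must be random per user rather than a fixed site-wide value.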

It is also worth mentioning that Windows XP passwords can be cracked using a similar way.

Can be prevented
For people who use the same password on all websites this could be a huge problem: if only one of them gets cracked, the cracker might have access to all of your accounts. This is why I suggest that you use a few passwords: one for secure websites that you must not lose (bank account, PayPal etc.), one for your e-mail account (if it gets cracked it is easy to take over other accounts by resetting their passwords), and one for forums and communication where you haven't got much to lose if something happens.

I wish you happy and secure Internet surfing, and I hope that this knowledge will help you protect yourself better on the Internet.

Posted in Security.