Has your password been leaked?! Website leaks!!

   If you haven't read our previous post related to password leaks. You must go and check it out. Click Here

Website Leaks:

     

For the reasons above, site leaks are bad, but not too bad. If the password is complex, the hash algorithm is safe to use salt (see below), so hackers may not get many passwords from the database dump. Therefore, even if your Facebook database leaks, your password is most likely to be safe. Unfortunately, probably 0.1% probability of password is dropped, if you are very loose it is not usable. Therefore, after a DB vulnerability, on the site, in many cases, all users need to change their passwords (dropbox leak, link in leak, my space leak, etc.). Also, since you may use the same password for different websites, it is important to change your password at any time. This is not even the worst part. Some sites do not hash the password and do not save it as plain text. If the database is compromised, the hacker can access millions of accounts on the site and use the same e-mail / user name and password combination to directly access 10 million accounts from other sites. For example, the 000webhost database has a plaintext password, which is leaked. I personally hosted a website on which my account was compromised.

But this is not yet the worst part. Hackers often publish databases. The representative needs to inform the site that the security of the site is poor and inform the customer of the leakage and change of the password. Hackers tend to expose databases after enough time has elapsed to provide site behavior. To see this degree, see the example of 000 Webbost. The first search result to provide a "000webhost leak" database, you can download and display the password. I used the password 3 to 4 years ago in the database. There is a possibility that this password may remain in part of the site registered three or four years ago, but since I have not logged in since, I have not updated the password.

Problem 1:

Suppose there's an hashing scheme X. Under that scheme, "pass" becomes d@A2qAawqq21109. Now this is a very secure scheme and every website uses it. Now, there'a guy who has a lot of computational power and  he computes the hashes of all possible letter combinations under the scheme X. Now, given a hashed value, he can simply lookup/search his table and see what password does it correspond to. He makes this table of word to hash available online. Now, it's quite easy to get the passwords from a database dump. 

Problem 2:

Alternatively, even if the scheme isn't common, what one can do is that he can take a common password, say "password", then hash it, and then search all the users in the 100 million users password dump and see if any hash matches. If it does, then that means that the given user has the password "password". By using 1 million common password, he'll probably get 10% of the users password among the 100 million users.

Solution: Hashing Salt

To prevent this, each user selects a password and gives a random string of hash salts. The hash function is valid for both password and salt. Therefore, if two users have the same password and the salt is different, they will have different hashes. This overrides the above technical / problem. Well, to get the correct hash, the hacker needs to enter the correct password and the correct salt of the hash function. This means:

1. Resolving the first question of another person who pre-computes the password hash table. This is because we need to use a password hash table (a combination of each password and each salt, what is a hash). There are too many possible combinations. If there are 10 million potential passwords and 10 million potential salts, there are 1 million combinations (even if I do not know millions). If there are ten commonly used salt, you can make a table. Here, all 10 million passwords are a hash of 10 salts. Or you can arrange the most commonly used 10 passwords with 100,000 possible hash values. Therefore, it is important to have a strong password and random salt.

2. The second question is also resolved. Because it is necessary to use a table of each salt in order to solve a common password hash (only in the table, it is not necessary to do with all 10 million combinations). Again, do not use a simple generic password such as "password", "Hello" will solve this problem.

Weak Salts?!

One disadvantage of hash is that salt is weak. Although WPA / WPA-2 is very powerful, routers that use the default SSID ("linksys", "netgear", etc.) because the SSID of the network is used as a salt are the most commonly used passwords It is more susceptible to other routers due to. The most common SSID hash value. In other words, I would like to repeat that WPA / WPA - 2 is still safe, I will put this as a related example just.

 If you find this post helpful then share, comment and like us on Facebook Click Here :)