| Passwords Posted by: John in Untagged on Aug 18, 2008 |
Passwords are our digital fingerprints. Shouldn't they be as secure as we want them? Apparently some websites don't think so.
How are our passwords stored?
Most websites store users passwords as an md5 (message digest 5) hash. Essentially, your plain text password is passed through a function that hashes your password. That hash is stored in the websites database. Since md5 is a one way hashing algorithm (there is no way to convert the md5 hash in the database back to your plain text password), password validation is done by comparing an md5 input and the md5 stored in the database. If the two match, you have successfully logged in.
In PHP, a basic authentication system might look similar to the following:
Even though this method has been the main stream method of storing passwords for years, the md5 hash has not been reversed. However, crackers have created whats called “rainbow tables.”
What are rainbow tables?
Rainbow tables are essentially a large database that contains plain text passwords and its corresponding md5 hash. If a cracker performs an SQL injection on your website and is able to discover your websites user table (containing their password hashes), a lot of these hashes will be stored in the rainbow table thus allowing the intruder to gain access to users accounts.
As a result of rainbow tables, most easy passwords are more insecure now than ever before. Gone are the days of crackers sitting at their PC's attempting to guess your password by trying your wifes first name. As a result, I have come up with an eleven character password containing uppercase and lowercase characters along with numbers and special characters. Ten of the characters are of my Windows XP cd key; since I had to reinstall Windows so many times, I memorized my CD key " at least Windows is good for something, a password!
If you are like me, you are probably registered with several forums and other websites. Of which, you use the same password and attempt to use the same username. However, it seems 95% of the time, some user has already registered your username and you are forced to append some number to the end " thus forcing you to remember several usernames. At least you only have one password to remember " right? No! I have recently come across three websites that rejected my password because it was either too long or contained a special character. In leet speak WTF??!!one1. My secure password, my digital fingerprint, is rejected? I cannot fathom why.
How are our passwords stored?
Most websites store users passwords as an md5 (message digest 5) hash. Essentially, your plain text password is passed through a function that hashes your password. That hash is stored in the websites database. Since md5 is a one way hashing algorithm (there is no way to convert the md5 hash in the database back to your plain text password), password validation is done by comparing an md5 input and the md5 stored in the database. If the two match, you have successfully logged in.
In PHP, a basic authentication system might look similar to the following:
- $input = md5($_GET['password']);
- $username = clean($_GET['username']);
- $result = mysql_query(“SELECT `password` FROM `my_table` WHERE `user` = {$username}”);
- $row = mysql_fetch_assoc($result);
- if($input == $row['password']) {
- echo “Valid password!”;
- }
$input = md5($_GET['password']);
$username = clean($_GET['username']);
$result = mysql_query(“SELECT `password` FROM `my_table` WHERE `user` = {$username}”);
$row = mysql_fetch_assoc($result);
if($input == $row['password']) {
echo “Valid password!”;
}
$username = clean($_GET['username']);
$result = mysql_query(“SELECT `password` FROM `my_table` WHERE `user` = {$username}”);
$row = mysql_fetch_assoc($result);
if($input == $row['password']) {
echo “Valid password!”;
}
Even though this method has been the main stream method of storing passwords for years, the md5 hash has not been reversed. However, crackers have created whats called “rainbow tables.”
What are rainbow tables?
Rainbow tables are essentially a large database that contains plain text passwords and its corresponding md5 hash. If a cracker performs an SQL injection on your website and is able to discover your websites user table (containing their password hashes), a lot of these hashes will be stored in the rainbow table thus allowing the intruder to gain access to users accounts.
As a result of rainbow tables, most easy passwords are more insecure now than ever before. Gone are the days of crackers sitting at their PC's attempting to guess your password by trying your wifes first name. As a result, I have come up with an eleven character password containing uppercase and lowercase characters along with numbers and special characters. Ten of the characters are of my Windows XP cd key; since I had to reinstall Windows so many times, I memorized my CD key " at least Windows is good for something, a password!
If you are like me, you are probably registered with several forums and other websites. Of which, you use the same password and attempt to use the same username. However, it seems 95% of the time, some user has already registered your username and you are forced to append some number to the end " thus forcing you to remember several usernames. At least you only have one password to remember " right? No! I have recently come across three websites that rejected my password because it was either too long or contained a special character. In leet speak WTF??!!one1. My secure password, my digital fingerprint, is rejected? I cannot fathom why.
Set as favorite
Bookmark
Email This
Hits: 417
Trackback(0)
TrackBack URI for this entry
6 Comments 
I have no idea why some websites don't allow very secure passwords. I always thought they didn't allow special characters and punctuation as a security precaution. 
Write comment
