Security expert analysis and prevention methods for plaintext password hazards

The Data leaks of 40 million users in the CSDN600 and users in the Tianya community have just come to an end. Recently, another hacker reported that the user password of the UC browser can be easily stolen. It even means that people without a "hacker" background can master the theft method in about two hours. According to experts' remarks, the security vulnerabilities in the UC browser are all caused by the use of plaintext passwords to store user data. This leakage may threaten 0.2 billion mobile phone users.

In the subsequent statement published by the UC browser, the security vulnerability does not exist. Although the true and false of the incident cannot be identified, the report was published and reproduced by a number of media outlets, showing that Chinese netizens pay attention to Internet security and privacy and are sensitive to "plaintext passwords.

"The so-called plaintext password refers to the plaintext characters that the website can understand when storing user passwords and materials. Even non-IT experts can copy user passwords and other data as long as they can enter the database, directly forming available databases. In the past, CSDN and Tianya community were 'flushed to the database because of plaintext Password Storage '. Zhang xiaodan, a well-known Internet security expert and user interaction design expert, 263 enterprise mail product manager, said,

According to Zhang xiaodan, most websites have adopted the MD5 irreversible encryption algorithm. Compared with plaintext transmission, the security performance of MD5 encrypted storage is greatly improved. Even if hackers enter the database, they cannot steal user passwords. For example, the user password of enterprise mail 263 may be set to 123456, but the database may display aaeee1a063ed2833. If hackers do not know the encryption formula of the password, you cannot steal the real password.

In addition to the MD5 method, there is also a way to solve the "database Flushing" crisis by separating the Intranet and Internet. This approach is adopted by 263 enterprise mailboxes. The database that stores user data is stored in the Intranet, while the Internet only stores some applications. Even if the Internet server is attacked by hackers, it will not pose any threat to user privacy. In addition, the Intranet and the Internet use a unique private protocol for connection, and intruders cannot find the entry. However, due to the high cost involved in this method and the high cost of post-maintenance, there are currently not many websites using this method.

If a hacker must obtain the user password of enterprise mail 263, you must first intrude into the Internet server, then find the private protocol entry, then intrude into the Intranet server, enter the database, copy the password, and crack it. Although the steps are the same, multiple steps are impossible. In other words, it is difficult to steal the password of 263 enterprise mail users.

With the popularization of the Internet, more and more netizens will enhance their awareness of Internet security. In addition to the good habits of users, websites must take responsibility for purifying the Internet environment.

Edit recommendations]