There is a serious vulnerability in how MSN and Gtalk store passwords locally

Source: Internet
Author: User
Tags: hash, log, account security, asymmetric encryption, gmail, password

I originally assumed that Microsoft and Google were experts in user account security, but it seems I was wrong. I happened to come across a hacking tool called Messenpass, which directly displays the passwords stored locally by the MSN and Gtalk chat clients. Since those are the users' Hotmail and Gmail passwords, this shows that the way MSN and Gtalk store passwords locally has serious vulnerabilities.

The most serious mistake MSN and Gtalk make is saving the user's password on the local machine. Even if the password is encrypted with a symmetric or asymmetric algorithm, at login time the client still has to decrypt it and send it to the server. Because of this, an attacker only needs to get a Trojan onto the user's computer, and once it runs, the user's Hotmail and Gmail passwords can be stolen.

The genuinely safe way is simply not to store the original password on the local computer at all, but to store a hash of password + username + security code. Using the hash of the three values together rather than the hash of the password alone prevents identical passwords from producing identical, guessable hash values, and adding the security code raises the cost of cracking, because the attacker must also recover the security code. A hashing algorithm (such as MD5 or SHA1) is used because hashing is one-way and irreversible: even if an attacker obtains the hash value, the user's password cannot be computed from it.

The login process can then be changed as follows: MSN and Gtalk save the username and the hash of the three parameters, and at login time send these parameters to the server. The server determines the type of login. For a hash login, it takes the username and hash value sent by the user, computes the hash itself from the username, password and other parameters it has stored, and compares the two: if they match, the user can log in; if they differ, the password is wrong and login is refused.
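As an added illustration (not the article's own code), the hash-login scheme described above in Python: the client stores only the username and the derived hash, and the server recomputes the hash from its own record and compares it. SHA-256, the NUL field separator, the server issuing the security code at registration, and all class and function names are my assumptions.

```python
import hashlib
import hmac
import secrets


def derive_login_hash(username: str, password: str, security_code: str) -> str:
    """Hash of password + username + security code, as the article proposes.
    SHA-256 and the NUL separator are assumptions; the separator keeps the
    three fields from running into each other ambiguously."""
    material = "\x00".join([password, username, security_code]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class ChatClient:
    """Local client store: username and derived hash only, never the password."""

    def __init__(self) -> None:
        self.saved = {}

    def remember(self, username: str, password: str, security_code: str) -> None:
        self.saved[username] = derive_login_hash(username, password, security_code)

    def login_message(self, username: str) -> dict:
        # Hash-type login: the plaintext password never leaves the client.
        return {"type": "hash", "user": username, "hash": self.saved[username]}


class Server:
    """Server keeps username, password and security code (as the article says)
    and recomputes the hash itself; issuing the code at registration is assumed."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> str:
        code = secrets.token_hex(8)  # constructed per-user security code
        self.users[username] = {"password": password, "code": code}
        return code

    def handle_login(self, msg: dict) -> bool:
        rec = self.users.get(msg.get("user"))
        if rec is None:
            return False
        if msg.get("type") == "hash":
            expected = derive_login_hash(msg["user"], rec["password"], rec["code"])
            # Constant-time compare so the check does not leak by timing.
            return hmac.compare_digest(expected, msg.get("hash", ""))
        if msg.get("type") == "password":
            return hmac.compare_digest(rec["password"].encode(), msg.get("password", "").encode())
        return False
```

Note that the stored hash is itself a login credential: anyone who reads it from disk can replay it, so the local store still needs protecting even though the password is no longer recoverable from it.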

Of course, this method is only the most basic way to implement secure login; for a more detailed design, see my other article, "Web site security login authentication design."

I used to think that network giants like Microsoft and Google would be good at application security; I did not expect such a serious flaw in their handling of user passwords. It seems foreign products are not reliable after all. The main reason, I think, is that the Internet abroad has developed in a healthier way, with no industry chain for hackers to live on, whereas in China the development and sale of Trojan programs, the theft of online game accounts and QQ accounts, and the sale of game accounts and QQ coins have grown into an "underground industry" with a clear division of labour. China's major Internet companies have had headaches over this for years and have all launched corresponding security solutions, so domestic network software has long since closed this kind of password flaw.

For Google the fix is particularly urgent, because a Gtalk account is a Google account: it can log straight into the user's AdWords and AdSense, manipulate the user's financial information, and even transfer money from the user's account to others. This is a serious threat to users of Google's business services, and if it is not resolved quickly the consequences are worrying. Users who currently use MSN and Gtalk are advised not to set up automatic login, but to enter the password manually each time.
