Thoughts and Countermeasures on Database theft and credential stuffing

Source: Internet
Author: User


Database theft refers to hackers stealing a website's user database. Credential stuffing refers to hackers taking the usernames and passwords obtained from a stolen database and trying them in bulk against other websites, hoping to reach something more valuable. Because some users reuse the same username and password on multiple websites, credential stuffing succeeds a certain fraction of the time. Any website with a minimal sense of responsibility does not store passwords in plaintext; at the very least it hashes them once with MD5. To carry out credential stuffing, the attacker needs the plaintext of the password, that is, the password the user actually typed. MD5 is a one-way function, so how do hackers obtain the plaintext? The most common method is an MD5 dictionary.

What is an MD5 dictionary?

It is simply a table built in advance by computing the MD5 of many relatively simple passwords (for example, all-digit passwords of up to 10 digits) and saving the results, so that when cracking, the hash is looked up directly. For example, the MD5 value of the string "123" is "202cb962ac59075b964b07152d234b70". If a hacker finds that a user's stored password is "202cb962ac59075b964b07152d234b70", one lookup in the dictionary reveals that the plaintext is "123". Of course, hackers do not look up passwords in the dictionary by hand; they query it in batches.

Can every password be recovered with an MD5 dictionary?

In theory yes, but in practice only simple passwords can be cracked. Below we look at the size of the MD5 dictionary needed for passwords of different complexity.

1. Digits only, at most 10 characters

10^1 + 10^2 + 10^3 + 10^4 + 10^5 + 10^6 + 10^7 + 10^8 + 10^9 + 10^10 = 10 × (1 − 10^10) / (1 − 10) = 11,111,111,110 ≈ 11 billion

Each record takes at least 42 bytes (10-byte password + 32-byte MD5 hex value), so storing this MD5 dictionary takes at least 11,111,111,110 × 42 bytes ≈ 467 GB.

2. Digits and lowercase letters, at most 10 characters

36^1 + 36^2 + … + 36^10 = 36 × (1 − 36^10) / (1 − 36) = 3,760,620,109,779,060 ≈ 3760 trillion

Again each record takes at least 42 bytes (10-byte password + 32-byte MD5 hex value), so storing this MD5 dictionary takes at least 157,946 TB.

The two examples above show that if a user's password is a mix of digits and letters longer than 10 characters, the chance of cracking it with an MD5 dictionary is almost zero. However, not all users choose strong passwords. Once hackers have stolen the database, the accounts with weak passwords are easily recovered in plaintext. Is a website whose database has been stolen powerless to protect those weak-password accounts? No. The solution is very simple: as long as a moderately complex salt (such as a GUID/UUID) is appended before the MD5 is computed, the security of user passwords improves greatly.

Salted plaintext = plaintext + salt

Ciphertext = MD5(salted plaintext)

Taking a GUID/UUID as the salt: even if the plaintext itself is simple, appending a 32-character salt makes the salted plaintext longer than 32 characters, and cracking that with an MD5 dictionary is unrealistic.

If no website adds a salt, hackers need to build only one MD5 dictionary, and it works against every website. If every website adds a salt, then even when the salt is stolen together with the database, the general-purpose MD5 dictionary no longer applies: a separate dictionary has to be built for every stolen database, and the cost is far higher. When the effort is not worth it, hackers give up.
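As an added example (not code from the original post), the Python below computes the dictionary sizes from the two tables above, builds a tiny MD5 dictionary for short all-digit passwords, and shows that the unsalted MD5 of "123" is recovered by a single lookup while MD5(plaintext + UUID salt) is not; the function names and the 4-digit toy table are my own choices.

```python
import hashlib
import hmac
import uuid

def dictionary_entries(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len: the sum a^1 + ... + a^max_len."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))

def dictionary_bytes(alphabet_size: int, max_len: int, record_bytes: int = 42) -> int:
    """Storage at 42 bytes per record (10-byte password + 32-byte MD5 hex)."""
    return dictionary_entries(alphabet_size, max_len) * record_bytes

def build_md5_dictionary(max_digits: int = 4) -> dict:
    """Constructed toy dictionary: every all-digit password of 1..max_digits digits."""
    table = {}
    for length in range(1, max_digits + 1):
        for n in range(10 ** length):
            pw = str(n).zfill(length)
            table[hashlib.md5(pw.encode()).hexdigest()] = pw
    return table

def lookup(table: dict, digest: str):
    """Plaintext for a leaked digest if it is in the dictionary, else None."""
    return table.get(digest.strip().lower())

def hash_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def new_salt() -> str:
    """32-hex-character salt: a UUID with the hyphens removed."""
    return uuid.uuid4().hex

def hash_salted(password: str, salt: str) -> str:
    """Ciphertext = MD5(plaintext + salt), the scheme the post describes."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def verify_salted(password: str, salt: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), stored)

def demo() -> dict:
    table = build_md5_dictionary(4)          # 11,110 entries
    salt = new_salt()
    salted = hash_salted("123", salt)
    return {
        "unsalted_recovered": lookup(table, hash_unsalted("123")),  # "123"
        "salted_recovered": lookup(table, salted),                  # None
        "salted_verifies": verify_salted("123", salt, salted),      # True
    }

if __name__ == "__main__":
    print(demo())
```

Current guidance goes one step further than the post: a random salt per user stored beside each hash, and a slow password hash such as bcrypt, scrypt or Argon2 in place of MD5, so that even per-site dictionaries become impractical.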

There are many countermeasures against database theft and credential stuffing; I have analyzed one attack method and proposed the corresponding countermeasure. The solution is very simple. I believe many websites already add a salt or do something more elaborate, but there are also many websites that do not, otherwise credential stuffing would not happen so often.

Making every effort to protect users' information is the duty of every website, and it is what earns users' trust. A small change can make users' passwords much more secure; I hope this draws the attention of every website.
