Thoughts and countermeasures on database dumps and credential stuffing

Source: Internet
Author: User

A "database dump" (literally "dragging the library") is an attacker stealing a website's database. "Credential stuffing" (literally "hitting the library") is the attacker taking the usernames and passwords obtained from a dump and trying them on other sites in order to steal something more valuable. Because some users reuse the same username and password on several sites, credential stuffing has a certain success rate. Today any slightly responsible site no longer stores passwords in plaintext in its database; at the very least it stores an MD5 hash. To carry out credential stuffing, the attacker needs the password plaintext, that is, the password the user actually typed. MD5 is a one-way function, so how does the attacker recover the plaintext? The most common way is an MD5 dictionary.

What is an MD5 dictionary?
In fact, it is a table in which the MD5 of every relatively simple password (for example, every string of up to 10 digits) has been computed in advance and saved; to crack a password, you simply look it up. For example, the MD5 of the string "123" is "202cb962ac59075b964b07152d234b70". If the attacker sees in the dumped database that a user's password hash is "202cb962ac59075b964b07152d234b70", the dictionary tells them that the password plaintext is "123". Of course, an attacker using a dictionary does not look hashes up by hand; a program queries them in bulk.

Can every password be cracked with an MD5 dictionary?
Theoretically yes, but in practice only simple passwords can be cracked. Let's look at how large the MD5 dictionaries for passwords of different complexity would be.

1. Pure digits, 10 characters or fewer
Total: 10^1 + 10^2 + 10^3 + 10^4 + 10^5 + 10^6 + 10^7 + 10^8 + 10^9 + 10^10 = 10 × (1 − 10^10) / (1 − 10) = 11,111,111,110 entries ≈ 11 billion entries.
At a minimum of 42 bytes per record (10 bytes of password + 32 bytes of MD5 hex value), storing this MD5 dictionary needs at least about 467 GB.

2. Digits and lowercase letters, 10 characters or fewer
Total: 36 × (1 − 36^10) / (1 − 36) = 3,760,620,109,779,060 entries ≈ 3,760 trillion entries.
At a minimum of 42 bytes per record (10 bytes of password + 32 bytes of MD5 hex value), storing this MD5 dictionary needs at least about 157,946 TB.

From the two examples above, if a user's password is 10 characters or more and mixes digits and letters, the probability of cracking it with an MD5 dictionary is almost zero. But not every user's password is that strong; after a database dump, accounts with weak passwords are easily recovered in plaintext. Is the dumped site powerless to protect accounts with weak passwords? No. The method is very simple: when computing the MD5, add a slightly more complex salt (such as a GUID/UUID), which greatly improves the security of users' passwords.
salted plaintext = plaintext + salt;
ciphertext = MD5(salted plaintext);
Taking a GUID/UUID as the salt: even if the plaintext is simple, adding a 32-character salt makes the salted plaintext longer than 32 characters, and cracking it through an MD5 dictionary becomes unrealistic.
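The following is an added example, not code from the original article: it reproduces the dictionary-size arithmetic from the two tables above, builds a small constructed MD5 dictionary (3-digit passwords instead of 10), and shows that the lookup recovers an unsalted hash of "123" but finds nothing for the same password hashed with a per-user UUID salt as the article proposes. Function and variable names are my own.

```python
import hashlib
import uuid


def md5_hex(s: str) -> str:
    """MD5 of a UTF-8 string as a 32-character hex digest."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def dictionary_cost(alphabet_size: int, max_len: int, record_bytes: int = 42) -> tuple:
    """Entries and bytes for every password of length 1..max_len, using the
    article's estimate of 42 bytes per record (10-byte password + 32-byte MD5)."""
    entries = sum(alphabet_size ** k for k in range(1, max_len + 1))
    return entries, entries * record_bytes


def build_md5_dictionary(max_len: int = 3) -> dict:
    """Precompute hash -> plaintext for all pure-digit passwords of 1..max_len digits.
    Constructed miniature of the 10-digit table sized above."""
    table = {}
    for length in range(1, max_len + 1):
        for n in range(10 ** length):
            pw = str(n).zfill(length)
            table[md5_hex(pw)] = pw
    return table


def crack_unsalted(stored_md5: str, table: dict):
    """Attacker's dictionary lookup: the plaintext if present, else None."""
    return table.get(stored_md5)


def store_salted(plaintext: str) -> tuple:
    """Article's scheme: ciphertext = MD5(plaintext + salt), salt = per-user UUID (32 hex chars).
    Both values are stored; the salt need not be secret for the dictionary to fail."""
    salt = uuid.uuid4().hex
    return md5_hex(plaintext + salt), salt


def verify_salted(plaintext: str, ciphertext: str, salt: str) -> bool:
    """Login check: recompute MD5(plaintext + stored salt) and compare."""
    return md5_hex(plaintext + salt) == ciphertext


# Constructed demonstration data.
TABLE = build_md5_dictionary(3)            # 1,110 entries
UNSALTED_123 = md5_hex("123")              # the hash quoted in the article
SALTED_123, SALT_123 = store_salted("123")
```

A per-site or per-user salt defeats the precomputed dictionary, but MD5 itself is still fast to compute; the "more complex operation" the article mentions is, in practice, a deliberately slow password hash such as bcrypt, scrypt or Argon2.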

If no site used a salt, an attacker would only need to build one MD5 dictionary, and it would work against every site. If every site used a salt, then even in the worst case where the salt is stolen along with the database, the universal MD5 dictionary no longer applies: the attacker has to build a separate dictionary for each dumped site. The cost rises greatly, and an attacker without enough resources gives up.

There are many countermeasures against database dumps and credential stuffing; I have analysed only one of them here and proposed the corresponding countermeasure. The method is very simple, and I believe many sites already add a salt or do something more elaborate, but there are also many sites that use no salt at all, otherwise credential stuffing would not happen so often.

Doing everything possible to protect users' information is every website's obligation, and it is how a site earns the trust its users place in it. A small change can make users' passwords much more secure; I hope this draws the attention of all sites.
