Due to SQL injection, cross-site scripting attacks, upload vulnerabilities, and carelessness of some network administrators, many forums have been cracked and databases have been stolen, this has a bad impact on user privacy and personal information security. In particular, many users use the same password for a variety of network services. If the Forum password is stolen, it will threaten the user's mailbox, instant messaging, online banking and a series of security. As a result, there was a "password-caused murder ".
Currently, common forums use hash functions such as MD5 to hash user passwords and then store them in the database. This method improves security to a certain extent. In case that criminals get the database, they only get the hash value of the user password. However, when you set a password, most users use Pinyin names, birthdays, frequently-used words, and digit strings for fear of forgetting them. Therefore, criminals only need to store the data and its hash values in the database, and then query the hash value to crack the passwords of many users. If the dictionary database is large enough and is consistent with people's setting habits, the power is amazing. So now there is an MD5 hash string query website on the Internet, claiming to use a 4 TB hard disk to store 457.4 billion MD5 records, can crack the 83% password of the online forum.
So how can we prevent this dictionary attack and the MD5 hash string query attack on the Internet. I found the answer in the book "application Cryptography. Salt is a random string. It is connected with the password and operated by a unidirectional function. Then, the result of each one-way function operation of the salt value is stored in the database. If the number of possible salt values is large enough, it actually eliminates the dictionary attacks for common passwords, it is impossible for criminals to store the hash values after the combination of so many salts and user passwords in the database. Of course, they can still crack the password of a single user. Therefore, it is best not to use the same password in different places. However, the security after using salt is increased.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
