JMH
Emeritus, Contributor
- Apr 2, 2012
- 7,197
First Critical Windows 8 Security Flaw: Logon Passwords Stored in Plain Text
- Thread starter JMH
- Start date
AceInfinity
Emeritus, Contributor
Just so people know, usually the way passwords work and the way they are stored is in MD5 or some other hash usually, within a database, and when authentication happens, usually, the input is encrypted in the same way the initial password was before it was stored as an encrypted value. This enables you to make sure that the password (from the database) is NOT being exposed in plain text in order to do the comparison check with the input to return true if it's a match (access granted) or false if it's not (access denied). Some use a salt so that it's not the exact same hashed value as the input in which hackers can bruteforce to reveal. This is a good idea because if you have a password that is a known hash of a known password value, then it would be like nothing for an experience infiltrator to deal with to gain entry.
If you do something like:
{Password Input} + {Random Key as salt} = {Output stored in database}
Then reversing the {Output stored in database} back into {Password Input} is much more difficult to do than it would be for an equation like this agreeably:
{Password Input} = {Output stored in database}
Storing in plain text has always been known as bad practice/habit though... It's a good thing they've fixed this though, because this would've been a big security risk/flaw prior to the fix.
Note: Now that MD5 is known to be 'broken' (MD5 collisions do exist), people are now starting to use the next generation of hashing algorithms, such as SHA1, SHA256, or others not in the "SHA" family even sometimes. The reason we might not want to use MD5 anymore, for security measures, is demonstrated in their implementation for Digital Certificates on the Windows OS. We've seen countless malware and malicious code take advantage of this so far haven't we? That's the result of using a hash that has now been proved as 'broken'. And now that people know it's formula, that makes it even more dangerous for intentional collisions as a mark of a possible outcome.
Note2: Microsoft, nor did pretty much everybody else, would've known that this would have been the fate of MD5 as a hashing algorithm, but now that it's been proven, what can you do about it? You can only slowly transition over.
Note3: Things like SHA1, and perhaps soon enough other common hashes that have yet to be 'broken', may soon be broken (by another University student perhaps like the way MD5 was discovered as 'broken'?). So it's best not to rely too heavily on any hash for that matter in my opinion. Implement other barriers of security in the case that one has deteriorated, or been collapsed by the enemy (whatever or whoever this may be).
Looking into the security of software, and implementations of my own software security, knowledge like this really helps; it creates the most secure outcome when you know what NOT to do.
Cheers guys :)
~Ace
If you do something like:
{Password Input} + {Random Key as salt} = {Output stored in database}
Then reversing the {Output stored in database} back into {Password Input} is much more difficult to do than it would be for an equation like this agreeably:
{Password Input} = {Output stored in database}
Storing in plain text has always been known as bad practice/habit though... It's a good thing they've fixed this though, because this would've been a big security risk/flaw prior to the fix.
Note: Now that MD5 is known to be 'broken' (MD5 collisions do exist), people are now starting to use the next generation of hashing algorithms, such as SHA1, SHA256, or others not in the "SHA" family even sometimes. The reason we might not want to use MD5 anymore, for security measures, is demonstrated in their implementation for Digital Certificates on the Windows OS. We've seen countless malware and malicious code take advantage of this so far haven't we? That's the result of using a hash that has now been proved as 'broken'. And now that people know it's formula, that makes it even more dangerous for intentional collisions as a mark of a possible outcome.
Note2: Microsoft, nor did pretty much everybody else, would've known that this would have been the fate of MD5 as a hashing algorithm, but now that it's been proven, what can you do about it? You can only slowly transition over.
Note3: Things like SHA1, and perhaps soon enough other common hashes that have yet to be 'broken', may soon be broken (by another University student perhaps like the way MD5 was discovered as 'broken'?). So it's best not to rely too heavily on any hash for that matter in my opinion. Implement other barriers of security in the case that one has deteriorated, or been collapsed by the enemy (whatever or whoever this may be).
Looking into the security of software, and implementations of my own software security, knowledge like this really helps; it creates the most secure outcome when you know what NOT to do.
Cheers guys :)
~Ace
Has Sysnative Forums helped you? Please consider donating to help us support the site!