
Whenever a Service’s Password Database Is Leaked

Posted by Latest Govt. Jobs at 00:11:00 in How To's
“Our password database was stolen yesterday. But don’t worry: your passwords were encrypted.” We regularly see statements like this one online, including yesterday, from Yahoo. But should we really take these assurances at face value?
The reality is that password database compromises are a concern, no matter how a company may try to spin it. But there are a few things you can do to insulate yourself, no matter how bad a company’s security practices are.

How Passwords Should Be Stored

Here’s how companies should store passwords in an ideal world: You create an account and provide a password. Instead of storing the password itself, the service generates a “hash” from the password. This is a one-way fingerprint of the password that can’t be reversed back into it. For example, the password “password” may turn into something that looks more like “4jfh75to4sud7gh93247g…”. When you enter your password to log in, the service generates a hash from it and checks if the hash value matches the value stored in the database. At no point does the service ever save your password itself to disk.
To determine your actual password, an attacker with access to the database would have to pre-compute the hashes for common passwords and then check if they exist in the database. Attackers do this with lookup tables—huge lists of hashes that match passwords. The hashes can then be compared to the database. For example, an attacker would know the hash for “password1” and then see if any accounts in the database are using that hash. If they are, the attacker knows their password is “password1”.
To prevent this, services should “salt” their hashes. Instead of creating a hash from the password itself, they add a random string to the front or end of the password before hashing it. In other words, a user would enter the password “password” and the service would add the salt and hash a string that looks more like “password35s2dg.” Each user account should have its own unique salt, which ensures that each user account has a different hash value for its password in the database. Even if multiple accounts used the password “password1”, they’d have different hashes because of the different salt values. This defeats an attacker who tries to pre-compute hashes for passwords. Instead of being able to generate hashes that apply to every user account in the entire database at once, they’d have to generate unique hashes for each user account and its unique salt. This takes much more computation time and memory.
This is why services often say not to worry. A service using proper security procedures should say they were using salted password hashes. If they’re simply saying the passwords are “hashed,” that’s more worrying. LinkedIn hashed their passwords, for example, but they didn’t salt them—so it was a big deal when LinkedIn lost 6.5 million hashed passwords in 2012.
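To make the difference concrete, here is an added example (not code from the original article) in Python. It shows the two storage schemes side by side: a bare SHA-256 of the password, where two users with the same password get identical hashes and a small precomputed table of common passwords matches both records at once, and a per-user random salt fed through PBKDF2-HMAC-SHA256, where the same password yields different stored values and verification recomputes the hash from the stored salt. The user names, passwords, the “common password” list, the 16-byte salt and the record format are all constructed for the example; the 600,000 default iteration count is an assumption about a reasonable work factor, not something the article specifies.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two accounts whose owners happened to pick the same password.
USERS: Dict[str, str] = {"alice": "password1", "bob": "password1"}

# Constructed "lookup table" input: a handful of common passwords whose hashes
# an attacker would precompute once and compare against every record.
COMMON: List[str] = ["123456", "password", "password1", "qwerty"]


def unsalted_hash(password: str) -> str:
    """How NOT to store a password: a single plain SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table_hits(stored: Dict[str, str]) -> Dict[str, str]:
    """Defender's check on an unsalted store: which records match a
    precomputed table of common-password hashes. One table, every user."""
    table = {unsalted_hash(p): p for p in COMMON}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Proper storage: a fresh random 16-byte salt per user, stretched with
    PBKDF2-HMAC-SHA256. The record embeds algorithm, iterations and salt so
    verification can reproduce the computation later (record layout is
    constructed for this example)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def salted_records(users: Dict[str, str], iterations: int = 600_000) -> Dict[str, str]:
    """Build the per-user records a service should actually keep."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted hashes identical:", unsalted["alice"] == unsalted["bob"])
    print("lookup-table hits:", lookup_table_hits(unsalted))
    salted = salted_records(USERS, iterations=10_000)
    print("salted records identical:", salted["alice"] == salted["bob"])
    print("alice verifies:", verify_password("password1", salted["alice"]))
```

Running it shows the unsalted store leaking both accounts to a four-entry table, while the salted records differ from each other and only verify for the right password. The `iterations` argument exists so tests can run quickly; a production store would keep the high default.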

Bad Password Practices

This isn’t the hardest thing to implement, but many websites still manage to mess it up in a variety of ways:
  • Storing Passwords in Plain Text: Rather than bother with hashing, some of the worst offenders may just dump the passwords in plain text form into a database. If such a database is compromised, your passwords are obviously compromised. It wouldn’t matter how strong they were.
  • Hashing the Passwords Without Salting Them: Some services may hash the passwords and give up there, opting not to use salts. Such password databases would be very vulnerable to lookup tables. An attacker could generate the hashes for many passwords and then check if they existed in the database — they could do this for every account at once if no salt was used.
  • Reusing Salts: Some services may use a salt, but they may reuse the same salt for every user account password. This is pointless—if the same salt were used for every user, two users with the same password would have the same hash.
  • Using Short Salts: If salts of just a few digits are used, it would be possible to generate lookup tables that incorporated every possible salt. For example, if a single digit were used as a salt, the attacker could easily generate lists of hashes that incorporated every possible salt.
Companies won’t always tell you the whole story, so even if they say a password was hashed (or hashed and salted), they may not be using the best practices. Always err on the side of caution.
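The four mistakes above can all be spotted from the stored records themselves. The following added Python example (not from the original article) audits a constructed password table and flags each of them: a value that is not a hex digest at all (plain text), a digest stored with no salt, two accounts sharing one stored value, a salt shared between accounts, and a salt shorter than a chosen minimum. The table rows, user names and passwords are invented for the example, and the 16-byte minimum salt length is an assumption of this code, not a figure from the article.

```python
import collections
import hashlib
import re
from typing import Dict, List, Tuple

# A record is (user, salt_hex, stored_value). Layout constructed for this example.
Record = Tuple[str, str, str]

# Hex digests of the common lengths: MD5, SHA-1, SHA-256, SHA-512.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$")

MIN_SALT_HEX = 32  # 16 bytes; assumed minimum for this audit, not from the article


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample table. Each early row shows one bad practice; gus and hal are fine.
TABLE: List[Record] = [
    ("ann", "", "hunter2"),                                    # stored in plain text
    ("ben", "", sha256_hex("password")),                       # hashed, no salt
    ("cat", "", sha256_hex("password")),                       # same password => same hash
    ("dan", "7f", sha256_hex("7f" + "letmein")),               # one-byte salt
    ("eve", "c0ffee" * 6, sha256_hex("c0ffee" * 6 + "qwerty")),  # salt shared with fay
    ("fay", "c0ffee" * 6, sha256_hex("c0ffee" * 6 + "summer")),
    ("gus", "0123456789abcdef0123456789abcdef", sha256_hex("0123456789abcdef0123456789abcdef" + "Tr0ub4dor")),
    ("hal", "fedcba9876543210fedcba9876543210", sha256_hex("fedcba9876543210fedcba9876543210" + "correcthorse")),
]


def audit(table: List[Record]) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every record exhibiting a weak practice.
    Users with no findings are omitted."""
    findings: Dict[str, List[str]] = collections.defaultdict(list)
    salt_users: Dict[str, List[str]] = collections.defaultdict(list)
    value_users: Dict[str, List[str]] = collections.defaultdict(list)

    for user, salt, value in table:
        if not HEX_DIGEST.match(value):
            findings[user].append("plaintext")      # not a digest at all
        elif not salt:
            findings[user].append("unsalted")       # digest with no salt recorded
        elif len(salt) < MIN_SALT_HEX:
            findings[user].append("short salt")     # salt small enough to enumerate
        salt_users[salt].append(user)
        value_users[value].append(user)

    # Same non-empty salt on more than one account defeats the point of salting.
    for salt, users in salt_users.items():
        if salt and len(users) > 1:
            for u in users:
                findings[u].append("reused salt")

    # Identical stored values mean identical passwords are visible at a glance.
    for value, users in value_users.items():
        if len(users) > 1:
            for u in users:
                findings[u].append("duplicate hash")

    return dict(findings)


def is_healthy(table: List[Record]) -> bool:
    return not audit(table)


if __name__ == "__main__":
    for user, problems in sorted(audit(TABLE).items()):
        print(f"{user}: {', '.join(problems)}")
    print("healthy:", is_healthy(TABLE))
```

The audit runs entirely on what a service already holds, so it is the kind of check a team can run against its own user table before a breach forces the question. Note that a table which passes it can still use a fast hash; slowing the hash down is a separate requirement.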

Other Concerns

It’s likely that the salt value is also present in the password database. This isn’t that bad—if a unique salt value were used for each user, the attackers would have to spend massive amounts of CPU power breaking all those passwords.
In practice, so many people use obvious passwords that it would likely be easy to determine many user accounts’ passwords. For example, if an attacker knows your hash and they know your salt, they can easily check to see if you’re using some of the most common passwords.
Other personal data also likely leaks when a password database is stolen: Usernames, email addresses, and more. In the case of the Yahoo leak, security questions and answers were also leaked—which, as we all know, make it easier to steal access to someone’s account.
If an attacker has it out for you and wants to crack your password, they can do it with brute force as long as they know the salt value—which they probably do. With local, offline access to password databases, attackers can employ all the brute force attacks they want.

Help, What Should I Do?

Whatever a service says when its password database is stolen, it’s best to assume that every service is completely incompetent and act accordingly.
First, don’t reuse passwords on multiple websites. Use a password manager that generates unique passwords for each website. If an attacker manages to discover that your password for a service is “43^tSd%7uho2#3” and you only use that password on that one specific website, they’ve learned nothing useful. If you use the same password everywhere, they could access your other accounts. This is how many people’s accounts become “hacked.”
If a service does become compromised, be sure to change the password you use there. You should also change the password on other sites if you reuse it there — but you shouldn’t be doing that in the first place.
You should also consider using two-factor authentication, which will protect you even if an attacker learns your password.
The most important thing is not reusing passwords. Compromised password databases can’t hurt you if you use a unique password everywhere — unless they store something else important in the database, like your credit card number.