Google is yet another reason to use stronger passwords

I was reading this article about a hacker that got into a WordPress blog and created an account for himself. The owner of the blog quickly disabled the account and hopefully did other things to help secure the compromised site, like installing updates etc.

The interesting thing here is that the passwords for the system were stored as plain, straight MD5 hashes. For all the folks out there, you should know that when talking cryptography a hash is a one-way function that creates a "signature" string from the data that was hashed, and there is no practical way to engineer an algorithm that does the opposite (recover the original data from the hash). I also want to point out that, for most people, when someone talks about a hash it should be assumed that they mean a one-way algorithm that generates a hash "signature" of the data, with no way to get the original data back from that signature. It's amazing to see how many people hear or say the term "hash" and think it is an encrypt/decrypt process.

Most systems out there do the same thing: they store a straight hash of the password in the database. If the system does not force users to create strong passwords, or at least use a salt when computing the hash, then someone who gains access to the database can do a Google search on the hash and see whether its original value has already been indexed by Google. That is very easy to spot, especially if the password is a very generic word.

If the system had at least used a salt value when hashing the password, it would have been much more difficult to map that hash back to a common word.
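As an added illustration that is not part of the original post, the script below shows the two situations side by side: an audit over a constructed user table of unsalted MD5 hashes that flags any hash equal to the hash of a common word (the offline equivalent of the Google lookup described above), and a salted, slow hash where the same password stored twice produces two different records. The user table, the common-word list and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from the post): a tiny user table storing
# unsalted MD5 hashes, the weakness the post describes, plus a short list
# of common words an auditor would check the table against.
COMMON_WORDS = ["password", "letmein", "wordpress", "sunshine"]
UNSALTED_DB = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"7Qp!x2#vLm9").hexdigest(),
}

def md5_hex(password: str) -> str:
    """Plain MD5 of the password: the same input always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def common_word_hits(db: dict, words) -> dict:
    """Defensive audit: which stored hashes equal the hash of a common word?
    Any hit is a password that a public hash lookup would also reveal."""
    table = {md5_hex(w): w for w in words}  # hash -> word
    return {user: table[h] for user, h in db.items() if h in table}

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256). A fresh random salt per user
    means equal passwords no longer produce equal stored values, so a
    precomputed hash -> word table is useless against the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print("unsalted hits:", common_word_hits(UNSALTED_DB, COMMON_WORDS))
    rec_a, rec_b = hash_password("password"), hash_password("password")
    print("same password, different salted records:", rec_a != rec_b)
    print("verify:", verify_password("password", rec_a), verify_password("wrong", rec_a))
```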

So remember, for your security: use passwords that combine more than one word, some numbers and at least one special character!!
