Here's why a Greece Hacker Easily Hacked Croatian University?
A hacker from Greece has published the database of the University of Rijeka in the context of Croatia supporting the anti-Serb movement. Reportedly, the hacker was fueled by the prevailing situation in the Balkans, and his acts were motivated by the same; addressing his Serbian brothers he wrote, "it's time to defend our land and our history".
The database contains a table that compares every username with a password. The server receives a request for authentication with a payload containing a username and a password when a user logs in; then the username is being looked up in the database and matched with the stored password, and when the right match is being found, the user gets the access to the application or the website.
The strength of security depends upon the format of storing the password, one of the most basic ways of password storage is 'cleartext', which however is also the least secure of all as it is readable data stored in the clear, for instance, unencrypted. To say, using cleartext for storing passwords is the real-world equivalent of writing them down on paper – here a digital one.
Notably, the University website has been using Md5 to store the passwords which is yet another outdated format that can be easily cracked. Now coming back to hashing – it uses an algorithm to map data regardless of its size to a fixed length, one must not confuse hashing with encryption as encryption is a two-way function and hence reversible while hashing is a one-way function and hence is not reversible. The computing power required to reverse-hash something is unfeasible.
What is salting?
Salting is a unique value that is added at the end of the password to distinguish its hash value from that of a similar password, without salting the same hash will be created for two identical passwords. It is done to strengthen security by complicating the cracking process. However, in the abovementioned hash, there are no additional values added to the passwords.
They have simply used the md5 method without salting and as the main virtue of a secure hash function is to make its output difficult to predict, this method used by the University defies the whole purpose – making passwords weak and easy to crack. Some of the pre-cracked passwords are shown below.
from E Hacking News - Latest Hacker News and IT Security News https://ift.tt/2IwCgDR
Comments
Post a Comment