DISCLAIMER: I am not an expert at cryptology. But I generally understand the industry best practices and have implemented this stuff on several sites. That said, read on at your own risk :)
There's been a lot of talk about LinkedIn passwords getting stolen. It's an interesting read and it made me think it would make for a good blog post.
If you read the link above you will see them referring to hashed passwords. First of all, nobody should be storing passwords in a database as clear text. Never, ever, nope. You want to store the password after it's been hashed with a one-way hashing algorithm. One-way just means it's computationally impractical on today's computers to go the reverse direction from hashed string back to password.
So now that you've got your hashed password, you can rest assured that your passwords are super-safe, right? Well, almost. You are still vulnerable to a dictionary attack. A dictionary attack is where an attacker tries to guess your password using a set of likely candidates.
<rant>
Strict password requirements create bad passwords.
You know those password requirements like:
Must be at least 8 characters long and contain
at least one upper-case character
at least one punctuation character (_ . , etc.)
at least one number.
It _seems_ like those requirements should force people to create nice secure passwords that are hard to guess. But the reality is exactly opposite.
Those requirements practically force you to use a date. I would bet good money that at least a quarter of you reading this have a favorite date password to satisfy those requirements. Let's see, I was born in April of 1974. I can capitalize April, put a comma in there, and voila: April,1974. Requirements met!
Dictionaries invariably start with a bunch of variations of [month] [punctuation] [2 or 4 digit number]. Secure password fail.
</rant>
Ok, back to the discussion. Your passwords are stored in your db as hashed strings. So all an attacker has to do is pre-compute their dictionary and compare those hashes to the hashes they grabbed out of your db using an SQL injection (another topic for another time). Yes, they would have to know which hashing algorithm you used, but there aren't too many in everyday use (MD5 and SHA1 spring to mind). And these pre-hashed tables exist. They are called Rainbow Tables.
I have no idea why?
What would be better is to add something to the password before we hash it. Then the attacker can't use a pre-computed Rainbow Table. The "something you add to a password before you hash it" is called salt. So now they would have to have stolen the salt along with the hashed passwords. And then create a Rainbow Table from scratch.
This is all sounding much better. Add salt to the password and then hash it. Got it? Good.
Actually, there's one more little step we can take to make our passwords even more secure. We can make sure the salt is unique for each password. This is usually accomplished using a unique identifier for the user (usually the primary key) and a simple random number to create the salt. As long as the unique salts are stored securely, you can feel pretty confident that you've got things locked down.
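To make the difference concrete, here is an added Python example (not code from this post) that stores the same password for two users both ways and checks each store against a pre-computed table. It assumes a purely random 16-byte salt per user and swaps the single MD5/SHA1 pass for PBKDF2-HMAC-SHA256; the dictionary, iteration count and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dictionary of the date-style guesses described above.
DICTIONARY = ["April,1974", "June.2012", "May_99"]
ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare SHA-1 pass, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


# Computed once, then reusable against any database that stores bare SHA-1.
PRECOMPUTED = {unsalted_hash(p): p for p in DICTIONARY}


def new_record(password: str) -> dict:
    """Salted scheme: a fresh random salt is generated and stored per user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def table_hits(stored_hex_hashes) -> int:
    """Count stored hashes that a direct table lookup recovers."""
    return sum(1 for h in stored_hex_hashes if h in PRECOMPUTED)


if __name__ == "__main__":
    # Two users who picked the same password.
    weak_db = [unsalted_hash("April,1974"), unsalted_hash("April,1974")]
    alice, bob = new_record("April,1974"), new_record("April,1974")
    print("unsalted rows recovered by lookup:", table_hits(weak_db))
    print("salted rows recovered by lookup:",
          table_hits([alice["hash"].hex(), bob["hash"].hex()]))
    print("same password, same stored value?", alice["hash"] == bob["hash"])
    print("login check:", verify("April,1974", alice))
```

With per-user salts the two rows no longer match each other, so a guess has to be recomputed for every user instead of looked up once.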
I do this type of thing quite often in other languages, but I've never actually had the need to implement it in SAS. I will write a subsequent post that has some example SAS code to make the ideas a little more concrete.