How do hackers steal passwords from a database? Given that passwords are encrypted in a bunch of ways?

S

suhuxa12017-08-06 08:03:43

Burglary protection

suhuxa1, 2017-08-06 08:03:43

So the thought came to my mind, I use an encryption key on my services that encrypts the password, and after that this password is also encrypted via md5. I saw services when there are already 4 such keys. And each one sequentially encrypts the password, and also runs through md5 at the end. Question: how do hackers get already decrypted passwords from the database of large services? Encryption keys are unrealistic, they usually contain 60+ characters of the most different ones. Or they in addition to a DB steal also a config?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

D

Dmitry Dart, 2017-08-06
@gobananas

Yes, there are unhashed passwords, but this is rare, hashed ones are recognized using rainbow tables, for example. In this case, salt is of great importance. If the passwords are not salted, then the hashes are used to find the values instantly using rainbow tables. But weak salts are also selected, but strong salt is always good.
For general development: MD5 hack methods https://xakep.ru/2013/10/13/md5-hack/

A

Adamos, 2017-08-06
@Adamos

Usually, if the attacker was able to get the base, he can also steal the hash script.
We have a task: here are the password hashes, here is the algorithm by which they were obtained.
We take a dictionary of frequent passwords, run it through this algorithm, look for matches.
In theory - we have all users who use weak passwords.
In practice, an individual salt for each user and hashing with something heavier than md5 makes the selection process too long (to the point of complete unprofitability) in most cases.