Password Cracking
Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.
Know more about Brute force attack
A Few Defensive Measures
* If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.
0 comments:
Post a Comment