Warning! 32 Million Twitter Passwords May Have Been Hacked and Leaked.
The world came to know about massive data breaches in some of the most popular social media websites including LinkedIn, MySpace, Tumblr, Fling, and VK.com when an unknown Russian hacker published the data dumps for sale on the underground black marketplace.
However, these are only data breaches that have been publicly disclosed by the hacker.
I wonder how much more stolen data sets this Russian, or other hackers are holding that have yet to be released.
Single Sign-On and Password Synchronization
One issue that has irritated users in large secure environments is the burgeoning number of passwords they have to remember to access various applications. A user might need one password to log onto his or her workstation, another to access the network, and yet another for a particular server. Ideally, a user should be able to sign on once, with a single password, and be able to access all the other systems on which he or she has authorization.
Some have called this notion of single sign-on the “Holy Grail” of computer security.
The goal is admirable to create a common enterprise security infrastructure to re-place a heterogeneous one. And it is currently being at-tempted by several vendors through technologies such as the Open Group’s Distributed Computing Environment (DCE), MIT’s Kerberos, Microsoft’s ActiveDirectory, and Public-Key Infrastructure (PKI)-based systems. However, few, if any, enterprises have actually achieved their goal. Unfortunately, the task of changing all existing applications to use a common security infrastructure is very difﬁcult, and this has further been hampered by a lack of consensus on a common security infrastructure. As a result, the disparate proprietary and standards-based solutions cannot be applied to every system. In addition, there is a risk of a single point of failure. Should one user’s pass-word be compromised, it is not just his local system that can be breached but the entire enterprise.
A hash function is an algorithm that takes a variable-length string as the input and produces a ﬁxed-length value (hash) as the output. The challenge for a hashing algorithm is to make this process irreversible; that is, ﬁnding
a string that produces a given hash value should be very difﬁcult. It should also be difﬁcult to ﬁnd two arbitrary strings that produce the same hash value. Also called a message digest or ﬁngerprint, several one-way hash functions are in common use today. Among these are Se-cure Hashing Algorithm-1 (SHA-1) and Message Digest-5 (MD-5). The latter was invented by Ron Rivest for RSA Security, Inc. and produces a 128-bit hash value. See Table 1 for an example of output generated by MD5. SHA-1 was developed by the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and produces 160-bit hash values. SHA-1 is generally considered more secure than MD5 due to its longer hash value.
Microsoft Windows NT uses one-way hash functions to store password information in the Security Account Manager (SAM). There are no Windows32 Applications Programming Interface (API) function calls to retrieve user passwords because the system does not store them. It stores only hash values. However, even a hash-encrypted password in a database is not entirely secure. A cracking tool can compile a list of, say, the one million most commonly used passwords and compute hash functions from all of them. Then the tool can obtain the system account database and compare the hashed passwords in the database with its own list to see what matches. This is called a “dictionary attack” (see “Password Cracking Tools”).