How can we protect our passwords?
2022-07-01 13:55:00 【Wandering ah yuan】
How is our information stored in the databases behind the Internet services we use, and how can we protect our information and privacy?
Recently “XX through”, a learning app that many college students use, was suspected of leaking user data: possibly more than 170 million records, including school, full name, mobile phone number, student number, e-mail address and so on.
As soon as it happened, the company immediately issued a denial. But the so-called denial only said, “We checked for more than ten hours and found no specific user data disclosure.” It also said, “Our passwords are not stored in clear text, so passwords will not be revealed.”
Both explanations are, frankly, rather funny.
Saying you found nothing in ten hours amounts to saying: your information may well have leaked, but there is no evidence that we leaked it.
The claim that passwords are not stored in clear text is even more ridiculous. No company stores users' passwords in clear text, so there is no point in bringing it up.
If this had happened at an Internet company, the pressure of public opinion would be far higher than it is now.

1. How is our information stored?
So let's first look at how your information is stored in these apps.
Broadly, user data falls into three categories: data stored in plaintext, data stored encrypted, and data that is not allowed to be stored at all.
Plaintext storage: information such as our nickname, user name, avatar and so on. This information is publicly visible, so it can be stored in clear text.
Encrypted storage: information such as our password. This is hidden not only from outsiders; internal staff cannot see it either. The usual way to “encrypt” it is a hash: some algorithm converts your password into a different string.
Such an algorithm has two key properties. It is one-way, meaning it is practically impossible to work back from the result to the original password. And it is low-collision: simply put, two different passwords, even ones differing by a single character, produce completely different results. For example, if we run the md5 algorithm on two similar strings, the results turn out to be very different.

You can see that although only the last character differs, the results are completely different.
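The comparison described above can be reproduced and measured rather than eyeballed. The following is an added example, not code from the original post; it hashes two constructed passwords that differ only in the last character and counts how many digest bits change (about half, for a well-behaved hash).

```python
import hashlib


def digest_hex(algorithm: str, text: str) -> str:
    """Hex digest of text (UTF-8) under a hashlib algorithm, e.g. 'md5' or 'sha256'."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must have the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(algorithm: str, a: str, b: str) -> dict:
    """Hash two inputs and measure how far apart the resulting digests are."""
    ha, hb = digest_hex(algorithm, a), digest_hex(algorithm, b)
    total_bits = len(ha) * 4  # each hex character encodes 4 bits
    diff = differing_bits(ha, hb)
    return {
        "algorithm": algorithm,
        "digest_a": ha,
        "digest_b": hb,
        "differing_bits": diff,
        "total_bits": total_bits,
        "fraction": diff / total_bits,  # close to 0.5 for a well-behaved hash
    }


if __name__ == "__main__":
    # Constructed inputs: two passwords that differ only in the last character.
    for algorithm in ("md5", "sha256"):
        r = avalanche_report(algorithm, "123456", "123457")
        print(f"{r['algorithm']}: {r['digest_a']}")
        print(f"{' ' * len(r['algorithm'])}  {r['digest_b']}")
        print(f"  {r['differing_bits']} of {r['total_bits']} bits differ "
              f"({r['fraction']:.0%})")
```

md5 is shown only because the text names it; it is fast and unsalted, which is exactly what makes the dictionary attacks discussed later cheap, so it is not a suitable password hash today.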
Do not store: information such as ID card numbers and biometric data (the results of face recognition). The Personal Information Protection Law clearly stipulates that non-essential information may not be stored. Take ID cards: the anti-addiction verification for minors that we meet in games actually sends your identity information to an interface provided by the Ministry of Public Security for checking, so a game company has no reason to store your ID information. Likewise, the biometric information we use for face recognition may not be processed or stored unless there is sufficient necessity.
Looking at this, what we need to worry about is the encrypted data. How on earth does it get stolen?

2. How is encrypted information stolen?
An attacker can obtain a password in several ways, from simple to complex.
The first is guessing.
Guessing is also called brute-force cracking. For example, a website requires your password to be 8 characters of digits and letters. Fine, then I start guessing: the first password is 00000000, try it, wrong; then I try 00000001.
Just try them one by one; in theory, one day I will hit your password.
The problem with brute force is that as the password length grows, the computational effort grows exponentially. On top of that, some software makes you wait 10 minutes after 3 wrong attempts, or demands a verification code after 1 wrong attempt, so brute force can hardly be used to obtain your password.
Of course, it still works for cracking encrypted archives and Wi-Fi passwords.
The second is educated guessing.
Some people set their passwords according to a pattern, for example their own initials plus mobile phone number, or their birthday. Once the attacker has some information about you, they can construct passwords you are likely to use.
The third is database dumping (拖库): obtaining the database contents directly.
The attacker finds some way to connect directly to the website's database and pull all the users' information.
Of course, not every leak is the work of hackers; sometimes internal employees cause leaks too. For example, a programmer at Huazhu Hotels uploaded the company's code and database configuration straight to github, which is like opening your own front door and shouting through a megaphone for people to come in and steal. Recently there was a case in Japan as well: Amagasaki City in Hyogo Prefecture said that a USB drive containing the personal information of more than 460,000 residents, including the names, addresses, dates of birth and tax payments of all citizens, was lost on the 21st.

In general, because the passwords stored by the website are encrypted, the encrypted data on its own is useless to the attacker. For instance, say your password is “123456” and the corresponding ciphertext is “abcdefg”. Even if the attacker knows your ciphertext, there is no way to log in to your account using the ciphertext as the password, and, as mentioned earlier, the algorithm is one-way, so the attacker cannot recover your plaintext password from the ciphertext.

However, not being able to recover it directly does not mean it cannot be recovered indirectly.
The simplest approach is a dictionary. There are only a handful of commonly used algorithms, such as md5 and sha1, and all of them are public. As we said before, the security of the algorithm does not rest on keeping it secret: even with the algorithm public, you cannot recover the plaintext from the ciphertext.
But here's the thing: although I cannot recover the plaintext with this public algorithm, I can try candidates one by one. For example, I run md5 on “12345” and get the ciphertext “abcde”, then on “23456” and get “bcdef”. I put a huge number of such results into a database, and once I have a user's ciphertext I look it up to see whether a corresponding plaintext exists.
The drawback of the dictionary method is that it needs a great deal of storage space, so rainbow table techniques emerged. They can be seen as a further optimisation of the dictionary method that reduces the storage needed to build the dictionary.
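The dictionary lookup just described, and the standard defence against it on the storage side, as an added example that is not part of the original post. It assumes a small constructed word list and adds a per-user random salt (not discussed in the text) to show why a precomputed table of unsalted md5 digests stops matching anything.

```python
import hashlib
import os

# Constructed word list standing in for a real list of common passwords.
WORDLIST = ["123456", "password", "qwerty", "111111", "letmein", "weixin123"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """As in the text: the same plaintext always yields the same digest."""
    return md5_hex(password.encode("utf-8"))


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt mixed in before hashing (assumed defence, not from the page)."""
    return md5_hex(salt + password.encode("utf-8"))


def build_dictionary(words) -> dict:
    """Precompute digest -> plaintext once; this is the 'dictionary' of the text."""
    return {unsalted_hash(w): w for w in words}


def reverse_by_dictionary(dictionary: dict, leaked_digest: str):
    """Look a leaked digest up; None means it is not in the precomputed table."""
    return dictionary.get(leaked_digest.lower())


def store_user(password: str):
    """Return the (salt, digest) pair a site would keep instead of the bare digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_user(password: str, salt: bytes, digest: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    return salted_hash(password, salt) == digest


if __name__ == "__main__":
    dictionary = build_dictionary(WORDLIST)
    # Constructed leaked record: an unsalted digest of a common password.
    print(reverse_by_dictionary(dictionary, unsalted_hash("123456")))  # 123456
    salt, digest = store_user("123456")
    print(reverse_by_dictionary(dictionary, digest))  # None: table is useless
    salt2, digest2 = store_user("123456")
    print(digest != digest2)  # True: same password, different stored digests
    print(verify_user("123456", salt, digest))  # True
```

With a salt, the attacker must rebuild the table once per user rather than once per algorithm, which is what removes the storage-for-time advantage that dictionaries and rainbow tables depend on.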

3. How can we protect our passwords from being stolen?
For the attack methods above, the probability of success mostly depends on the security measures of the website under attack. But we cannot pin our hopes on others; who would have thought someone would actually push their own company's database information to github? So the most important thing is to protect yourself.
At the very least, don't make low-level mistakes that lead to password disclosure.
So how do we protect our passwords? Here are some tips.
First, don't build your password from your other public information, such as your birthday, mobile phone number or even ID card number. If you really want to use them, try applying some transformation. For example, my own bank card password is built from a mobile phone number, but not my own: I took a few digits from several people's phone numbers, made some changes, and the resulting number became my password.
Then someone will ask: who can remember something like that? You're right, I couldn't remember it at first, but after a few uses I did. Now I no longer remember what the transformation was, but I remember the final password.
Second, try not to provide unnecessary information to websites that don't need it. For example, many games require your ID card to verify that you are not a minor. For games I don't play often, I enter ID information that is already public online rather than my own, because I can't guarantee whether these websites will keep my ID information.
Third, try not to use the same password on multiple websites. A single password is certainly easy to remember, but once one website's account data leaks, all your other accounts are exposed too. Bear in mind that not every website or app has device login verification or SMS verification codes. I suggest using one password for unimportant websites and separate passwords for important ones. Or apply some transformation: for example, if your base password is “123”, your Alipay password could be “zhifubao123” and your WeChat password “weixin123”. Of course, only you should know the transformation.
Finally, as the saying goes: trust no one. Any password can leak, so protect your own information carefully. Being responsible for yourself matters most.