DEV Community

Utkarsh Yadav

Understanding Hacking 101...

Making dope-level stuff with programming skills is good, but protecting your users from being hacked is great ❤❤ ... One important thing we should keep in mind when doing server-side programming is the security of the database, passwords and users' data..
Examples of some big firms that once faced security vulnerability issues are:

  • LinkedIn - 2012 (lots of accounts were hacked)
  • Adobe Cloud - 2013

People do not know that their accounts have been hacked, and the information is sold to break into their PayPal accounts or bank accounts, maybe...

Why is it that all of these big companies are getting hacked and leaking their users' passwords?

  • Are they not at least encrypting or hashing their passwords...? ... THEY ARE!

IMAGINE you're a hacker, you've hacked into LinkedIn's database and you see this:

Notice that:

  • The hashes the arrows point to are identical.
  • Which means the users with the same hash have the same password.

Note that: an unsalted hash function is deterministic, so the same string always gives the same hash..😢

  • The hacker would realize that these three peeps have the same password.
  • He starts constructing a hash table, like below..👇👇


  • Compares the hashes with the passwords in the table...


  • BOOM!💣 You've been Hacked.. 👨‍💻👨‍💻👨‍💻

What if the passwords are not the same, or not common?

Let's make a hash table...

What we need 🤔🤔🤔

  • All words from a dictionary (150,000 approx.)
  • All numbers from a telephone book (5,000,000 approx.)
  • All combinations of characters up to 6 places (19,770,609,664 approx.)

ADD THEM ALL: you get about 19 billion combinations.

BUT HOW TO DO THAT...? 😖😕🤔😡🤕

You could do it with one of the latest GPUs....

  • The latest GPUs can calculate about 20,000,000,000 MD5 hashes/second....
  • That means we can crack all 19 billion hashes, even if there are no common passwords among the users..
  • It would take only about 0.9 s. 😁😁😎

The need of the hour is protection..

  • Developers use salting when hashing their passwords..
    • SALTING: A salt is random data that is used as an additional input to a one-way function that hashes data and passwords. Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.

POINTS:

  • Since LinkedIn and Adobe were hacked, the most common passwords have been leaked and are now of NO USE.
  • SplashData (maintains a list of the most common passwords..)
  • That's why big companies nowadays change their hash functions every day, to protect their users from being hacked 👨‍💻👨‍💻...

POINTS FOR A DEVELOPER...

  • Check for security vulnerabilities.
  • Use a strong password hashing algorithm such as bcrypt.
  • Use .env for protecting API keys.
    • npm i dotenv --save
    • Then make a file in your root directory: touch .env
    • Open your .env file and put your secret strings inside it..

      API_KEY=Awd3B26dbj126bds82dh
      CLIENT_ID=w987e8yd78eh2yeh98eh083

    • If working with Node.js, add the following:

      require('dotenv').config();

    • Then read the key with process.env.API_KEY (the object is process.env, lowercase).

But your secrets are still in danger.. don't worry.

  • Keeping the .env file in .gitignore will save you..
  • If you commit your secrets to a GitHub repo, anyone can see them.. But adding .env to .gitignore keeps the file out of the repo..

Stacked data needs to be protected...

Hope You have Learned Something New and Interesting..
Keep Learning..😀
Happy Hacking!!! 👨‍💻👨‍💻

Top comments (8)

Tahseen Rahman

My understanding is during a signup, the password is saved as hash.
When the user logs in, the text input password is converted into a hash and then this hash is checked against the one in the database. If both match, access is granted.

How does salt come into play in all of this, and if the salt changes every day, then the hash should be different every other day for the same text.
Please correct me wherever I am wrong.

Tirtha Guha

The salt is random. You save the salt too with your password. However, you hide the hashing algorithm.

Utkarsh Yadav

Agreed !

Adrien Gallouët

Hello,
I'm surprised you didn't mention the "salt" method in your post. It is the most known technique (and very classic) to avoid the problem you are talking about.

Médéric Burlet

I agree this is so basic. It can easily be tested in node.js
npmjs.com/package/bcrypt

You can just do:

const bcrypt = require('bcrypt');

// bcrypt generates a fresh random salt on every call (cost factor 10)
bcrypt.hash("myPassword", 10, function(err, hash) {
    if (err) throw err;
    // Store hash in your password DB.
    console.log(`hash: ${hash}`)
});

bcrypt.hash("myPassword", 10, function(err, hash) {
    if (err) throw err;
    // Store hash in your password DB.
    console.log(`hash2: ${hash}`)
});

The two passwords have different hashes.

Furthermore the concept of SALT is basic and easily showcased via node:

codesandbox.io/s/amazing-almeida-b...

I also don't see why this is tagged #javascript when there is no code in the thread

Utkarsh Yadav

Thanks @Médéric Burlet ❤
For helping people understand what Salt is...😊
And also thanks for contributing your code Example in this thread..

Tag is a keyword or term assigned to a piece of information. A kind of metadata helps describe an item and allows it to be found again by browsing or searching.

So I did tag JavaScript.... to help other users find this post together with the JavaScript keyword ...

And my purpose was not to explain only what salting is.. But how these stuff happens.. (ONLY BASICs) .

Médéric Burlet

I think you don't have to put the code, but explaining how to overcome the problem with salt is a good conclusion to the article. You can explain the generic concept: how you add some random string to the original password and hash that, so there is randomness in the password.

Of course salting has to be done properly and be secured in its own way. This is why Bcrypt is very practical.

Utkarsh Yadav

Hi,
Ya.. you are right though.... But I thought talking about salting and Bcrypt would be better if it were explained using some Node.JS examples and implementations .. But yes, I am pretty sure that giving a brief about it wouldn't be wrong...
Thanks for the recommendation