It is safe to say that the world of internet is literally nothing without the content that we find on it in our everyday life. So, while safeguarding the content with impeccable security standards is a necessity, a latest study has discovered that the most popular content management systems (CMS) on the web are actually protecting the passwords of their users with insecure algorithms.
The research has been done by three researchers from the Department of Digital Systems at the University of Piraeus in Greece who thoroughly tested a number of CMS, just to ensure how well such systems hashed the passwords.
For those of you who are still new to hashing the passwords, it is basically a mathematical function that converts your password into a code. The process works as a one-way street in which the alphanumeric string like your password gets converted into another string called digest. Once this is done, someone can calculate digest from the password but it becomes impossible to calculate password using digest.
This function showcases its value right at the time when users log in with their credential details, the web application hashes the password on spot and matches it with the permanent digest. Hence, if hackers even break into the database of passwords, they still won’t be able to extract much information.
The recent news has revealed that modern CMS systems are using outdated hash functions and due to this, the privacy of users and the content itself is at great risk.
Going into the depth of the detail they explained that not all hashing functions can work equally well. The researchers found out that MD5 and SHA-1 has always been the main culprit behind this weakness. An effective hashing function is supposed to generate a unique digest for every different input by the user. Doing so would make sure that no two passwords produce the same digest but that happened with the first successful collision attack against MD5 was carried out in 1996 and how MD5 collisions are now more common.
On the other hand, SHA-1 was considered to be a genius replacement of MD5 but only till the time it became totally obsolete.
The team looked at 49 content management systems and 47 web application frameworks. In the final results, it was proven that 26.5% of them used MD5. This list included osCommerce, SuiteCRM, WordPress, X3cms, SugarCRM, CMS Made simple, MantisBT, Simple Machines, miniBB, Phorum, MyBB, Observium, and Composr. While a further 12.2% of them used SHA-1. with GetSimple CMS, Redmine, Collabtive, PunBB, Pligg, and Omeka.
The worst thing is that collision attacks aren’t the only danger to hashing functionality. The graphical processing units, which eventually divides the processing power to the many processing cores, can also be targeted. Moreover, sites which had loose password policies and not salt, there were random hash iterations as well.
This leads us to another important aspect of hashing the passwords - salt. It is a random string of data that is based on different hashes for similar passwords. Hashing function gets mixed with salt over and over again to make the password secure and process computationally expensive. Each of these rounds in which hash gets mixed with salt is called iteration.
If the number of iterations are more, it then becomes a bit difficult for password cracking computers to develop password matches at a rapid pace.
Some of the systems under consideration had wMD5 or SHA-1 on it, but they were still at risk by not using salt or iterations. The list included big names like X3cms 0.5.3, GetSimple, MiniBB 3.2.2, and Phorum.
Whereas, on the other side the most secure CMS systems from a hashing perspective were protected with bcrypt - a password hashing function that is resistant to GPU-based parallel computing cracks. In this list of nice, researchers found out systems like Joomla, Zurmo, OrangeHRM, SilverStripe, Elgg, XOOPS, e107, NodeBB, Concrete5, phpBB, Vanilla Forums, Ushahidi, Lime Survey, Mahara, Mibew, vBulletin, OpenCart, PrestaShop, and Moodle.
This weakness in hashing overall determines how quickly an attacker can get through the password database to steal details or guess the passwords during the login attempt. Hence, an overall revamp is still required for safety of users and content as well.
Read next: The U.S. sees a loss of over $1.5 trillion through a decade of data breaches
Featured illustration: Freepik.
The research has been done by three researchers from the Department of Digital Systems at the University of Piraeus in Greece who thoroughly tested a number of CMS, just to ensure how well such systems hashed the passwords.
For those of you who are still new to hashing the passwords, it is basically a mathematical function that converts your password into a code. The process works as a one-way street in which the alphanumeric string like your password gets converted into another string called digest. Once this is done, someone can calculate digest from the password but it becomes impossible to calculate password using digest.
This function showcases its value right at the time when users log in with their credential details, the web application hashes the password on spot and matches it with the permanent digest. Hence, if hackers even break into the database of passwords, they still won’t be able to extract much information.
The recent news has revealed that modern CMS systems are using outdated hash functions and due to this, the privacy of users and the content itself is at great risk.
Going into the depth of the detail they explained that not all hashing functions can work equally well. The researchers found out that MD5 and SHA-1 has always been the main culprit behind this weakness. An effective hashing function is supposed to generate a unique digest for every different input by the user. Doing so would make sure that no two passwords produce the same digest but that happened with the first successful collision attack against MD5 was carried out in 1996 and how MD5 collisions are now more common.
On the other hand, SHA-1 was considered to be a genius replacement of MD5 but only till the time it became totally obsolete.
The team looked at 49 content management systems and 47 web application frameworks. In the final results, it was proven that 26.5% of them used MD5. This list included osCommerce, SuiteCRM, WordPress, X3cms, SugarCRM, CMS Made simple, MantisBT, Simple Machines, miniBB, Phorum, MyBB, Observium, and Composr. While a further 12.2% of them used SHA-1. with GetSimple CMS, Redmine, Collabtive, PunBB, Pligg, and Omeka.
The worst thing is that collision attacks aren’t the only danger to hashing functionality. The graphical processing units, which eventually divides the processing power to the many processing cores, can also be targeted. Moreover, sites which had loose password policies and not salt, there were random hash iterations as well.
This leads us to another important aspect of hashing the passwords - salt. It is a random string of data that is based on different hashes for similar passwords. Hashing function gets mixed with salt over and over again to make the password secure and process computationally expensive. Each of these rounds in which hash gets mixed with salt is called iteration.
If the number of iterations are more, it then becomes a bit difficult for password cracking computers to develop password matches at a rapid pace.
Some of the systems under consideration had wMD5 or SHA-1 on it, but they were still at risk by not using salt or iterations. The list included big names like X3cms 0.5.3, GetSimple, MiniBB 3.2.2, and Phorum.
Whereas, on the other side the most secure CMS systems from a hashing perspective were protected with bcrypt - a password hashing function that is resistant to GPU-based parallel computing cracks. In this list of nice, researchers found out systems like Joomla, Zurmo, OrangeHRM, SilverStripe, Elgg, XOOPS, e107, NodeBB, Concrete5, phpBB, Vanilla Forums, Ushahidi, Lime Survey, Mahara, Mibew, vBulletin, OpenCart, PrestaShop, and Moodle.
This weakness in hashing overall determines how quickly an attacker can get through the password database to steal details or guess the passwords during the login attempt. Hence, an overall revamp is still required for safety of users and content as well.
Read next: The U.S. sees a loss of over $1.5 trillion through a decade of data breaches
Featured illustration: Freepik.
