CEP Statement on Twitter’s Suspension of Extremist... » New York, NY: The Counter Extremism Project released the following statement in response to Twitter’... RiskIQ accelerates momentum across entire extern... » London, UK: RiskIQ has announced year-over-year bookings growth of 80 percent, dominating the extern... Interserve chooses Sopra Steria to transform ... » London: Sopra Steria has recently signed a major IT managed services contract with Interserve PLC to... Arista expands to next-generation telemetry » SANTA CLARA, Calif: Arista Networks (NYSE:ANET) today announced next-generation telemetry and analyt... VIOLATION OF INNOCENCE » This poem was written in 2007 and since then has been published and republished on Vigilance many ... NSFOCUS continues Middle East commitment in partne... » NSFOCUS IB has confirmed its new partnership with MDS Computers, continuing its expansion into the M... Xceed Group prepares RFIB for IT service growth » London, UK:  London-based Xceed Group has helped RFIB Group Limited to select an Infrastructure as a... Varonis helps Miramax control and secure valuabl... » London, UK: Varonis Systems, Inc. has released details on how Miramax relies on Varonis solutions to... TDSi awards AlertSystems ‘Platinum Partner of th... » Poole: Integrated security manufacturer TDSi has awarded AlertSystems its ‘Platinum Partner of the Y... Virgin Trains welcomes decision to suspend indus... » The union suspended the walk-outs yesterday after Virgin Trains repeated its assurances to the union...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

A new attack makes some password cracking faster, easier than ever. A researcher has devised a method that reduces the time and resources required to crack passwords that are protected by the SHA1 cryptographic algorithm.

Tal Be'ery, Web Researcher at Imperva has looked into the SHA1 methodology and why companies should stay clear of using this method to protect passwords:

 

"First, some context. One of the main use cases for hashing function, such as the SHA-1 function, is to store passwords securely. When attackers obtain such hashed password, they need to launch a “brute force” attack against it, in order to reveal the password. “Brute force” means, they need to repeatedly guess the password, apply the hashing function on it and compare the result with their hash password they have. The security researcher has found an algorithmic shortcut in SHA-1 calculation that makes the computation easier, thus reducing the time needed to successfully “brute force” an attack.

The corollary? In case the hashing is done for security (e.g. hash user passwords, verify data integrity, etc.):

MD5 is dead and should never be used.

SHA-1 is going in the same direction. Consider an upgrade of existing systems and definitely don't use it for new systems.

A smart choice would be to follow the U.S. National Institute of Standards and Technology (NIST) recommendation for federal agencies: "Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance."

Best option? Use a hash function from SHA-2 family, such as the SHA256."