On 17.01.2012 03:22, Dale wrote:
> Howdy,
> 
> It was on the news that some company got hacked into that was related to
> Amazon.  They said Amazon users should change their password just as a
> precaution.  I have a question though.  I use some pretty good passwords
> for the things that matter, sites such as my bank, credit card, ebay,
> paypal, newegg and others that may store things such as my credit card
> numbers.  Here is an example but not a close match to a typical password:
> 
> $cb78862A!
> 
> According to those password strength websites, that is a great
> password.  Fairly long and lots of assorted characters and impossible to
> guess since it contains no personal info such as birthdays or pets. 
> This is fairly typical for sites that matter.  I may use something
> simple for sites such as forums or something tho.
> 
> My question.  If I have a really good password and someone gets hacked,
> should I change the password if the passwords are still safe?  In other
> words, they got some data such as email addys but the passwords and
> credit cards are still secure.  Should a person change it anyway?
> 
> One reason I ask this.  I remember my passwords well.  If I go to
> changing them every time someone gets hacked, I'll never be able to keep
> up with them again.  I use Lastpass to remember them but it could stop
> working because of an upgrade or something.  Then again, I could use its
> autogenerate thing and just HOPE for the best on upgrades.
> 
> Thoughts?  What do you guys, and our gal, do in situations like this?
> 
> Dale
> 
> :-)  :-)
> 

Well, "it depends" is the only answer I can really give. There are
basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change
your pw. I doubt amazon is stupid enough to store passwords as
plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or sha1
with no salt. With modern PCs, it isn't too hard to brute-force against
such, even without rainbow-tables. Then you should change your password
but you might get lucky and not need to.

3. Strong password hashes were used (something slow with a lot of salt,
possibly without storing the salt so it has to be guessed as well). Then
you don't need to change your password.

4. Something else was done. For example known-plaintext or
man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master
password. I'd just change the random amazon password as I've not
memorized it.

Obligatory xkcd reference: http://xkcd.com/936/
(I've checked the math, he is right.)

Regards,
Florian Philipp

Attachment: signature.asc
Description: OpenPGP digital signature
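The difference between Florian's scenarios 2 and 3 is easy to see in code. The following is an added example, not code from either poster or from any site mentioned in the thread: it cracks an unsalted MD5 hash with a precomputed dictionary table in one lookup, then shows that a salted, slow derivation (PBKDF2-HMAC-SHA256 stands in for "something slow with a lot of salt") forces a fresh derivation per guess and per user. The wordlist is constructed for the example, and the iteration count is an illustrative assumption. Dale's sample password appears only as a guess that is not in the wordlist, which is why it survives even the unsalted case.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for an attacker's dictionary; not real leaked data.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3", "correcthorsebatterystaple"]

# Dale's example password from the thread; used only as a guess that is NOT in the wordlist.
STRONG_PASSWORD = "$cb78862A!"

# Illustrative work factor (assumption for this example, not a value from the thread).
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password):
    """Scenario 2: plain MD5 with no salt, the way weak sites store passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. With no salt, the same table reverses the
    hash of every user on every site that uses plain MD5; this is the simplified
    idea behind rainbow tables."""
    return {md5_unsalted(w): w for w in words}


def crack_unsalted(leaked_hash, table):
    """A leaked unsalted hash is broken by a single dictionary lookup (or None)."""
    return table.get(leaked_hash)


def pbkdf2_record(password, salt=None):
    """Scenario 3: slow, salted derivation. Returns (salt, derived_key); a fresh
    random salt is drawn when none is supplied, as a site would do per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def crack_salted(leaked_salt, leaked_dk, words):
    """No precomputed table applies: every guess must be re-derived with this user's
    salt and pay the full iteration count. Returns (plaintext or None, PBKDF2 calls)."""
    calls = 0
    for w in words:
        calls += 1
        _, dk = pbkdf2_record(w, leaked_salt)
        if hmac.compare_digest(dk, leaked_dk):
            return w, calls
    return None, calls


def hash_operations(n_words, n_users):
    """Rough cost comparison for a dump of n_users records against an n_words dictionary:
    unsalted MD5 needs one table of n_words hashes for everyone; salted PBKDF2 needs
    n_words derivations per user, each costing PBKDF2_ITERATIONS underlying HMACs."""
    unsalted = n_words
    salted = n_words * n_users * PBKDF2_ITERATIONS
    return unsalted, salted


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 of 'letmein' recovered as:",
          crack_unsalted(md5_unsalted("letmein"), table))
    print("unsalted MD5 of the strong password recovered as:",
          crack_unsalted(md5_unsalted(STRONG_PASSWORD), table))

    salt, dk = pbkdf2_record("letmein")
    print("salted PBKDF2 of 'letmein' recovered as (plaintext, derivations):",
          crack_salted(salt, dk, WORDLIST))
    print("hash operations for 1,000,000 users (unsalted, salted):",
          hash_operations(len(WORDLIST), 1_000_000))
```

Two things follow for the question in the thread. In scenario 2 the only thing protecting the account is whether the password is in a dictionary the attacker can afford to precompute, so a random or long passphrase buys real time while a common word does not. In scenario 3 the attacker pays the full derivation cost for every guess against every account, which is why a strong salted hash leaves a good password safe even after the database has leaked.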