Florian Philipp wrote:
On 17.01.2012 03:22, Dale wrote:
Howdy,

It was on the news that some company got hacked into that was related to
Amazon.  They said Amazon users should change their password just as a
precaution.  I have a question tho.  I use some pretty good passwords
for the things that matter, sites such as my bank, credit card, ebay,
paypal, newegg and others that may store things such as my credit card
numbers.  Here is an example but not a close match to a typical password:

$cb78862A!

According to those password strength websites, that is a great
password.  Fairly long and lots of assorted characters and impossible to
guess since it contains no personal info such as birthdays or pets.
This is fairly typical for sites that matter.  I may use something
simple for sites such as forums or something tho.

My question.  If I have a really good password and someone gets hacked,
should I change the password if the passwords are still safe?  In other
words, they got some data such as email addys but the passwords and
credit cards are still secure.  Should a person change it anyway?

One reason I ask this.  I remember my passwords well.  If I go to
changing them every time someone gets hacked, I'll never be able to keep
up with them again.  I use Lastpass to remember them but it could stop
working because of an upgrade or something.  Then again, I could use its
autogenerate thing and just HOPE for the best on upgrades.

Thoughts?  What do you guys, and our gal, do in situations like this?

Dale

:-)  :-)

Well, "it depends" is the only answer I can really give. There are
basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change
your pw. I doubt amazon is stupid enough to store passwords as
plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or sha1
with no salt. With modern PCs, it isn't too hard to brute-force against
such, even without rainbow-tables. Then you should change your password
but you might get lucky and not need to.

3. Strong password hashes were used (something slow with a lot of salt,
possibly without storing the salt so it has to be guessed as well). Then
you don't need to change your password.

4. Something else was done. For example known-plaintext or
man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master
password. I'd just change the random amazon password as I've not
memorized it.

Obligatory xkcd reference: http://xkcd.com/936/
(I've checked the math, he is right.)

Regards,
Florian Philipp

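The difference between scenarios 2 and 3 above (unsalted fast hash versus slow, per-user salted hash) shown in working code. This is an added example and not code from either poster; the iteration count, the record format and the sample password `$cb78862A!` reused from the first mail are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Work factor for the slow hash (constructed value for this illustration).
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Scenario 2: unsalted MD5. The same password always yields the same
    digest, so one precomputed table serves every user and every leaked DB."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Scenario 3: a slow, per-user-salted KDF (PBKDF2-HMAC-SHA256 here).
    The salt is stored beside the digest; it need not be secret, it only
    forces every guess to be recomputed separately for every user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    # Record layout (assumed): algo$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in
    constant time so the comparison itself leaks nothing about the digest."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_record(password: str,
                              hasher: Callable[[str], str]) -> bool:
    """True when two users who pick the same password get identical records,
    i.e. when one cracked record immediately exposes every other user."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "$cb78862A!"  # sample password from the thread, not a real one
    print("unsalted MD5 collides across users:",
          same_password_same_record(pw, weak_hash))   # True
    print("salted PBKDF2 collides across users:",
          same_password_same_record(pw, strong_hash))  # False
```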

This is what one news source says, and they are all about the same:

http://venturebeat.com/2012/01/16/zappo-hack/

"I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed."

What I read now is that it only affected the one site. It was early on that changing the password on Amazon was mentioned and I guess since they were not sure, it was just in case the worst happened.

I use Lastpass which does about the same as other password managers. It looks now like Zappo got off sort of lucky. Their customers may get extra spam now but at least it sounds like their credit card data is safe.

According to netcraft they run Linux. I wonder how they got into it? Think the admin had a really common password like "god" or something. lol Wasn't that in the movie "Hackers"?

Well, I changed mine before I sent the first post, just to be sure. Of course, with my bank account, they ain't going to spend much. Certainly not worth serious jail time. o_O

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS="--quiet-build=n"

