Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 01:35:54 -0600, Dale wrote:

> I use Lastpass which does about the same as other password managers.

Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.

-- 
Neil Bothwick

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Re: [gentoo-user] Questions about hacked sites and passwords
Neil Bothwick wrote:
> On Tue, 17 Jan 2012 01:35:54 -0600, Dale wrote:
>> I use Lastpass which does about the same as other password managers.
>
> Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.

None of the passwords were lost tho. They got everyone to change them just in case but according to what I read, the hackers didn't get anything. Keep in mind, they are encrypted locally, then sent to them. They can't see the passwords either. So, Lastpass is basically the same thing you use. It just has a different name. lol

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, Jan 17, 2012 at 08:41:53AM +, Penguin Lover Neil Bothwick squawked:
> On Tue, 17 Jan 2012 01:35:54 -0600, Dale wrote:
>> I use Lastpass which does about the same as other password managers.
>
> Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.

For users of KeePassX, what are its main benefits? Best I can tell it offers a searchable GUI (is it accessible on the command line?), and AES or Twofish encryption of a database. Is there anything else special that sets it apart from, say, the built-in encryption capabilities of vim (using blowfish)?

W
-- 
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire et vice versa ~~~ I. Newton
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 04:27:09 -0600, Dale wrote:

>>> I use Lastpass which does about the same as other password managers.
>>
>> Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>
> None of the passwords were lost tho.

This time.

> They got everyone to change them just in case but according to what I read, the hackers didn't get anything.

This time.

> Keep in mind, they are encrypted locally, then sent to them. They can't see the passwords either.

How is it encrypted? If the encryption system is not open source, it is not trustworthy.

> So, Lastpass is basically the same thing you use. It just has a different name. lol

Not really. I wouldn't store my banking passwords anywhere online, in fact I cannot access my bank account with password alone. I also need my debit card, PIN and the card reader they supply. This generates a one-time password using my card's details and no online component. I realise that card security is not the greatest, but if they've got my card and PIN, I'm screwed anyway.

-- 
Neil Bothwick

This man is depriving a village somewhere of an idiot
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 12:06:40 +0100, Willie WY Wong wrote:

> For users of KeePassX, what are its main benefits? Best I can tell it offers a searchable GUI (is it accessible on the command line?), and

There's a command line interface out there, google for kpcli.

> AES or Twofish encryption of a database. Is there anything else special that sets it apart from, say, the built-in encryption capabilities of vim (using blowfish)?

It's a lot more convenient than a plain text file, but at the end of the day, both are encrypted databases. Being able to open a browser from the GUI and copying the username/password to the clipboard are handy, as is the ability to separate the entries into categories, but it's all convenience. You can do most of this with an encrypted text file and grep, although not so easily on an Android phone.

-- 
Neil Bothwick

Philosophical error: Demonstrate the existence of a key to continue
Re: [gentoo-user] Questions about hacked sites and passwords
Neil Bothwick wrote:
> On Tue, 17 Jan 2012 04:27:09 -0600, Dale wrote:
>>>> I use Lastpass which does about the same as other password managers.
>>>
>>> Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>>
>> None of the passwords were lost tho.
>
> This time.

And maybe not the next time either, or the next time, or the next time. Point is, can you state for a fact that no site will ever be broken into, ever?

>> They got everyone to change them just in case but according to what I read, the hackers didn't get anything.
>
> This time.

See above.

>> Keep in mind, they are encrypted locally, then sent to them. They can't see the passwords either.
>
> How is it encrypted? If the encryption system is not open source, it is not trustworthy.

The guy that owns it posted on this list a good while back. This was before the hack job. According to the things I have read, it has been improved even more than it was. I agree open source can be good but that doesn't mean closed can't be since we don't know what it does. If we don't know, neither do the hackers.

>> So, Lastpass is basically the same thing you use. It just has a different name. lol
>
> Not really. I wouldn't store my banking passwords anywhere online, in fact I cannot access my bank account with password alone. I also need my debit card, PIN and the card reader they supply. This generates a one-time password using my card's details and no online component. I realise that card security is not the greatest, but if they've got my card and PIN, I'm screwed anyway.

Well, if I understand what you call a dropbox, that is online. I have never used it so I have no idea. My bank doesn't have all that. Honestly, until it is absolutely needed, I wouldn't want to go through all that just to see if I have enough money to buy milk. :/

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Questions about hacked sites and passwords
On 17.01.2012 12:14, Neil Bothwick wrote:
> On Tue, 17 Jan 2012 12:06:40 +0100, Willie WY Wong wrote:
>> For users of KeePassX, what are its main benefits? Best I can tell it offers a searchable GUI (is it accessible on the command line?), and
>
> There's a command line interface out there, google for kpcli.
>
>> AES or Twofish encryption of a database. Is there anything else special that sets it apart from, say, the built-in encryption capabilities of vim (using blowfish)?
>
> It's a lot more convenient than a plain text file, but at the end of the day, both are encrypted databases. Being able to open a browser from the GUI and copying the username/password to the clipboard are handy, as is the ability to separate the entries into categories, but it's all convenience. You can do most of this with an encrypted text file and grep, although not so easily on an Android phone.

Other features:
- there is an android app (read-only access for now)
- there is a Windows version (including portable version for memory sticks)
- it has an integrated password generator with some nice options
- it allows 2-factor authentication (password + key file) for its files
- it clears your clipboard after a timeout or when it is closed so that no passwords can be retrieved from it

Regards,
Florian Philipp
Re: [gentoo-user] Questions about hacked sites and passwords
On 17.01.2012 12:29, Dale wrote:
> Neil Bothwick wrote:
>> On Tue, 17 Jan 2012 04:27:09 -0600, Dale wrote:
>>>>> I use Lastpass which does about the same as other password managers.
>>>>
>>>> Doesn't LastPass store your passwords on their servers, and weren't they compromised last year? I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>>>
>>> None of the passwords were lost tho.
>>
>> This time.
>
> And maybe not the next time either, or the next time, or the next time. Point is, can you state for a fact that no site will ever be broken into, ever?
>
>>> They got everyone to change them just in case but according to what I read, the hackers didn't get anything.
>>
>> This time.
>
> See above.
>
>>> Keep in mind, they are encrypted locally, then sent to them. They can't see the passwords either.
>>
>> How is it encrypted? If the encryption system is not open source, it is not trustworthy.
>
> The guy that owns it posted on this list a good while back. This was before the hack job. According to the things I have read, it has been improved even more than it was. I agree open source can be good but that doesn't mean closed can't be since we don't know what it does. If we don't know, neither do the hackers.

That last argument is flawed. What you describe is called security through obscurity. That violates Kerckhoffs's principle, one of the foundations of cryptography.

I agree that the crypto system doesn't necessarily need to be open-source, depending on how much you trust the vendor. However, a good percentage of all security breaks are inside jobs. This is far harder to pull off when they publish the source code or have some kind of certification process.

Heck, even that might not protect you. See for example this thing: http://arstechnica.com/business/news/2012/01/device-turns-any-laptop-storage-into-a-self-encrypted-drive.ars

It is NIST FIPS 140-2 level 1 certified. However, it used AES-ECB, something that is known to be far too weak for full disk encryption. It still got certified since it works as expected.

In conclusion: There are lots of pitfalls and using secret crypto systems makes it impossible to check for them, even if you know your stuff.

Regards,
Florian Philipp
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 05:29:23 -0600, Dale wrote:

>>> None of the passwords were lost tho.
>>
>> This time.
>
> And maybe not the next time either, or the next time, or the next time. Point is, can you state for a fact that no site will ever be broken into, ever?

No, which is why I prefer not to entrust them with sensitive data.

>>> Keep in mind, they are encrypted locally, then sent to them. They can't see the passwords either.
>>
>> How is it encrypted? If the encryption system is not open source, it is not trustworthy.
>
> The guy that owns it posted on this list a good while back. This was before the hack job. According to the things I have read, it has been improved even more than it was. I agree open source can be good but that doesn't mean closed can't be since we don't know what it does. If we don't know, neither do the hackers.

See Florian's answer. Open sourcing the encryption method means that there can be no back doors and the many eyeballs principle applies to inadvertent security holes. Closed source means you have to have complete trust, blind faith even, in the developers to be 100% honest and 100% fault free.

A friend of mine who codes for financial institutions and is an encryption uber-geek once told me the principle they use is keep the algorithm open and the keys secret.

>> I wouldn't store my banking passwords anywhere online, in fact I cannot access my bank account with password alone. I also need my debit card, PIN and the card reader they supply. This generates a one-time password using my card's details and no online component. I realise that card security is not the greatest, but if they've got my card and PIN, I'm screwed anyway.
>
> Well, if I understand what you call a dropbox, that is online. I have never used it so I have no idea.

I don't store my bank details on Dropbox.

> My bank doesn't have all that. Honestly, until it is absolutely needed, I wouldn't want to go through all that just to see if I have enough money to buy milk. :/

I was sceptical when it first arrived, but it's really easy to use and no password needed since the card reader generates it for you. It looks like a small calculator with a card slot, so easy enough to carry around for remote access.

-- 
Neil Bothwick

Don't forget that MS-Windows is just a temporary workaround until you can switch to a GNU system.
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-16 9:22 PM, Dale rdalek1...@gmail.com wrote:
> One reason I ask this. I remember my passwords well. If I go to changing them every time someone gets hacked, I'll never be able to keep up with them again. I use Lastpass to remember them but it could stop working because of an upgrade or something. Then again, I could use its autogenerate thing and just HOPE for the best on upgrades.
>
> Thoughts? What do you guys, and our gal, do in situations like this?

Again... passwordmaker.org (the site menu is now fixed)...

It cannot 'stop working' (if a Firefox update broke it completely, you could always install an older version to use just for your passwords until it was fixed)...

Also - 10 characters is *not* a very strong password these days... I use a minimum of 15, and for critical sites (banks etc), 25 characters (unless they have a max length, then I use the max)...
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-17 3:41 AM, Neil Bothwick n...@digimed.co.uk wrote:
> I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.

And I'll stick with passwordmaker, which doesn't store the passwords at all, anywhere... only the account settings used to generate them, which are useless without the Master Password...
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-17 6:29 AM, Florian Philipp li...@binarywings.net wrote:
> Other features:
> - there is an android app (read-only access for now)

As does passwordmaker (pwm) - and an iphone app too...

> - there is a Windows version (including portable version for memory sticks)

Since it is a firefox plugin, it is supported on all platforms supported by Firefox - and I think it even works on Firefox mobile (but haven't tried it yet)... There is also a Desktop Version and an online version, and many many others: http://passwordmaker.org (look at the 'Editions')...

> - it has an integrated password generator with some nice options

As does pwm...

> - it allows 2-factor authentication (password + key file) for its files

That would be nice for generating passwords, but since pwm doesn't store anything (unless you tell it to - it does have the ability to store them), this isn't necessary...

> - it clears your clipboard after a timeout or when it is closed so that no passwords can be retrieved from it

As does pwm...

Pwm also will auto-populate your username/password on web forms for you.
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 07:37:38 -0500, Tanstaafl wrote:

>> I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>
> And I'll stick with passwordmaker, which doesn't store the passwords at all, anywhere... only the account settings used to generate them, which are useless without the Master Password...

It comes to the same thing really. Whether you store the passwords themselves or the methods and data used to generate them, both systems are as strong as the master password and useless if that is compromised. So stick with whatever suits your way of working. Choice is good :)

-- 
Neil Bothwick

WinErr 01A: Operating system overwritten - Please reinstall all your software. We are terribly sorry.
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-17 2:02 AM, Florian Philipp li...@binarywings.net wrote:
> Concerning how I'd handle it: I use app-admin/keepassx with a master password. I'd just change the random amazon password as I've not memorized it.

KeePassX looks interesting, and although I dearly love pwm, there are some irritating things about it (cannot sort or easily reorder accounts for example)... but, the deal breaker for me is it apparently doesn't have the option to *not* store the passwords locally, and simply regenerate them on the fly each time...

Maybe one day when I'm rich I'll commission a rewrite of PWM to fix all the niggling things about it and make it even better...
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-17 7:50 AM, Neil Bothwick n...@digimed.co.uk wrote:
> On Tue, 17 Jan 2012 07:37:38 -0500, Tanstaafl wrote:
>>> I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>>
>> And I'll stick with passwordmaker, which doesn't store the passwords at all, anywhere... only the account settings used to generate them, which are useless without the Master Password...
>
> It comes to the same thing really. Whether you store the passwords themselves or the methods and data used to generate them, both systems are as strong as the master password and useless if that is compromised. So stick with whatever suits your way of working. Choice is good :)

This is actually not correct... Since PWM doesn't store the passwords, there is nothing to 'crack'... there would never be any way for an attacker who got ahold of your RDF file to run an attack program against it - how would the attack program ever be able to determine 'success'?
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 07:52:56 -0500, Tanstaafl wrote:

> KeePassX looks interesting, and although I dearly love pwm, there are some irritating things about it (cannot sort or easily reorder accounts for example)... but, the deal breaker for me is it apparently doesn't have the option to *not* store the passwords locally, and simply regenerate them on the fly each time...

PWM looks interesting too, especially the auto-completion, however there's no ebuild for the desktop client :(

-- 
Neil Bothwick

One-seventh of your life is spent on Monday.
Re: [gentoo-user] Questions about hacked sites and passwords
is there a gal here?

Érico V. Porto

On Tue, Jan 17, 2012 at 11:00 AM, Tanstaafl tansta...@libertytrek.org wrote:
> On 2012-01-17 7:50 AM, Neil Bothwick n...@digimed.co.uk wrote:
>> On Tue, 17 Jan 2012 07:37:38 -0500, Tanstaafl wrote:
>>>> I'll stick with KeePassX, the password database is stored and encrypted locally. Even if I put it on DropBox, hacking that will only give the encrypted database.
>>>
>>> And I'll stick with passwordmaker, which doesn't store the passwords at all, anywhere... only the account settings used to generate them, which are useless without the Master Password...
>>
>> It comes to the same thing really. Whether you store the passwords themselves or the methods and data used to generate them, both systems are as strong as the master password and useless if that is compromised. So stick with whatever suits your way of working. Choice is good :)
>
> This is actually not correct... Since PWM doesn't store the passwords, there is nothing to 'crack'... there would never be any way for an attacker who got ahold of your RDF file to run an attack program against it - how would the attack program ever be able to determine 'success'?
Re: [gentoo-user] Questions about hacked sites and passwords
On 2012-01-17 8:03 AM, Neil Bothwick n...@digimed.co.uk wrote:
> PWM looks interesting too, especially the auto-completion, however there's no ebuild for the desktop client :(

Yeah, but you could always just use the Firefox extension to test it out/play with it. I don't use the Desktop Edition...
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 08:00:07 -0500, Tanstaafl wrote:

>> It comes to the same thing really. Whether you store the passwords themselves or the methods and data used to generate them, both systems are as strong as the master password and useless if that is compromised. So stick with whatever suits your way of working. Choice is good :)
>
> This is actually not correct... Since PWM doesn't store the passwords, there is nothing to 'crack'... there would never be any way for an attacker who got ahold of your RDF file to run an attack program against it - how would the attack program ever be able to determine 'success'?

I'm guessing to an extent here as I haven't yet tried PWM (no ebuild and I'd want a desktop client) but if the file can be read, you have the correct password, same as with KeePassX. It doesn't matter whether the file contains 4 or 2 + 2, once you can load it into PWM you can regenerate the passwords (the program would be somewhat useless otherwise).

-- 
Neil Bothwick

WinErr 008: Broken window - Watch out for glass fragments
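The "store the passwords" versus "store only the settings and regenerate" distinction argued over in the last few messages is easy to see in code. The block below is an added illustration written for this thread; it is not PasswordMaker's algorithm, file format or any project's code, and the field names, character set, iteration count and sample accounts are all assumptions. It derives each site password deterministically from the master password plus a per-account settings record, so the settings file (the stand-in for the RDF file) holds no secret on its own, while anyone holding it together with the master password regenerates every site password, which is Neil's point.

```python
"""Toy model of 'generate, do not store' password management.

Added illustration, not PasswordMaker's real algorithm or file format.
Field names, charset, iteration count and sample accounts are assumptions.
"""
import hashlib

ITERATIONS = 100_000  # assumption: slow derivation so guessing the master password is expensive
DEFAULT_CHARSET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"
)


def derive_password(master: str, account: dict) -> str:
    """Deterministically derive one site password from the master password and
    the per-account settings. Only the settings are ever written to disk."""
    charset = account.get("charset", DEFAULT_CHARSET)
    length = account["length"]
    # The account settings act as the salt: a different site, username or
    # modifier yields an unrelated password from the same master.
    salt = f'{account["site"]}|{account["username"]}|{account.get("modifier", "")}'.encode()
    # 64 bytes = 512 bits of derived key, ample for any realistic length here.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))  # small modulo bias is acceptable for an illustration
        out.append(charset[idx])
    return "".join(out)


def regenerate_all(master: str, settings: list) -> dict:
    """What the settings file buys its holder: with the master password it
    reproduces every site password; without it, the file holds no secret."""
    return {acct["site"]: derive_password(master, acct) for acct in settings}


# Constructed stand-in for the settings file: parameters only, no passwords.
SAMPLE_SETTINGS = [
    {"site": "bank.example", "username": "dale", "length": 25},
    {"site": "shop.example", "username": "dale", "length": 15},
    {"site": "forum.example", "username": "dale", "length": 12, "modifier": "v2"},
]

if __name__ == "__main__":
    for site, pw in regenerate_all("a long master passphrase", SAMPLE_SETTINGS).items():
        print(f"{site:15} len={len(pw):2} {pw}")
```

The `modifier` field is how such a scheme handles the thread's original question: after a site is breached, bumping that one account's modifier changes only that site's password while the master password stays put. The security of the whole set still rests on the master password and on how slow the derivation is, exactly as it does for an encrypted vault.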
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, 17 Jan 2012 08:14:36 -0500, Tanstaafl wrote:

>> PWM looks interesting too, especially the auto-completion, however there's no ebuild for the desktop client :(
>
> Yeah, but you could always just use the Firefox extension to test it out/play with it. I don't use the Desktop Edition...

I could be really picky and say I don't use FF either, but you'd only point to the Chrome extension :P

I would want a desktop client, I use KeePassX to store more than online passwords. For that reason, I also need something that will actually store data, but it seems that PWM can do that.

-- 
Neil Bothwick

Experience is what you get when you didn't get what you wanted.
Re: [gentoo-user] Questions about hacked sites and passwords
On Tue, Jan 17, 2012 at 12:11:14PM +, Penguin Lover Neil Bothwick squawked:
> I was sceptical when it first arrived, but it's really easy to use and no password needed since the card reader generates it for you. It looks like a small calculator with a card slot, so easy enough to carry around for remote access.

Yours is slightly more convenient then. Mine requires a password first _then_ a challenge-response with the calculator thingie, the first step of which seems to me slightly pointless. If someone has my pin and debit card already, they can just go to the ATM and bypass the first password.

W
-- 
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire et vice versa ~~~ I. Newton
[gentoo-user] Questions about hacked sites and passwords
Howdy,

It was on the news that some company got hacked into that was related to Amazon. They said Amazon users should change their password just as a precaution. I have a question tho.

I use some pretty good passwords for the things that matter, sites such as my bank, credit card, ebay, paypal, newegg and others that may store things such as my credit card numbers. Here is an example but not a close match to a typical password: $cb78862A!

According to those password strength websites, that is a great password. Fairly long and lots of assorted characters and impossible to guess since it contains no personal info such as birthdays or pets. This is fairly typical for sites that matter. I may use something simple for sites such as forums or something tho.

My question. If I have a really good password and someone gets hacked, should I change the password if the passwords are still safe? In other words, they got some data such as email addys but the passwords and credit cards are still secure. Should a person change it anyway?

One reason I ask this. I remember my passwords well. If I go to changing them every time someone gets hacked, I'll never be able to keep up with them again. I use Lastpass to remember them but it could stop working because of an upgrade or something. Then again, I could use its autogenerate thing and just HOPE for the best on upgrades.

Thoughts? What do you guys, and our gal, do in situations like this?

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
OT: Re: [gentoo-user] Questions about hacked sites and passwords
On 1/16/2012 09:22 PM, Dale wrote:
> Howdy,
>
> It was on the news that some company got hacked into that was related to Amazon. They said Amazon users should change their password just as a precaution. I have a question tho.
>
> I use some pretty good passwords for the things that matter, sites such as my bank, credit card, ebay, paypal, newegg and others that may store things such as my credit card numbers. Here is an example but not a close match to a typical password:
>
> snip
>
> My question. If I have a really good password and someone gets hacked, should I change the password if the passwords are still safe? In other words, they got some data such as email addys but the passwords and credit cards are still secure. Should a person change it anyway?
>
> One reason I ask this. I remember my passwords well. If I go to changing them every time someone gets hacked, I'll never be able to keep up with them again. I use Lastpass to remember them but it could stop working because of an upgrade or something. Then again, I could use its autogenerate thing and just HOPE for the best on upgrades.
>
> Thoughts? What do you guys, and our gal, do in situations like this?
>
> Dale

My idea on changing your passwords is that you should change your passwords every 6 months, at least since you can never know if someone has stolen the other site's user/password files (or your own). Even with password encryption/hashing, it is only a matter of time before an attacker will crack your password (even assuming a brute-force attack).

Also, when you hear that a site you do personal business with, such as your bank, shopping sites, etc. has been hacked, it is a *very* good idea to change your password for that site, and related sites - for example, if you change your password for Amazon, you probably should change it for Paypal if you ever use it to pay for your purchases.

It is a matter of protection (both the 6 month policy and the hacked site policy). It means that, even if a hacker got your username and (encrypted) password, and managed to brute force your password, it would not be able to be used to log in as you.

Oh, and I do practice a policy that most advise against - I write down my passwords for sites, until I memorize them, and keep those papers safe. I do this because, if someone were to break into my home, all thoughts of computer security would go out the window.

Chris
Re: [gentoo-user] Questions about hacked sites and passwords
On 17.01.2012 03:22, Dale wrote:
> Howdy,
>
> It was on the news that some company got hacked into that was related to Amazon. They said Amazon users should change their password just as a precaution. I have a question tho.
>
> I use some pretty good passwords for the things that matter, sites such as my bank, credit card, ebay, paypal, newegg and others that may store things such as my credit card numbers. Here is an example but not a close match to a typical password: $cb78862A!
>
> According to those password strength websites, that is a great password. Fairly long and lots of assorted characters and impossible to guess since it contains no personal info such as birthdays or pets. This is fairly typical for sites that matter. I may use something simple for sites such as forums or something tho.
>
> My question. If I have a really good password and someone gets hacked, should I change the password if the passwords are still safe? In other words, they got some data such as email addys but the passwords and credit cards are still secure. Should a person change it anyway?
>
> One reason I ask this. I remember my passwords well. If I go to changing them every time someone gets hacked, I'll never be able to keep up with them again. I use Lastpass to remember them but it could stop working because of an upgrade or something. Then again, I could use its autogenerate thing and just HOPE for the best on upgrades.
>
> Thoughts? What do you guys, and our gal, do in situations like this?
>
> Dale
>
> :-) :-)

Well, "it depends" is the only answer I can really give. There are basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change your pw. I doubt amazon is stupid enough to store passwords as plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or sha1 with no salt. With modern PCs, it isn't too hard to brute-force against such, even without rainbow-tables. Then you should change your password but you might get lucky and don't need to.

3. Strong password hashes were used (something slow with a lot of salt, possibly without storing the salt so it has to be guessed as well). Then you don't need to change your password.

4. Something else was done. For example known-plaintext or man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master password. I'd just change the random amazon password as I've not memorized it.

Obligatory xkcd reference: http://xkcd.com/936/ (I've checked the math, he is right.)

Regards,
Florian Philipp
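Florian's scenarios 2 and 3 turn on how the site stored the hashes, and that is something a defender can check in their own user table before a breach ever happens. The block below is an added example written for this thread, not code from any project mentioned here: it builds a small constructed credential table, hashes some entries the weak way (unsalted MD5 or SHA-1) and some the strong way (salted, iterated PBKDF2-HMAC-SHA256, in a storage format invented here), then audits the table for weak formats and for the tell-tale symptom of unsalted hashing, identical hashes for users who chose the same password. The iteration count and the `pbkdf2_sha256$iterations$salt$digest` layout are assumptions.

```python
"""Audit a credential table for the storage schemes in Florian's scenarios 2 and 3.

Added example for this thread; all user records are constructed sample data and
the storage format below is our own, not a standard one.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 200_000  # assumption: a slow work factor; tune for your hardware


def weak_hash(password: str) -> str:
    """Scenario 2: unsalted MD5. Every user with this password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None) -> str:
    """Scenario 3: per-user random salt plus a slow KDF. Same password, different
    hash each time, and each guess against it costs PBKDF2_ITERATIONS rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Login-time check: recompute with the stored salt and iteration count and
    compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify(stored: str) -> str:
    """Infer the storage scheme from the shape of the stored string."""
    if stored.startswith("pbkdf2_sha256$"):
        return "salted PBKDF2 (strong)"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted MD5 (weak)"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "unsalted SHA-1 (weak)"
    return "unknown"


def audit(records):
    """records: iterable of (username, stored_hash).

    Returns (counts per scheme, groups of users whose weak hashes are identical).
    Identical unsalted hashes mean shared passwords, which is exactly what a
    precomputed table exploits; salted hashes never collide this way."""
    counts = {}
    by_weak_hash = {}
    for user, stored in records:
        scheme = classify(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
        if "weak" in scheme:
            by_weak_hash.setdefault(stored, []).append(user)
    shared = [users for users in by_weak_hash.values() if len(users) > 1]
    return counts, shared


# Constructed sample table: alice and bob reused one weak-hashed password,
# dave and erin chose that same password but were hashed the strong way.
SAMPLE_RECORDS = [
    ("alice", weak_hash("correct horse battery staple")),
    ("bob", weak_hash("correct horse battery staple")),
    ("carol", hashlib.sha1(b"letmein").hexdigest()),
    ("dave", strong_hash("correct horse battery staple")),
    ("erin", strong_hash("correct horse battery staple")),
]

if __name__ == "__main__":
    counts, shared = audit(SAMPLE_RECORDS)
    print("schemes in use:", counts)
    print("users sharing a password, visible only because the hash is unsalted:", shared)
```

Run as a script it reports two weak MD5 records, one weak SHA-1 record and two strong ones, and flags alice and bob as sharing a password; dave and erin chose the same password but their salted hashes differ, so nothing about them leaks from the table itself.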
Re: [gentoo-user] Questions about hacked sites and passwords
Florian Philipp wrote:
> On 17.01.2012 03:22, Dale wrote:
>> Howdy,
>>
>> It was on the news that some company got hacked into that was related to Amazon. They said Amazon users should change their password just as a precaution. I have a question tho.
>>
>> I use some pretty good passwords for the things that matter, sites such as my bank, credit card, ebay, paypal, newegg and others that may store things such as my credit card numbers. Here is an example but not a close match to a typical password: $cb78862A!
>>
>> According to those password strength websites, that is a great password. Fairly long and lots of assorted characters and impossible to guess since it contains no personal info such as birthdays or pets. This is fairly typical for sites that matter. I may use something simple for sites such as forums or something tho.
>>
>> My question. If I have a really good password and someone gets hacked, should I change the password if the passwords are still safe? In other words, they got some data such as email addys but the passwords and credit cards are still secure. Should a person change it anyway?
>>
>> One reason I ask this. I remember my passwords well. If I go to changing them every time someone gets hacked, I'll never be able to keep up with them again. I use Lastpass to remember them but it could stop working because of an upgrade or something. Then again, I could use its autogenerate thing and just HOPE for the best on upgrades.
>>
>> Thoughts? What do you guys, and our gal, do in situations like this?
>>
>> Dale
>>
>> :-) :-)
>
> Well, "it depends" is the only answer I can really give. There are basically 4 scenarios which might have occurred:
>
> 1. Plaintext passwords were stolen. Then you should definitely change your pw. I doubt amazon is stupid enough to store passwords as plaintext, though.
>
> 2. Relatively weak password hashes were stolen, for example MD5 or sha1 with no salt. With modern PCs, it isn't too hard to brute-force against such, even without rainbow-tables. Then you should change your password but you might get lucky and don't need to.
>
> 3. Strong password hashes were used (something slow with a lot of salt, possibly without storing the salt so it has to be guessed as well). Then you don't need to change your password.
>
> 4. Something else was done. For example known-plaintext or man-in-the-middle attacks against users. Then, well, it depends again ;)
>
> Concerning how I'd handle it: I use app-admin/keepassx with a master password. I'd just change the random amazon password as I've not memorized it.
>
> Obligatory xkcd reference: http://xkcd.com/936/ (I've checked the math, he is right.)
>
> Regards,
> Florian Philipp

This is what one news source says, and they are all about the same:

http://venturebeat.com/2012/01/16/zappo-hack/

"I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."

What I read now is that it only affected the one site. It was early on that changing the password on Amazon was mentioned and I guess since they were not sure, it was just in case the worst happened.

I use Lastpass which does about the same as other password managers.

It looks now like Zappo got off sort of lucky. Their customers may get extra spam now but at least it sounds like their credit card data is safe. According to netcraft they run Linux. I wonder how they got into it? Think the admin had a really common password like god or something. lol Wasn't that in the movie Hackers?

Well, I changed mine before I sent the first post, just to be sure. Of course, with my bank account, they ain't going to spend much. Certainly not worth serious jail time. o_O

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n