aaronburro Sup, B 53065 Posts
i know it's *old* by interweb standards, but if any of you people use LinkedIn, you should change your password, and maybe change other passwords to accounts associated with your email address.
http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html
This notice was brought to you by your friendly neighborhood aaronburro ] 6/7/2012 4:36:39 PM |
pilgrimshoes Suspended 63151 Posts
after trying to remember my password in order to log in to this silly site, i got in and i saw this, which i don't remember from before:
Quote : | "Your email is safe with us! We will not store your password or email anyone without your permission. " |
casually near the "see who you already know" section, got a chuckle
and changed my password 6/7/2012 4:39:48 PM |
ApexDave Veteran 143 Posts
Well it's technically true. They did not store the password... just a SHA hash.. that wasn't salted.
http://leakedin.org/
That site lets you put in your password or SHA-1 hash value to see if it was in the leak. 6/7/2012 6:09:31 PM |
CaelNCSU All American 7082 Posts
I for one always type my password into random sites. 6/7/2012 6:19:32 PM |
Prospero All American 11662 Posts
iamgod
"Your password was leaked and cracked. Sorry, friend."
asdfjkl;
"Your password was leaked and cracked. Sorry, friend."
[Edited on June 7, 2012 at 7:37 PM. Reason : .] 6/7/2012 7:36:54 PM |
smoothcrim Universal Magnetic! 18966 Posts
skeet
"Looks like your password was not leaked. Hooray!"
penis
"Looks like your password was not leaked. Hooray!" 6/7/2012 7:45:27 PM |
Kickstand All American 11596 Posts
password1
"Your password was leaked and cracked. Sorry, friend." 6/7/2012 10:35:43 PM |
ThePeter TWW CHAMPION 37709 Posts
Quote : | "cc8f461bc483d23e5fcc2d999b70fe65e381aa3a" |
Quote : | " Looks like your password was not leaked. Hooray! " |
6/7/2012 10:40:05 PM |
BobbyDigital Thots and Prayers 41777 Posts
fucknut
"Your password was leaked and cracked. Sorry, friend." 6/7/2012 11:54:27 PM |
jaZon All American 27048 Posts
blowme was leaked 6/8/2012 12:12:05 AM |
lewisje All American 9196 Posts
obvs. hash is better salted
om nom nom
on a more serious note, p=====B ~ `o->-< was also cracked from a separate leak (near bottom): http://xdecrypt.com/google-sha1-a45c-3 6/8/2012 1:25:24 AM |
pttyndal WINGS!!!!! 35217 Posts
looks like last.fm got hacked too
http://www.pcworld.com/article/257178/music_site_lastfm_joins_the_passwordleak_parade.html 6/8/2012 8:22:04 AM |
wolfpackgrrr All American 39759 Posts
Good thing I deleted my LinkedIn account years ago. I got tired of all their stupid spam. 6/8/2012 9:08:01 AM |
lewisje All American 9196 Posts
I'm seriously thinking about moving to bcrypt: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/ Too bad my host hasn't upgraded its FastCGI variant of PHP to version 5.3 or 5.4, or else I would feel more comfortable installing this: http://www.openwall.com/phpass/
Instead I moved a site I maintain from a singly randomly-salted MD5 to a Whirlpool-based HMAC: https://secure.wikimedia.org/wikipedia/en/wiki/HMAC
I know I've posted this pic before, and again, although the example uses SHA-1, any hash will do for the illustration of a HMAC: http://thewolfweb.com/message_topic.aspx?topic=617783&page=1#14958141 6/11/2012 6:24:00 AM |
EuroTitToss All American 4790 Posts
Quote : | "I'm seriously thinking about moving to bcrypt: " |
I read Hacker News quite a bit and the funny thing is people will already call you an idiot for using bcrypt instead of scrypt (which has only been out 3 years). They obviously don't give a shit there are no publicized scrypt implementations for PHP.
I'm wondering if I should try writing one myself. It's stupid as hell writing your own crypto, but I bet other people would want it. 6/11/2012 8:36:48 AM |
lewisje All American 9196 Posts
Maybe I should take the C code from the Debian FTP: http://ftp.de.debian.org/debian/pool/main/s/scrypt/
or the main site: http://www.tarsnap.com/scrypt.html
and make me a CGI program that can be called from PHP 6/11/2012 9:50:46 AM |
Str8BacardiL ************ 41753 Posts
I just tried to log in.
Quote : | "Sorry, we need you to reset your password as a security precaution.
We've sent you an email that will allow you to reset your password quickly and easily. Please check your email now. " |
6/11/2012 10:31:16 AM |
lewisje All American 9196 Posts
wait wait wait
I just found out that the aforementioned site's host used the Suhosin Patch on PHP 5.2: http://www.hardened-php.net/suhosin/
now imago switch us all over to bcrypt
[Edited on June 11, 2012 at 10:54 AM. Reason : nm it has Suhosin but CRYPT_BLOWFISH==0 6/11/2012 10:33:02 AM |
lewisje All American 9196 Posts
o lookie, scrypt is available for Python: http://pypi.python.org/pypi/scrypt/0.5.4 and Haskell: http://hackage.haskell.org/package/scrypt-0.3.2 and Windows Phone 7 and Silverlight 3-5: http://www.nuget.org/packages/DH.Scrypt.dll 6/11/2012 11:07:38 AM |
BobbyDigital Thots and Prayers 41777 Posts
I'll just take this opportunity to repost this classic and informative XKCD
6/11/2012 11:18:42 AM |
Arab13 Art Vandelay 45180 Posts
Very true. 6/11/2012 11:37:09 AM |
Ernie All American 45943 Posts
lewisje has a lot of acronyms and links
He must be very smart 6/11/2012 11:44:51 AM |
quagmire02 All American 44225 Posts
it's stuff like this that continues to amaze me 6/11/2012 2:15:51 PM |
lewisje All American 9196 Posts
^indeed, and you'd think that a site used by, among others, security professionals to network would have figured out the sort of thing that is built into Zen Cart and phpBB
^^most of those initialisms (okay, SHA is an acronym) are in common use...
PHP - PHP: Hypertext Parser, the most common server-side scripting language on the Web: http://php.net/
CGI - Common Gateway Interface, the means by which a Web server can send certain files (like .php files) off to server-side executables (like the php program) for processing, before sending the output to the user
FTP - File Transfer Protocol, a simple protocol for sending files between a local computer and a remote server
SHA - Secure Hash Algorithm, one of a series of cryptographic hash algorithms approved by NIST (the National Institute of Standards and Technology) for ensuring the integrity of data transmission; the original was quickly shown to be flawed, the next (SHA-1) took longer to show any weakness, and although the SHA-2 suite has no known efficiently-exploitable weaknesses, NIST isn't waiting around for one to show up and has already announced a competition, to be completed sometime this year, for an even more secure hash suite to be denoted "SHA-3"
XOR - In the picture although not in my previous posts ITT, "eXclusive OR" can be thought of as the bitwise addition modulo 2 (addition of binary numbers without carry), or the logical operator that returns "true" if and only if the two operands have different truth values; for the purpose of cryptography, it's the former.
HMAC - Hash-based Message Authentication Code, usually used in TLS (Transport-Layer Security, f.k.a. SSL or "Secure Sockets Layer") to provide confirmation of integrity via the hashing and authenticity via the use of that shared key, in a way that prevents an attacker from determining the key itself, but also usable as a more convoluted variant of a salted hash for storing passwords
MD5 - Message Digest 5, an algorithm developed by Ron Rivest, who also co-developed the RSA (Rivest-Shamir-Adleman) encryption algorithm; after it was discovered to be vulnerable, he developed MD6 and briefly submitted it to the first round of the aforementioned NIST competition, and he also developed the RC4 encryption cipher ("Rivest Cipher 4," used in WEP, "Wired Equivalent Privacy," and also found to be insecure) and co-developed its latest successor RC6, which is patented by his firm, RSA Security
also RSA was first thought up by a guy named Cocks (lol) but he had to keep it under wraps because he worked for a British intelligence agency
^^^The comic was about making a password that is tough to crack for those who don't have access to the hash, not about using a hashing method that is resistant to cracking; however, for hashes that are either unsalted or salted with a common salt, more-common passwords are more vulnerable to rainbow tables.
[Edited on June 11, 2012 at 2:58 PM. Reason : also GNU's Not Unix lol 6/11/2012 2:53:02 PM |
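The three storage schemes this thread circles around, side by side: the unsalted SHA-1 of the dump (which is why a site like leakedin.org can match stored digests against a table of common passwords), the per-user salted HMAC lewisje switched to, and a memory-hard scrypt record with verification. This is an added example, not code from the thread or from any project named in it; it uses only Python's hashlib and hmac, and the wordlist, salts, digest choice (SHA-1 for the HMAC, since "any hash will do" for the illustration) and scrypt cost parameters are constructed assumptions.

```python
import hashlib
import hmac
import os


def sha1_unsalted(password: bytes) -> str:
    """The scheme behind the leak: one fast SHA-1, no per-user salt."""
    return hashlib.sha1(password).hexdigest()


# Constructed wordlist; a real precomputed table holds millions of entries.
WORDLIST = [b"123456", b"password1", b"linkedin", b"qwerty"]
SHA1_TABLE = {sha1_unsalted(w): w for w in WORDLIST}


def in_precomputed_table(stored_digest: str) -> bool:
    """The check a leak-lookup site performs: compare a stored digest with
    digests of common passwords. It only works because every account's
    password was hashed the same way, so one table serves the whole dump."""
    return stored_digest in SHA1_TABLE


def hmac_salted(password: bytes, salt: bytes, digest: str = "sha1") -> str:
    """Per-user salted HMAC (the thread's variant uses Whirlpool; the digest
    here is an assumption). A different salt per account means a table would
    have to be rebuilt for every single user."""
    return hmac.new(salt, password, digest).hexdigest()


def scrypt_record(password: bytes, salt: bytes = b"") -> dict:
    """Memory-hard scrypt via hashlib.scrypt (OpenSSL-backed). The cost
    parameters are illustrative assumptions; raise n for production."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    key = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32)
    # Store everything needed to recompute: salt and parameters travel with
    # the hash so they can be raised later without breaking old records.
    return {"salt": salt.hex(), "n": n, "r": r, "p": p, "hash": key.hex()}


def scrypt_verify(record: dict, candidate: bytes) -> bool:
    """Recompute with the stored salt/parameters; constant-time compare."""
    key = hashlib.scrypt(candidate, salt=bytes.fromhex(record["salt"]),
                         n=record["n"], r=record["r"], p=record["p"],
                         dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))
```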
Ernie All American 45943 Posts
Quote : | "PHP - P Hypertext Parser," |
Wrong, motherfucker.
It's not that I don't know what these mean. I use many of these technologies on a daily basis. It's just that you sound like an absolute turd trying shove way too much lingo into every sentence.
[Edited on June 11, 2012 at 2:57 PM. Reason : ] 6/11/2012 2:55:12 PM |
lewisje All American 9196 Posts
I used those terms to describe my thoughts in a concise manner; it's much better than "that doohickey thurr" or vague language like "an even stronger hash," and it's not like I'm using intentionally flashy language like a typical "Web 2.0 SEO viral monetization ninja" to cover up the lack of substantive content. 6/11/2012 3:03:18 PM |
Ernie All American 45943 Posts
Still a turd
[Edited on June 11, 2012 at 3:13 PM. Reason : Usually it's obvious that you barely have even a shallow understanding of the technology when you po]
[Edited on June 11, 2012 at 3:13 PM. Reason : st shit like "WinMerge4Lyfe"] 6/11/2012 3:12:13 PM |
EuroTitToss All American 4790 Posts
holy fuck 6/11/2012 3:28:26 PM |
lewisje All American 9196 Posts
^^I was trying to be funny; the real reason I use that free merge program is that it is free.
[Edited on June 11, 2012 at 5:35 PM. Reason : Now if there were a free three-way comparison tool for Windows... 6/11/2012 5:35:01 PM |