
Thread: Here we go again with passwords. Chase gave away 76 million of them

  1. #1
    Join Date
    Oct 2007
    Location
    Waterford, PA
    Posts
    305

    Here we go again with passwords. Chase gave away 76 million of them

    Back in May we were chatting about password managers.

    I said it doesn't make a difference when companies give away millions of passwords. I was told I was naive and grossly unfair.

    Now look.

    JPMorgan Chase gave away 76 million. I know people who have that card.

    Again, we could have a 256-character password, but it wouldn't matter. Chase handed over 76 million.

    http://dealbook.nytimes.com/2014/10/...2&nlid=1451445

  2. #2
    Join Date
    Dec 2011
    Location
    Lexington, Oh
    Posts
    509
    I agree... "Gave away", or "handed over" is a bit naive and unfair. No software system is bug free. There are many talented crooks working every day to break into any system that appears to have any value at all.

    If you don't trust the technology, don't use it. That's my advice and it's probably worth what you paid for it!

    Do remember that every time you hand someone a check, you just handed them your bank routing number and account number... guess that leaves cash... there are people who will kill for that (or less) also.
    Last edited by Duane Meadows; 10-02-2014 at 8:50 PM.

  3. #3
    Join Date
    Aug 2014
    Location
    Los Angeles
    Posts
    26
    It's about time. I hope they do it to all others.

  4. #4
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,454
    My understanding in the Chase case is that no passwords or account numbers got taken. Still a big deal regardless.

  5. #5
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,568
    Even if a username/password database were stolen, I think it's still worthwhile to not use "password" everywhere. I certainly hope no responsible institution stores user data unencrypted. It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries. A bad guy who can decrypt 90% of a stolen password database in a week may not spend a few months hammering on the remaining 10%.

  6. #6
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,454
    I love how people are saying these databases should have no Internet access. How exactly does online banking work without access to this information? Yes, you can have separate networks, but at least one server has to have access to both networks in order to make online banking work.

  7. #7
    Join Date
    Jun 2006
    Location
    The Hartland of Michigan
    Posts
    7,628
    Quote Originally Posted by Curt Harms View Post
    It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries.
    Apparently it doesn't take much to decrypt a 55 character PW.
    http://www.zdnet.com/password-breake...es-7000019891/

    By the way, it happened in July.
    Last edited by Myk Rian; 10-03-2014 at 11:07 AM.

  8. #8
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,568
    Quote Originally Posted by Myk Rian View Post
    Apparently it doesn't take much to decrypt a 55 character PW.
    http://www.zdnet.com/password-breake...es-7000019891/

    By the way, it happened in July.
    We can only change what we have control of. Most of us have no control over the security of password databases. The only thing that I can think of to reduce the likelihood of a stolen password being used is to use a password manager so you only have to remember one somewhat complex password. Have two databases, one important which would likely be fairly small and one of less consequence. The important database would be stuff like banking, health related, insurance. Maybe Amazon & Paypal because they keep credit cards on file or are tied into bank accounts. Maybe change those passwords every 90 days or so. I wonder what the time typically is between a database being hacked and the stolen information being used?
    Last edited by Curt Harms; 10-04-2014 at 8:34 AM.

  9. #9
    Join Date
    Aug 2011
    Location
    New York, NY
    Posts
    2,203
    Quote Originally Posted by Myk Rian View Post
    Apparently it doesn't take much to decrypt a 55 character PW.
    http://www.zdnet.com/password-breake...es-7000019891/

    By the way, it happened in July.
    The application (Hashcat) only works when the attacker actually has access to the hashed password it's trying to guess. Without that starting point, Hashcat isn't as much of a threat as it sounds.

    Creating multiple, difficult to guess login IDs is also a good idea.
    Last edited by Peter Kelly; 10-04-2014 at 9:57 AM.
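
An added example, not part of any post in this thread: it illustrates the two points made in posts #5 and #9, that a dictionary word in a stolen credential store is recovered far sooner than a long random password, and that any such check needs the stored salt and hash in hand. The salted PBKDF2 storage format, the iteration count, the guess rate, the user names and the wordlist are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

ITERATIONS = 10_000      # assumed work factor, kept low so the example runs fast
GUESSES_PER_SEC = 1e9    # assumed offline guess rate, for illustration only

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(user: str, password: str) -> dict:
    salt = os.urandom(16)  # unique per user
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}

def audit_weak(records: list, wordlist: list) -> list:
    """Return users whose stored hash matches a word on the list.
    This is only possible with the stored salt and hash in hand."""
    flagged = []
    for rec in records:
        if any(hmac.compare_digest(hash_password(w, rec["salt"]), rec["hash"])
               for w in wordlist):
            flagged.append(rec["user"])
    return flagged

def keyspace_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)

def demo() -> list:
    # Constructed sample data: two dictionary-style passwords, one random.
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    random_pw = "".join(secrets.choice(alphabet) for _ in range(64))
    records = [make_record("alice", "password"),
               make_record("bob", "sunshine"),
               make_record("carol", random_pw)]
    wordlist = ["123456", "password", "qwerty", "sunshine"]  # constructed
    return audit_weak(records, wordlist)

if __name__ == "__main__":
    print("flagged by wordlist audit:", demo())
    for n, length in ((26, 8), (94, 64)):
        bits = keyspace_bits(n, length)
        print("%d symbols x %d chars: %.1f bits, %.2g years" % (
            n, length, bits, years_to_exhaust(bits)))
```

The same wordlist audit is how a site operator can find and force-reset weak passwords before anyone else does.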

  10. #10
    Best I can tell is that a lot of this is based on things we have nothing to do with. If we used the best passwords available and the site we're logging into doesn't use the best practices, it's all meaningless.

    On my Macs, it has a password creation and storing tool. It creates passwords that are pure gibberish, with dashes, numbers, letters, etc. I couldn't remember one if I wrote it down. It works across devices, so if I create the account on my desktop, then use my laptop, phone, or tablet, it knows the password. I started using it not long ago and was quite pleased with never having to remember another password, then I went to a site that I thought should be fairly secure and when I told it to generate a password for me, it did, and I submitted it, only to have the site reject the password for its use of characters. In the end, I had to dumb it down and manually enter a password that I felt wasn't nearly as secure, which concerned me slightly.

  11. #11
    Join Date
    Dec 2012
    Location
    Hampton, GA
    Posts
    118
    I just have to wonder if you actually read the whole article you referenced. It clearly says that passwords were not part of the booty.

    Saying they gave away anything is like saying you gave away your goods to the thief that picked the lock on your front door.

    While I agree that some companies take a lax approach to security, I think most do not. It is not in their self interest to do so. The sad fact is that any system can be breached given enough talent and time.

  12. #12
    Quote Originally Posted by thomas hsieh View Post
    Its about time. I hope they do it to all others
    I guess I don't understand your point.

  13. #13
    Join Date
    Sep 2007
    Location
    Upstate NY
    Posts
    3,789
    They claim that no info you couldn't find in the phone book was lost, and no accounts have been abused.
    Why would they lie?

  14. #14
    Join Date
    Feb 2003
    Location
    Pleasant Grove, UT
    Posts
    1,503
    Quote Originally Posted by Curt Harms View Post
    Even if a username/password database were stolen, I think it's still worthwhile to not use "password" everywhere. I certainly hope no responsible institution stores user data unencrypted. It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries. A bad guy who can decrypt 90% of a stolen password database in a week may not spend a few months hammering on the remaining 10%.
    Right. And good luck remembering a 64 character random password, much less remembering multiple different such passwords. Contrary requirements. Something memorable versus something robust.

  15. #15
    Join Date
    Mar 2003
    Location
    Upland CA
    Posts
    5,561
    Question.

    I am not computer literate at all. We try to have passwords on anything important, but there are a lot of places, like this forum, where I am giving away no info that cannot be found easily.

    In that situation, does it really matter if I use a simple password?
