[Password Leak] LinkedIn database hacked


Serenata:
Quote from: ErebusBat on June 06, 2012, 07:31:56 PM

Quote from: kjlimo on June 06, 2012, 07:29:22 PM

Who salts a password?  Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?


kjlimo,
It is, unfortunately, up to the website operator to do.  The safest thing you can do as a consumer is to use a random password at each site.


+1
Cool tool for the job > Keepass

justusranvier:
Quote from: ErebusBat on June 06, 2012, 07:31:56 PM

The safest thing you can do as a consumer is to use a random password at each site.

Doing that is much easier with a dedicated password manager, like LastPass.

Xenland:
http://CheaperInBitcoins.com salts its passwords with 254 random characters, uniquely per account, along with appending another salt that is the customer's ID# multiplied by an undisclosed number, on top of requiring users/merchants/customers to have a password of 10 characters or more. So to visualise the hashing, it would look something like this in pseudocode:
Code:

hash("sha512", <random 254 characters> (<user_id> * <undisclosed number>) <customer/username password>)
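The scheme sketched in the post (random per-account salt, a value tied to the customer ID, a minimum password length, SHA-512) written out as a runnable example. This is added code, not CheaperInBitcoins.com's own implementation: the server secret, the 32-byte salt length, the PBKDF2 iteration count and the record layout are assumptions. One deliberate change from the pseudocode: a single SHA-512 call is fast enough to brute-force at billions of guesses per second on GPUs, so the digest here is produced by PBKDF2-HMAC-SHA512, which keeps the same inputs but makes each guess expensive. The "ID multiplied by an undisclosed number" is replaced by an HMAC of the ID under a secret kept outside the database, which ties the hash to the account in the same way without being reversible.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example: a server-side secret standing in for the post's
# "undisclosed number". Keep it out of the database so a dump alone is not enough.
SERVER_SECRET = b"example-server-secret-not-stored-with-the-hashes"
MIN_PASSWORD_LENGTH = 10          # the post's stated minimum
SALT_BYTES = 32                   # assumption: 32 random bytes per account
ITERATIONS = 210_000              # PBKDF2 work factor; raise as hardware gets faster


def _user_pepper(user_id: int) -> bytes:
    """Per-account value derived from the customer ID and the server secret.

    The post multiplies the ID by an undisclosed number; an HMAC over the ID
    does the same job (binds the hash to the account) but cannot be inverted
    to recover the secret from one example.
    """
    return hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha512).digest()


def hash_password(user_id: int, password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: random per-account salt plus a PBKDF2-SHA512 digest."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per account, stored in the clear beside the hash
    # Random salt and per-user pepper form the PBKDF2 salt input; the password is the secret.
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), salt + _user_pepper(user_id), ITERATIONS
    )
    return {
        "user_id": user_id,
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": digest.hex(),
    }


def verify_password(record: dict, password: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha512",
        password.encode(),
        salt + _user_pepper(record["user_id"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = hash_password(42, "correct horse battery")
    print(rec["salt"][:16], "...", verify_password(rec, "correct horse battery"))
```

Storing the iteration count in the record is what lets the operator raise the work factor later and re-hash each account at its next successful login, instead of forcing a site-wide reset.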

Steve:
Quote from: gweedo on June 06, 2012, 08:16:48 PM

Quote from: mcorlett on June 06, 2012, 08:14:00 PM

Quote from: realnowhereman on June 06, 2012, 08:11:25 PM

Quote from: i_rape_bitcoins on June 06, 2012, 08:07:39 PM

"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.




Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

The source is available for anyone to read.


Just change your password on linkedin, then you don't need to worry about if the source is readable or anything. Problem Solved :)

Uhhh…as well as every other site where you may have happened to use the same username and password.  People really do need a way of testing whether specific passwords are in that list…because many may have forgotten what password they used (with browser autofill, etc) and if they reset it, well, that doesn't tell them which password has been compromised.  Otherwise, they may need to change every password on every site, which can be tedious.

Just more justification to use unique, generated passwords on every site.
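The exchange the quoted tool describes (browser hashes the password, sends the SHA-1 to the server, server replies whether it is in the leaked list), as an added example that is not part of the original posts or of the tool itself. The leaked list here is a constructed stand-in built from three obviously weak sample passwords, not entries from the actual dump. The example also goes beyond the post with a prefix-query variant: the client sends only the first five hex characters of its hash and the server returns every leaked suffix under that prefix, so the operator never sees a full hash it could crack offline. That addresses Steve's point that people need a way to test a specific password without handing the whole thing to whoever runs the checker.

```python
import hashlib

# Constructed for this example: a tiny stand-in for the leaked hash list.
# Real leak lists hold millions of SHA-1 digests; these come from sample
# passwords chosen for this demonstration only.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "linkedin2012", "qwerty")
}


def client_hash(password: str) -> str:
    """The browser-side step from the quoted tool: hash locally, never send the password."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def server_check_full(sha1_hex: str) -> bool:
    """Naive exchange from the post: client sends the full hash, server answers yes/no.

    The server now holds a hash it could crack offline, so this relies
    entirely on trusting the operator (the objection raised in the thread).
    """
    return sha1_hex.upper() in LEAKED_SHA1


def server_range(prefix: str) -> list:
    """Prefix-query variant (goes beyond the post): return every leaked suffix
    that shares the 5-character prefix, so the server cannot tell which one the
    client is interested in."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in LEAKED_SHA1 if h.startswith(prefix))


def client_check_private(password: str) -> bool:
    """Client hashes locally, sends only the prefix, and finishes the match itself."""
    h = client_hash(password)
    return h[5:] in server_range(h[:5])


if __name__ == "__main__":
    for pw in ("qwerty", "correct horse battery staple"):
        print(pw, "->", client_check_private(pw))
```

With only three entries the prefix range usually contains a single suffix, which is why the real-world version of this idea needs a list large enough that every five-character prefix covers hundreds of hashes.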

Steve:
Quote from: AbelsFire on June 06, 2012, 09:03:20 PM

Quote from: ErebusBat on June 06, 2012, 07:31:56 PM

The safest thing you can do as a consumer is to use a random password at each site.

Doing that is much easier with a dedicated password manager, like LastPass.

I prefer to use something that generates a password from a master instead of storing any passwords anywhere.  Here's one such solution:
http://passwordmaker.org/passwordmaker.html

You enter a master password and other details (like the domain name and user id) then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser and you can access it from any computer with an internet connection and a browser (only on a computer you trust of course).
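The idea Steve describes (a master password plus the domain and user id run through a hash to produce a site password that is never stored) as an added example. This is not passwordmaker.org's algorithm, character set or defaults; the alphabet, the 16-character length, the fixed PBKDF2 salt string and the rotation counter are all assumptions made here. The counter is included because a pure hash of master + domain + user gives no way to change a single site's password after a breach without changing the master; bumping the counter for that one site is the usual fix.

```python
import hashlib
import hmac
import string

# Assumptions for this example: the output alphabet and length are choices made
# here, not a real tool's defaults. Real tools expose them as per-site settings.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
DEFAULT_LENGTH = 16
# Fixed, public salt for the master-stretching step: it only needs to be
# constant so the same master always yields the same key.
STRETCH_SALT = b"passwordmaker-example-v1"
STRETCH_ITERATIONS = 100_000


def derive_password(master: str, domain: str, username: str,
                    counter: int = 1, length: int = DEFAULT_LENGTH) -> str:
    """Derive a site password from the master plus site details.

    The stretched master is the HMAC key; domain, username and a rotation
    counter are the message. Nothing needs to be stored: identical inputs
    always give the same password, and a new counter gives a fresh one for
    that single site without touching the master.
    """
    if not master:
        raise ValueError("master password must not be empty")
    # Stretch the master first so someone who learns one derived password cannot
    # cheaply brute-force the master (and thus every other site) from it.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), STRETCH_SALT, STRETCH_ITERATIONS)
    message = f"{domain.lower()}\n{username}\n{counter}".encode()

    # Map digest bytes onto the alphabet with rejection sampling so every
    # character is equally likely (plain modulo would skew the distribution).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        digest = hmac.new(key, message + bytes([block]), hashlib.sha256).digest()
        for b in digest:
            if len(out) == length:
                break
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1  # draw another digest if the first one did not fill the password
    return "".join(out)


if __name__ == "__main__":
    print(derive_password("correct horse battery staple", "example.com", "alice"))
    print(derive_password("correct horse battery staple", "example.com", "alice", counter=2))
```

The trade-off Steve mentions still applies: the derivation is only as strong as the master, and because every site password is a function of it, the master must never be typed into a machine you do not trust.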
