[Password Leak] LinkedIn database hacked


Xenland:
http://CheaperInBitcoins.com salts its passwords with 254 random characters, uniquely per account, along with appending another salt that is the customer's ID# multiplied by an undisclosed number, on top of requiring users/merchants/customers to use a password of 10 characters or more. So, to visualise the hashing, it would look something like this in pseudo code:
Code:

// PHP: one SHA-512 over the per-account random salt, the ID-derived salt and the password
hash("sha512", $random_254_chars . ($user_id * $undisclosed_number) . $password)

Steve:
Quote from: gweedo on June 06, 2012, 08:16:48 PM

Quote from: mcorlett on June 06, 2012, 08:14:00 PM

Quote from: realnowhereman on June 06, 2012, 08:11:25 PM

Quote from: i_rape_bitcoins on June 06, 2012, 08:07:39 PM

"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."

browser hashes password -----sends to server-----> server replies if hash matches.

Oh that's okay then... as long as it says "we're honest" on the website, it must be fine.

The source is available for anyone to read.


Just change your password on LinkedIn, then you don't need to worry about whether the source is readable or anything. Problem Solved :)

Uhhh…as well as every other site where you may have happened to use the same username and password.  People really do need a way of testing whether specific passwords are in that list…because many may have forgotten what password they used (with browser autofill, etc) and if they reset it, well, that doesn't tell them which password has been compromised.  Otherwise, they may need to change every password on every site, which can be tedious.

Just more justification to use unique, generated passwords on every site.

Steve:
Quote from: AbelsFire on June 06, 2012, 09:03:20 PM

Quote from: ErebusBat on June 06, 2012, 07:31:56 PM

The safest thing you can do as a consumer is use a random password at each site.

Doing that is much easier with a dedicated password manager, like LastPass.

I prefer to use something that generates a password from a master instead of storing any passwords anywhere.  Here's one such solution:
http://passwordmaker.org/passwordmaker.html

You enter a master password and other details (like the domain name and user id), then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser, and you can access it from any computer with an internet connection and a browser (only on a computer you trust, of course).
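As an added illustration of the approach Steve describes (and of the "unique, generated passwords on every site" point earlier in the thread), here is a deterministic per-site password derived from a master password with HMAC-SHA-256. This is example code written for this page, not PasswordMaker's own algorithm; the character set, the domain/username separator and the 16-character default are assumptions.

```python
import hashlib
import hmac
import string

# Character set the generated password is drawn from (assumption: letters,
# digits and a few symbols most sites accept).
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"


def derive_site_password(master: str, domain: str, username: str, length: int = 16) -> str:
    """Derive a per-site password deterministically from a master password.

    Nothing is stored: the same (master, domain, username) always yields the
    same password, and any change to the domain or username changes it.
    """
    if length < 1:
        raise ValueError("length must be positive")
    # HMAC keyed with the master password over the site-specific details.
    # The NUL separator keeps ("example.com", "alice") distinct from
    # ("example.co", "malice"), which plain concatenation would not.
    site_label = f"{domain}\x00{username}".encode()
    limit = 256 - (256 % len(ALPHABET))  # largest multiple of the alphabet size
    chars = []
    counter = 0
    # Draw 32-byte blocks until enough characters are produced. Rejection
    # sampling (skip bytes >= limit) avoids modulo bias towards some characters.
    while len(chars) < length:
        msg = site_label + counter.to_bytes(4, "big")
        block = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        for b in block:
            if b < limit and len(chars) < length:
                chars.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs: the same master gives unrelated site passwords.
    for site in ("linkedin.com", "example.com"):
        print(site, derive_site_password("correct horse battery", site, "alice"))
```

Because nothing is stored, the master password and these parameters are the only secret: changing the alphabet, separator or hash changes every derived password at once.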

justusranvier:
Quote from: Steve on June 06, 2012, 09:16:04 PM

You enter a master password and other details (like the domain name and user id), then it uses a hash function to generate a password that doesn't need to be stored anywhere.  It does all of that on the client, in the browser, and you can access it from any computer with an internet connection and a browser (only on a computer you trust, of course).
I used a tool like that before but found it more convenient to use a tool that came with plugins for every browser I use including Android. I want my password manager to Just Work no matter which browser I am using so I've found it to be easier to disable the built-in managers and just use the LastPass plugin for everything.

Herodes:
Cool thing is that LinkedIn could easily rename their service to LeakedIn. Who ever used LinkedIn anyway?
