Florian Philipp wrote:
> On 17.01.2012 03:22, Dale wrote:
>> Howdy,
>>
>> It was on the news that some company got hacked into that was related to
>> Amazon. They said Amazon users should change their password just as a
>> precaution. I have a question tho. I use some pretty good passwords
>> for the things that matter, sites such as my bank, credit card, ebay,
>> paypal, newegg and others that may store things such as my credit card
>> numbers. Here is an example but not a close match to a typical password:
>>
>> $cb78862A!
>>
>> According to those password strength websites, that is a great
>> password. Fairly long and lots of assorted characters and impossible to
>> guess since it contains no personal info such as birthdays or pets.
>> This is fairly typical for sites that matter. I may use something
>> simple for sites such as forums or something tho.
>>
>> My question. If I have a really good password and someone gets hacked,
>> should I change the password if the passwords are still safe? In other
>> words, they got some data such as email addys but the passwords and
>> credit cards are still secure. Should a person change it anyway?
>>
>> One reason I ask this. I remember my passwords well. If I go to
>> changing them every time someone gets hacked, I'll never be able to keep
>> up with them again. I use Lastpass to remember them but it could stop
>> working because of an upgrade or something. Then again, I could use its
>> autogenerate thing and just HOPE for the best on upgrades.
>>
>> Thoughts? What do you guys, and our gal, do in situations like this?
>>
>> Dale
>>
>> :-) :-)
>>
> Well, "it depends" is the only answer I can really give. There are
> basically 4 scenarios which might have occurred:
>
> 1. Plaintext passwords were stolen. Then you should definitely change
> your pw. I doubt amazon is stupid enough to store passwords as
> plaintext, though.
>
> 2. Relatively weak password hashes were stolen, for example MD5 or sha1
> with no salt. With modern PCs, it isn't too hard to brute-force against
> such, even without rainbow-tables. Then you should change your password
> but you might get lucky and not need to.
>
> 3. Strong password hashes were used (something slow with a lot of salt,
> possibly without storing the salt so it has to be guessed as well). Then
> you don't need to change your password.
>
> 4. Something else was done. For example known-plaintext or
> man-in-the-middle attacks against users. Then, well, it depends again ;)
>
> Concerning how I'd handle it: I use app-admin/keepassx with a master
> password. I'd just change the random amazon password as I've not
> memorized it.
>
> Obligatory xkcd reference: http://xkcd.com/936/
> (I've checked the math, he is right.)
>
> Regards,
> Florian Philipp
>

This is what one news source says, and they are all about the same:

http://venturebeat.com/2012/01/16/zappo-hack/

"I suppose the one saving grace is that the database that stores our
customers’ critical credit card and other payment data was not affected
or accessed."

What I read now is that it only affected the one site. It was early on
that changing the password on Amazon was mentioned and I guess since
they were not sure, it was just in case the worst happened.

I use Lastpass which does about the same as other password managers. It
looks now like Zappo got off sort of lucky. Their customers may get
extra spam now but at least it sounds like their credit card data is safe.

According to netcraft they run Linux. I wonder how they got into it?
Think the admin had a really common password like "god" or something.
lol Wasn't that in the movie "Hackers"?

Well, I changed mine before I sent the first post, just to be sure. Of
course, with my bank account, they ain't going to spend much. Certainly
not worth serious jail time. o_O

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Miss the compile output? Hint:
EMERGE_DEFAULT_OPTS="--quiet-build=n"
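The following is an added example, not part of this thread and not code written by either poster. It shows, in Python, the difference between Florian's scenario 2 (a fast, unsalted hash such as MD5) and scenario 3 (a slow, salted KDF), and why a stolen database looks so different in the two cases. The sample user names and passwords are constructed (one of them is the example password quoted above), the record layout `algo$iterations$salt$digest` is a convention invented for this example, the iteration count is an assumed work factor, and the `pepper` parameter stands in for Florian's "salt that is not stored": a server-side secret that is not in the database.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample accounts (not real data). Two users share a password,
# which is common in any real user base and is exactly what salting hides.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob":   "correct horse battery staple",
    "carol": "$cb78862A!",   # the example password quoted in the thread
}

# Assumed work factor: chosen so one guess costs far more than one MD5 call.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Scenario 2 from the thread: a fast hash with no salt.

    Every user with the same password gets the same digest, so one
    precomputed table (or one cracked entry) serves every such account."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS,
                  pepper: bytes = b"") -> str:
    """Scenario 3 from the thread: a slow, salted KDF (PBKDF2-HMAC-SHA256).

    `salt` is random per user and stored inside the record. `pepper` is a
    server-side secret that is NOT stored with the record, so a copy of the
    database alone is not enough to test guesses against it. The record
    layout algo$iterations$salt_hex$digest_hex is a constructed convention."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str, pepper: bytes = b"") -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def duplicate_hash_users(store: Dict[str, str]) -> List[Set[str]]:
    """Groups of users whose stored value is byte-for-byte identical.

    A quick audit check on a credential store: duplicates mean the hashing
    is unsalted (or uses one constant salt), i.e. scenario 2 territory."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_stores(users: Dict[str, str] = SAMPLE_USERS):
    """Hash the same sample users both ways so the two schemes can be compared."""
    weak = {u: md5_unsalted(p) for u, p in users.items()}
    strong = {u: pbkdf2_record(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted MD5 duplicates :", duplicate_hash_users(weak))
    print("salted PBKDF2 duplicates:", duplicate_hash_users(strong))
    print("carol verifies          :", pbkdf2_verify("$cb78862A!", strong["carol"]))
```

In the unsalted store, alice and bob are visibly the same account to anyone holding the dump, and a guess checked against one digest is checked against all of them at the cost of one MD5 call. In the PBKDF2 store every record has its own salt, so each guess has to be run per user at the full iteration cost, and if a pepper is in use the dump alone cannot be tested at all. That asymmetry is what makes "should I change the password" depend on which scheme the breached site was using.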