More than eight million email addresses, usernames and password hashes from German gaming website Gamigo have been dumped online, months after the site was hacked. A 500MB file containing 8.2 million Gamigo user login credentials was uploaded and publicised via a post to password-cracking forum Inside Pro, according to the data …
"It's unclear why the person who uploaded the list waited so long to spill the goodies after the original breach" - Really slow upload rate?
Surely you mean they must have been using <insert reader's ISP>? (Judging by comments on most ISP-related articles, it seems most readers seem to choose to give their money to ISPs they think are a load of crap.)
You can hear the sound in the admin's head as the bell rings and he says to himself: "Ohhhh Fuck, why me....."
I like the way hackers talk with such superiority when it comes to describing how stupid people are when managing data. I know a guy who likes to hack and he is just the same, i.e. cracking this MD5 was child's play; they might as well have stored the passwords in plain text.
"There’s no excuse for using encryption this weak; it’s just bad security."
Calling the MD5 hash function "encryption" is just fuzzy terminology.
Where's the salt?
Not merely fuzzy terminology.
Not coming from the CTO of a "network security" company. He's just exposed failing to do his homework. Failing to do the homework, by the by, is one major reason for crypto-related breaches.
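The point the last few comments are circling ("cracking this MD5 was child's play", "Where's the salt?") as an added, runnable illustration. This is not code from the article, from Gamigo, or from any commenter: the "leaked" rows and the candidate wordlist are constructed here, and PBKDF2-HMAC-SHA256 from Python's standard library stands in as one reasonable salted, slow scheme, not anything the site actually used. It shows why an unsalted fast hash costs an attacker one precomputed table for every user ever leaked, while a per-user salt forces the full candidate list to be re-derived per user.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real Gamigo records): a small candidate list and a
# few "leaked" rows stored as unsalted MD5, the way the article says Gamigo did.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "gamigo2012"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


LEAKED_MD5 = {
    "alice": md5_hex("letmein"),
    "bob":   md5_hex("dragon"),
    "carol": md5_hex("correct horse battery staple"),  # not in the wordlist
}


def build_md5_table(wordlist):
    """Precompute md5(candidate) once. Without a salt the same table works
    against every unsalted MD5 dump ever leaked, which is why people say
    unsalted MD5 is barely better than plaintext."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(leaked, table):
    """One dictionary lookup per user and no new hash computations at all."""
    return {user: table.get(h) for user, h in leaked.items()}


def hash_salted(password: str, salt=None, iterations: int = 50_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, stdlib).
    Returns (salt_hex, derived_key_hex) for storage. Iteration count is an
    assumed figure for the demo, not a recommendation for production."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), dk.hex()


def verify_salted(password: str, salt_hex: str, dk_hex: str, iterations: int = 50_000) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(record, wordlist, iterations: int = 50_000):
    """With a per-user salt the precomputed table is useless: every candidate
    must be re-derived for this user's salt. Returns (password_or_None, attempts)."""
    salt_hex, dk_hex = record
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if verify_salted(candidate, salt_hex, dk_hex, iterations):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("unsalted MD5:", crack_unsalted(LEAKED_MD5, table))
    # Same password, two users: different salts give different stored values.
    print("salted #1:", hash_salted("dragon"))
    print("salted #2:", hash_salted("dragon"))
    print("salted crack:", crack_salted(hash_salted("dragon"), WORDLIST))
```

Note the cost asymmetry: the unsalted dump costs the attacker len(WORDLIST) hashes in total for the whole 8.2 million rows, whereas the salted scheme costs len(WORDLIST) slow derivations per user, and the slow KDF makes each of those derivations deliberately expensive.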
Passwords are destroying the world
It is just annoying, the fact that we are still living in a password world. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security controls. As was stated, passwords are useless, outdated, and a security risk. That same organization understood that the only real solution is the need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this, if they were to try to use the "stolen" password and don't have your phone, nor are on the computer, smartphone or tablet you have designated as trusted, they would not be able to enter the account.