Facebook has scanned millions of email address and password pairs hackers dumped online from Adobe's user account database – so that it can force its social networkers to change their passwords if they used the same login details for both websites. Late last month, Adobe warned of "sophisticated attacks" on its network in which …
Lastpass and Yubikey have been working for me. Only cost about £18. Every site has a different password and I sleep much better at night. The big question is if you trust your entire online life to LastPass.
Surely this means that Adobe and FB are both using the same encryption method, and no salt whatsoever?
Please tell me I'm just posting too early after waking up and this isn't really so...
Re: No salt?
More than that: plenty of gaffes by Adobe that made it easy to recover the plaintext. Then Facebook just had to run each plaintext through its own algos to check against its database.
Re: No salt?
I'm assuming Facebook are just running the Adobe passwords through their own hashing algorithm (where the email matches one in Facebook's database), and looking for matching hashes.
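The check described in the two replies above, as an added example that is not Facebook's or Adobe's code: because the leaked records are plaintext, the comparing site needs no knowledge of the other site's scheme and no shared salt; it re-hashes each leaked password with its own per-user salt (PBKDF2-HMAC-SHA256 is assumed here for the site's own store) and flags matches for a forced reset. All accounts and leaked pairs below are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed scheme for the site's own password store: per-user random salt plus
# PBKDF2-HMAC-SHA256 of the plaintext. The breached site's scheme is irrelevant.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for one user; salted, so equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(accounts):
    """Build {email: (salt, hash)} from (email, plaintext) pairs using fresh random salts."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(store, leaked_pairs):
    """Return emails whose leaked plaintext verifies against our own stored hash.

    We have the plaintext, so we re-hash it with each matching user's own salt
    and compare in constant time; no salt or algorithm needs to be shared."""
    reused = []
    for email, leaked_plaintext in leaked_pairs:
        entry = store.get(email.lower())
        if entry is None:
            continue  # not one of our users
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_plaintext, salt), stored):
            reused.append(email.lower())
    return reused


# Constructed sample data (not real leaked records).
OUR_ACCOUNTS = [
    ("alice@example.com", "Password1"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "Tr0ub4dor&3"),
]
LEAKED = [
    ("alice@example.com", "Password1"),    # same password on both sites -> force reset
    ("bob@example.com", "hunter2"),        # different password -> no action
    ("dave@example.com", "Password1"),     # not our user -> ignored
    ("Carol@Example.com", "Tr0ub4dor&3"),  # email case differs, still matches
]

if __name__ == "__main__":
    print(find_reused_credentials(make_store(OUR_ACCOUNTS), LEAKED))
```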
KeePass is free, open source and you decide where you want your database of passwords located.
Yep, as is PasswordSafe. Windows, Linux, Android.
Everyone knows that you can't have a lowercase word as a password anymore, it must be mixed case and numbers. But that is easy, instead of having "password" as your password, you now have "Password1".
I do something very similar for sites where I do not care if someone manages to break in and find my password.
I just received a "change your password" message from Adobe yesterday.
"As we announced on October 3, 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account."
So are they just getting around to sending password change notes now, or are people still walking in and grabbing data?
...employ memory tricks such as mnemonics...
Whenever I do that I forget what trick I used and embarrass myself. So I keep all my passwords in PasswordSafe.
This just about covers it.
Re: password strength
Forty to sixty bits of entropy is fine if you only need to enter the password once or twice a day. Make it forty or fifty times a day and your average user needs less entropy. Right now my typical passwords are in the 16 to 20 length range at work where we are forced to change them every 60 days.
It's one of the few things where I could see speech recognition actually being useful. People could easily remember and speak long phrases that are too long to type. Of course a nearby recording device negates the process. So you're sort of screwed no matter what.
Of course, lockouts are another important part of the security regime. Even if you assume 6 attempts then a 15-minute lockout, the time to crack becomes too long for the attack to be effective.
Re: password strength
I agree. We have 5 minute lockouts on most things and I spend all day re-logging into systems. For me it's as much about finding a combination I can type fast as much as how secure it is.
Go All The Way
Facebook might as well go all the way and insist on changing your password every month. Just think of the amount of work that will get done when people can't remember their new password and can't log in to FB :)
Digital Liberty GONE.
What if I don't give a damn about securing my facebook account? Seriously? This is digital Nazi to the Nth degree. Let me choose any password (including none). Are we so used to being dominated on the net that we just take this? They have stolen my freedom to NOT secure an account.