Facebook makes Adobe fans change their horrible, horrible passwords

Facebook has scanned millions of email address and password pairs hackers dumped online from Adobe's user account database – so that it can force its social networkers to change their passwords if they used the same login details for both websites. Late last month, Adobe warned of "sophisticated attacks" on its network in …

COMMENTS

This topic is closed for new posts.
  1. pompurin

    LastPass and YubiKey have been working for me. Only cost about £18. Every site has a different password and I sleep much better at night. The big question is if you trust your entire online life to LastPass.

  2. Anonymous Coward

    No salt?

    Surely this means that Adobe and FB are both using the same encryption method, and no salt whatsoever?

    Please tell me I'm just posting too early after waking up and this isn't really so...

    1. diodesign (Written by Reg staff) Silver badge

      Re: No salt?

      More than that: plenty of gaffes by Adobe that made it easy to recover the plaintext. Then Facebook just had to run each plaintext through its own algos to check against its database.

      C.

    2. Doozerboy

      Re: No salt?

      Not necessarily.

      I'm assuming Facebook are just running the Adobe passwords through their own hashing algorithm (where the email matches one in Facebook's database), and looking for matching hashes.
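
The check described in the two replies above, as an added example that is not part of the original thread and is not Facebook's code: recovered plaintexts are re-hashed with each matching account's own stored salt, so salting on the checking site does not prevent the comparison. PBKDF2-HMAC-SHA256, the iteration count, and all names and account data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as the site would store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(accounts):
    """Build a constructed user table: email -> (salt, hash). No plaintext kept."""
    db = {}
    for email, password in accounts:
        salt = os.urandom(16)  # unique random salt per account
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def find_reused(leaked_pairs, user_db):
    """Return emails whose leaked password matches the locally stored hash."""
    flagged = []
    for email, leaked_password in leaked_pairs:
        record = user_db.get(email.lower())
        if record is None:
            continue  # address not registered here, nothing to compare
        salt, stored = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time compare
            flagged.append(email.lower())
    return flagged


# Constructed sample data, not real accounts.
USER_DB = make_user_db([
    ("alice@example.com", "Password1"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "Tr0ub4dor&3"),
])
LEAKED = [
    ("Alice@example.com", "Password1"),  # same password on both sites
    ("bob@example.com", "adobe123"),     # different password here
    ("dave@example.com", "123456"),      # no account on this site
]

if __name__ == "__main__":
    for email in find_reused(LEAKED, USER_DB):
        print("force password reset:", email)
```

Only the leaked plaintext and the site's own salt and hash are needed; the site never has to store or recover its users' passwords to run the check.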

  3. clriis

    KeePass

    KeePass is free, open source and you decide where you want your database of passwords located.

    1. This post has been deleted by its author

  4. jonathanb Silver badge

    Password strength

    Everyone knows that you can't have a lowercase word as a password anymore, it must be mixed case and numbers. But that is easy, instead of having "password" as your password, you now have "Password1".

    I do something very similar for sites where I do not care if someone manages to break in and find my password.

  5. Tom 35

    Adobe

    I just received a "change your password" message from Adobe yesterday.

    "As we announced on October 3, 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account."

    So are they just getting around to sending password change notes now, or are people still walking in and grabbing data?

  6. Sureo

    ...employ memory tricks such as mnemonics...

    Whenever I do that I forget what trick I used and embarrass myself. So I keep all my passwords in PasswordSafe.

  7. nobatron

    password strength

    This just about covers it

    http://xkcd.com/936/

    1. Tom 13

      Re: password strength

      Not quite.

      Forty to sixty bits of entropy is fine if you only need to enter the password once or twice a day. Make it forty or fifty times a day and your average user needs less entropy. Right now my typical passwords are in the 16 to 20 length range at work where we are forced to change them every 60 days.

      It's one of the few things where I could see speech recognition actually being useful. People could easily remember and speak long phrases that are too long to type. Of course a nearby recording device negates the process. So you're sort of screwed no matter what.

      Of course lockouts are another important part of the security regime. Even if you assume 6 attempts then a 15 minute lockout, the time to crack becomes too long for the attack to be effective.

      1. Sheep!

        Re: password strength

        I agree. We have 5 minute lockouts on most things and I spend all day re-logging into systems. For me it's as much about finding a combination I can type fast as about how secure it is.

  8. Peter Clarke 1

    Go All The Way

    Facebook might as well go all the way and insist on changing your password every month. Just think of the amount of work that will get done when people can't remember their new password and can't log in to FB :)

  9. jdieter

    Digital Liberty GONE.

    What if I don't give a damn about securing my facebook account? Seriously? This is digital Nazi to the Nth degree. Let me choose any password (including none). Are we so used to being dominated on the net that we just take this? They have stolen my freedom to NOT secure an account.
