all went missing.
Someone deleted them? Surely they have a backup?
(copied data is not missing!)
Toshiba says that unidentified hackers have stolen customer records belonging to 7,500 of its customers. Credit cards details were not compromised, but emails, addresses, passwords and phone numbers all went missing. The company said the hackers gained access to a US server. The hack came to light on 11 July and customers …
I don't hold out a lot of hope, but that is a general observation and not Toshiba-specific.
How many sites send you a password reminder of your *real* password by email?
This shows that (a) they store it in un-hashed form somehow, and (b) they don't care that email is unencrypted and your email account may well be hacked.
Folks, think about all of the times you have received such a reminder!
Assuming, like me, you occasionally forget and use such a service; if not, why not give it a try with some companies that have important stuff...
Not many, not any more. Most of the sites I have a login on send you a link that allows you to reset your password within a certain time limit. You click the link and must set a new password.
As long as the miscreants don't change your email address, that seems fine to me.
My initial response won't actually make sense if you don't know what salting/seeding a password is so in summary:
salt = "f32ad35aef";
password = "secret";
md5(salt + password);
where salt is a random number (or any other random string) stored in the database with the password hash. The salt value should be different for each password you store.
This way even if a user uses a commonly used password it'll have a different hash.
that you meant that horrible comedian who thinks he's funny by making "edgy" racist jokes and then exclaiming "It's okay because I'm *ONLY KIDDING*."
I'm not one to wish pain on others, but I wouldn't be upset in the slightest if his fans all had to go about resetting their passwords.
Use an 8 character salt with upper and lowercase letters with digits and special characters.
Use obvious password restrictions, I would suggest a minimum of 12 characters these days but most still seem happy with 8.
SHA256 (Password + Salt)
Then SHA256 hash the result 1,000 times just to increase the computational complexity, and you have yourself a reasonably secure hash.
A password hashing algorithm has to be just fast enough not to negatively impact the login time. A fast hashing algorithm is actually a vulnerability. That's where something like bcrypt comes into play.
Here's a good article on the topic:
http://codahale.com/how-to-safely-store-a-password/
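As an added example (not code from any commenter in this thread), here is the per-record salt from the salting comment combined with the slow, iterated hashing the last reply asks for, in Python. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, the iteration count is an illustrative value, and the stored-record format is my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative iteration count (assumed, not from the thread): tune it so a login
# costs tens of milliseconds on your hardware, and raise it as hardware gets faster.
ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread warns about: every user with this password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is 16 random bytes, unique per record, kept beside the hash as the
    salting comment describes. A caller may pass a fixed salt for reproducible tests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def salting_hides_reuse(password: str) -> bool:
    """Two accounts picking the same common password get different stored records once salted,
    whereas their unsalted MD5 values are identical and reveal the reuse at a glance."""
    first, second = hash_password(password), hash_password(password)
    return unsalted_md5(password) == unsalted_md5(password) and first != second


if __name__ == "__main__":
    record = hash_password("secret")  # constructed sample password
    print(record)
    print(verify_password("secret", record), verify_password("Secret", record))
    print(salting_hides_reuse("password123"))
```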