[Noisebridge-discuss] yahoo hacked - plain text passwords!!!!!

Will Sargent will.sargent at gmail.com
Thu Jul 12 20:58:38 UTC 2012


I'm going to keep saying it, because I keep seeing people suggest
SHA256 with salt as a solution:

Use bcrypt.

http://webapp-hardening.heroku.com/insecure_crypto

Will.

On Thu, Jul 12, 2012 at 1:42 PM, Jake <jake at spaz.org> wrote:
> I was wondering why I kept getting so much Yahoo spam, from people I used
> to know.
>
> http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/
>
> A hacker collective calling itself D33Ds Co. publicly posted more than
> 450,000 login credentials -- i.e., paired usernames and passwords --
> obtained from Yahoo's "Contributor Network" site. In that data dump, the
> hackers described their attack as a "union-based SQL injection," which is
> effectively a way of tricking the database on a poorly secured site into
> divulging private information.
>
> Which, in this case, yielded a treasure trove of usernames and passwords,
> apparently all stored in plain text -- itself a fairly significant
> security failure on Yahoo's part. Passwords are usually cryptographically
> masked in a process called "hashing" to prevent exactly this sort of mass
> disclosure.
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
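Will's point above ("use bcrypt, not SHA256 with salt"), as an added example that is not part of this thread: a minimal password store with both schemes side by side. bcrypt itself needs the third-party `bcrypt` package, so PBKDF2-HMAC-SHA256 from the standard library is used as a stand-in; the property it shares with bcrypt, and that salted SHA-256 lacks, is a defender-chosen work factor stored with the hash so it can be raised over time.

```python
# Added example (not from the mailing-list thread): a minimal password store
# contrasting salted SHA-256 with an adaptive-cost hash. bcrypt itself needs the
# third-party `bcrypt` package; this uses PBKDF2-HMAC-SHA256 from the standard
# library as a stand-in, with the cost embedded in the stored string just as
# bcrypt embeds its work factor (e.g. "$2b$12$...").
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 200_000  # tune so one hash takes tens of milliseconds


def hash_salted_sha256(password: str) -> str:
    """The scheme the post argues against: one fast hash over salt+password.
    The salt defeats precomputed tables, but whoever holds the leaked table
    can still test guesses at the raw speed of SHA-256 on a GPU."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"$sha256${salt.hex()}${digest}"


def hash_adaptive(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted hash whose cost the defender chooses and stores with the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    fields = stored.split("$")[1:]
    if not fields:
        return False
    if fields[0] == "sha256":
        salt, digest = bytes.fromhex(fields[1]), fields[2]
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    elif fields[0] == "pbkdf2-sha256":
        iterations, salt, digest = int(fields[1]), bytes.fromhex(fields[2]), fields[3]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    else:
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record uses the fast scheme or a cost below the current
    target, so it can be upgraded on the user's next successful login."""
    fields = stored.split("$")[1:]
    if not fields or fields[0] != "pbkdf2-sha256":
        return True
    return int(fields[1]) < target_iterations
```

Legacy salted-SHA-256 records cannot be converted without the plaintext, so the usual path is to verify against the old record at login and immediately re-store the password with `hash_adaptive`.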
