[Noisebridge-discuss] yahoo hacked - plain text passwords!!!!!

Ryan Rawson ryanobjc at gmail.com
Mon Jul 16 05:31:18 UTC 2012


Don't use bcrypt!

http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html

-ryan

On Thu, Jul 12, 2012 at 1:58 PM, Will Sargent <will.sargent at gmail.com> wrote:
> I'm going to keep saying it, because I keep seeing people suggest
> SHA256 with salt as a solution:
>
> Use bcrypt.
>
> http://webapp-hardening.heroku.com/insecure_crypto
>
> Will.
>
> On Thu, Jul 12, 2012 at 1:42 PM, Jake <jake at spaz.org> wrote:
>> I was wondering why I kept getting so much Yahoo spam, from people I used
>> to know.
>>
>> http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/
>>
>> A hacker collective calling itself D33Ds Co. publicly posted more than
>> 450,000 login credentials -- i.e., paired usernames and passwords --
>> obtained from Yahoo's "Contributor Network" site. In that data dump, the
>> hackers described their attack as a "union-based SQL injection," which is
>> effectively a way of tricking the database on a poorly secured site into
>> divulging private information.
>>
>> Which, in this case, yielded a treasure trove of usernames and passwords,
>> apparently all stored in plain text -- itself a fairly significant
>> security failure on Yahoo's part. Passwords are usually cryptographically
>> masked in a process called "hashing" to prevent exactly this sort of mass
>> disclosure.
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
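The storage question argued in this thread, as an added example that is not part of any poster's message: the "SHA256 with salt" scheme next to a salted, deliberately slow password hash with a stored work factor. PBKDF2 from Python's standard library is used here as an assumption (it needs no third-party package) in place of bcrypt; the record format, function names, iteration count and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def fast_salted_sha256(password: str, salt: bytes) -> bytes:
    """'SHA256 with salt': a single cheap hash call per password guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def hash_password(password: str) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; reject malformed records."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def needs_rehash(record: str) -> bool:
    """True when a stored record was made with a lower work factor than today's."""
    return int(record.split("$")[1]) < ITERATIONS

def cost_ratio(fast_rounds: int = 10_000) -> float:
    """How many times more expensive one slow hash is than one fast salted hash."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(fast_rounds):
        fast_salted_sha256("constructed-sample-password", salt)
    fast = (time.perf_counter() - start) / fast_rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample-password", salt, ITERATIONS)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    record = hash_password("constructed-sample-password")
    print(record)
    print(verify_password("constructed-sample-password", record), cost_ratio())
```

Because the work factor is stored in each record, it can be raised later and `needs_rehash` used at login to upgrade old records.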


