[Noisebridge-discuss] yahoo hacked - plain text passwords!!!!!

Will Sargent will.sargent at gmail.com
Mon Jul 16 19:12:37 UTC 2012


There is one thing that bcrypt does better than the alternatives; it's
future-compatible.  You can turn up the factors on it, and new
passwords will be even more difficult to crack, but will still use
exactly the same algorithm under the hood, so it will keep up with
Moore's Law.

As far as I understand it, the alternatives mentioned do not do this,
which makes them more fiddly to maintain down the line.

If you're really bothered, do what Mozilla does: they use HMAC512 with
a global salt that's only kept on the filesystem, then feed that input
into bcrypt.  That way even if bcrypt is compromised, there's another
level of encryption to get through.

Will.

On Sun, Jul 15, 2012 at 10:31 PM, Ryan Rawson <ryanobjc at gmail.com> wrote:
> Don't use bcrypt!
>
> http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html
>
> -ryan
>
> On Thu, Jul 12, 2012 at 1:58 PM, Will Sargent <will.sargent at gmail.com> wrote:
>> I'm going to keep saying it, because I keep seeing people suggest
>> SHA256 with salt as a solution:
>>
>> Use bcrypt.
>>
>> http://webapp-hardening.heroku.com/insecure_crypto
>>
>> Will.
>>
>> On Thu, Jul 12, 2012 at 1:42 PM, Jake <jake at spaz.org> wrote:
>>> I was wondering why I kept getting so much yahoo spam, from people I used
>>> to know.
>>>
>>> http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/
>>>
>>> A hacker collective calling itself D33Ds Co. publicly posted more than
>>> 450,000 login credentials -- i.e., paired usernames and passwords --
>>> obtained from Yahoo's "Contributor Network" site. In that data dump, the
>>> hackers described their attack as a "union-based SQL injection," which is
>>> effectively a way of tricking the database on a poorly secured site into
>>> divulging private information.
>>>
>>> Which, in this case, yielded a treasure trove of usernames and passwords,
>>> apparently all stored in plain text -- itself a fairly significant
>>> security failure on Yahoo's part. Passwords are usually cryptographically
>>> masked in a process called "hashing" to prevent exactly this sort of mass
>>> disclosure.
>>> _______________________________________________
>>> Noisebridge-discuss mailing list
>>> Noisebridge-discuss at lists.noisebridge.net
>>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
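The two points in Will's message, a tunable work factor that lets old hashes stay verifiable while new ones get more expensive, and the Mozilla-style HMAC-with-filesystem-pepper first stage, as an added example that is not code from this thread or from Mozilla. It uses PBKDF2-HMAC from the Python standard library in place of bcrypt (bcrypt is a third-party package, and the stored-parameters pattern is the same one bcrypt's `$2a$<cost>$...` string uses); the `PEPPER` constant, the `$alg$rounds$salt$hash` layout, and the `login` helper that upgrades the cost on the fly are all assumptions made here for illustration.

```python
import hashlib
import hmac
import os

# Assumption (constructed for this example): the "global salt", better called a
# pepper, that the message describes as kept only on the filesystem. A deployment
# would read it from a file outside the database, e.g. open("/etc/app/pepper", "rb")
# .read(), never store it in the users table, and never commit it to source control.
PEPPER = bytes.fromhex(
    "6f2a9c1e4b7d0f8a3c5e9b1d7f2a4c6e8b0d2f4a6c8e0b1d3f5a7c9e1b3d5f7a"
)

# Tunable work factor, the knob bcrypt exposes as its log2 cost. Raising it changes
# nothing about the algorithm; old hashes stay verifiable because every stored
# string carries the rounds it was produced with.
CURRENT_ROUNDS = 100_000
ALG = "pbkdf2-sha256"  # hypothetical identifier for our own hash string format


def prehash(password: str) -> bytes:
    """First stage: HMAC-SHA512 of the password under the filesystem pepper.
    An attacker holding only the database contents cannot even begin guessing
    without this key."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha512).digest()


def hash_password(password: str, rounds: int = CURRENT_ROUNDS, salt=None) -> str:
    """Second stage: slow, per-user-salted KDF over the HMAC output.
    Stored as $alg$rounds$salt$hash so the parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prehash(password), salt, rounds, dklen=32)
    return f"${ALG}${rounds}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    empty, alg, rounds, salt, dk = stored.split("$")
    if empty != "" or alg != ALG:
        raise ValueError("unrecognised hash format")
    return int(rounds), bytes.fromhex(salt), bytes.fromhex(dk)


def verify(password: str, stored: str) -> bool:
    """Recompute with the rounds and salt recorded in the stored string and
    compare in constant time."""
    rounds, salt, dk = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prehash(password), salt, rounds, dklen=len(dk)
    )
    return hmac.compare_digest(candidate, dk)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash was made with fewer rounds than today's target,
    i.e. it predates a cost increase."""
    return _parse(stored)[0] < CURRENT_ROUNDS


def login(password: str, stored: str):
    """Verify, and on success hand back an upgraded hash if the stored one is
    below target. Returns (ok, new_hash_or_None); the caller writes new_hash
    back to the user's row. This is how a site keeps up with hardware without
    a forced password reset."""
    if not verify(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)
```

The cost upgrade happens only at a successful login, because that is the only moment the plaintext is available; rows belonging to users who never return keep their old, cheaper hash, which is a reason to pick a sensible cost from the start rather than rely on upgrades.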

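The "union-based SQL injection" the quoted CNET article describes, as an added example that is not part of the thread or of the reported breach. The site, tables, rows and payload are constructed here for illustration using SQLite's standard-library driver; the vulnerable search function is written to be exploitable on purpose, and the hardened version beside it binds the user input as a parameter. With plaintext password storage, the union pulls the credentials themselves straight out of the users table.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed fixture: a content site with an articles table and a users
    table that stores passwords in plaintext, as the quoted article reports."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Hello world', 'first post');
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str):
    """Deliberately vulnerable: the user's search term is pasted into the SQL
    text, so a quote in the input ends the string literal and the rest of the
    input is parsed as SQL."""
    sql = f"SELECT title, body FROM articles WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str):
    """Hardened: the same query with a bound parameter. The input is passed to
    the driver as data and can never change the statement's structure."""
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# The classic union payload: close the string literal, append a SELECT with the
# same number of columns from the table you actually want, and comment out the
# tail of the original query. Column count must match or the UNION fails, which
# is why attackers probe with "UNION SELECT NULL, NULL" first.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"
```

Against `search_vulnerable` the payload turns the query into `... WHERE title LIKE '%' UNION SELECT username, password FROM users --%'`, returning every article plus every username and password; against `search_safe` the same string is just a pattern no title matches, and the result is empty.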

