Russion hackers get 1.2 billion usernames/passwords

[darkewaffle]

FYI, an article explaining why this is probably just FUD, courtesy of Fark:

http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever

TL,DR:
- they bought bunches of old stale passwords from other hacking groups
- the user-password combo from a 2-year old hack that you read about 18 months ago is nothing to worry about unless you ignored the warning back then and use the same password everywhere

Yeah, OPs article basically made it out like it was not one mass hack but more just a... large scale compilation? I got the impression it was moreso a bunch of data put together from smaller, unique breaches over a few years.

All the same, I still really enjoy talking about the practice and protection, it's fascinating stuff imo.

 

[SunnyD]

FYI, an article explaining why this is probably just FUD, courtesy of Fark:

http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever

TL,DR:
- they bought bunches of old stale passwords from other hacking groups
- the user-password combo from a 2-year old hack that you read about 18 months ago is nothing to worry about unless you ignored the warning back then and use the same password everywhere

And that's the thing - the majority of those individuals tend to not do anything about those warnings due to various reasons. I mean after all, how numb have you gotten to things like phishing spam password reset emails these days? And how many people do you think have legit emails that either just go unread or straight to spam?

And to make your life a bit more scary, why this sort of information, old or new, is a big deal when put in the wrong hands: http://arstechnica.com/security/201...t-puts-a-personal-touch-on-password-cracking/

 

[darkewaffle]

Well, in a way, yes. But good crackers aren't stupid people, if they knew that they got hold of the hashed AT forum passwords they might consider also making a list of all the user names and adding them to their dictionary. Or since it's AT they might make a list of tech related terms to add to their list, or maybe run a text analysis on AT articles or forum posts and add the top 100 most frequently mentioned terms or most commonly matched words/phrases to their list.

Dubbed WordHound, the freely available tool scours press releases, white papers, and Twitter accounts belonging to companies or sites that have recently suffered security breaches. The software then generates a list of commonly found words or phrases that attackers can use when trying to convert cryptographic hashes from compromised password databases into the corresponding plaintext passcodes. The tool, devised by security consultant Matthew Marx, was unveiled Wednesday at Passwords 14 conference in Las Vegas.

Hahaha, told you so!

 

[Exterous]

http://arstechnica.com/security/201...t-puts-a-personal-touch-on-password-cracking/

I lol'd. Well done Randall.

A "combinator" attack, for example, combines two or more words in the list to generate guesses such as "correcthorsebatterystaple."

 

[ch33zw1z]

For the above password this site predicts:

"It would take a desktop PC about 25 thousand years to crack your password"

I used similar passwords to what mine really are, and they range from 78 days to 26 sextillion years.

seriously starting to think about something like lastpass

 

[T9D]

I used similar passwords to what mine really are, and they range from 78 days to 26 sextillion years.

seriously starting to think about something like lastpass

yomamaissofat

would take a million years? Yeah ok.

 

[ch33zw1z]

yomamaissofat

would take a million years? Yeah ok.

lol, it says on a "desktop computer", and that's non dictionary.

my passwords don't tend to be like that anyways