On 7/24/2013 12:05 AM, Ben Eisenbraun wrote:
> On Tue, Jul 23, 2013 at 11:16:06PM -0400, Bill Horne wrote:
>> Since my password isn't in a dictionary, and doesn't contain any common
>> substitutions that would allow for guessing, I'm not concerned about the
>> breach.
>
> Dictionary attacks are kind of... passe. It's all password lists culled
> from the numerous other cracked sites and targeted brute force GPU
> cracking these days:
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>
> But your basic strategy works okay provided you never reuse a password,
> since you can't really ever know what the security on the other side of
> a web page you didn't write looks like. Ubuntu salted and hashed their
> passwords, but plenty of sites just store them in plaintext or use fast
> hashing schemes like MD5 which are quick to brute force with a GPU
> cracking tool.

Point taken.

My old password was just for "I don't care" sites, such as yahoo groups,
where it wouldn't matter much if it /were/ hacked, since all anyone
could do would be to post a message pretending to be me, to people who
don't know me anyway.

However, the more I thought about it, and the places I'd used it, the
more I hastened to get the passwords changed. We've all heard about the
"Help! I got mugged on vacation!" scams, and although I'm ever-so-eager
to find out which of my email contacts would rush to Western Union and
wire thousands of dollars to <random foreign city>, I don't /have/ any
email contacts on any of the sites I've used that password for - but I
realized that they might have been auto-collecting addresses I sent things to.

The arms race continues.

Bill
--
Bill Horne
339-364-8487
_______________________________________________
Discuss mailing list
http://lists.blu.org/mailman/listinfo/discuss
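
The storage difference discussed in the thread (unsalted MD5 versus salted, slow hashing), as an added example that is not part of the original messages: it audits a credential table for identical stored values and measures the per-guess cost of each scheme. The account names, passwords, PBKDF2-SHA256 and the iteration count are assumptions made for this sketch.

```python
import hashlib, hmac, os, time
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor, chosen for this example

def md5_unsalted(password: str) -> str:
    """Fast, unsalted storage: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf_store(password: str) -> tuple[bytes, bytes]:
    """Salted, slow storage: fresh random salt per account plus PBKDF2."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def kdf_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the account's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def shared_hash_groups(table: dict) -> list:
    """Audit a credential table: which accounts have identical stored values?"""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def per_guess_cost_ratio(rounds: int = 5) -> float:
    """How many MD5 computations fit in the time of one PBKDF2 computation."""
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"guess", b"0" * 16, ITERATIONS)
    slow = (time.perf_counter() - start) / rounds
    n = 20_000
    start = time.perf_counter()
    for i in range(n):
        hashlib.md5(b"guess%d" % i).digest()
    fast = (time.perf_counter() - start) / n
    return slow / fast

# Constructed sample accounts: alice and carol reuse one password.
ACCOUNTS = {"alice": "tr0ub4dor&3", "bob": "correct horse", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    md5_table = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    kdf_table = {u: kdf_store(p) for u, p in ACCOUNTS.items()}
    print("identical MD5 rows:", shared_hash_groups(md5_table))
    print("identical KDF rows:", shared_hash_groups(kdf_table))
    print("MD5 guesses per PBKDF2 guess: %.0f" % per_guess_cost_ratio())
```

Identical rows in the MD5 table mean one recovered password unlocks every account in the group, and the same hash will match that password in a list taken from any other unsalted-MD5 site; the salted table shows no such groups.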