Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
About 20 years ago, I used the same password for every single site. Over time, the rules tightened and/or I was forced to change my password from time to time, so about 5 years after my 1st password, I had my 2nd one that I use on some sites and the first one on others. Today's I'm at about 6 or 7 different ones.
Unless it's inconsequential you should be using different passwords on every site. When I say inconsequential what I mean is you have used the same password for a bunch of forums.
What happens is this, a site like this one is going to try and protect your data but it's not a banking site with an army of engineers either. If it gets hacked they will try and brute force the passwords stored in the user database table. If they are able to obtain your password here they now have an associated username, email address and password. From there they move to your email account and try the password you have used here there. If that is successful they can dig through your emails for banking and other information like accounts you may have on Ebay etc.
As another example this site does not use https for logins. If you are at coffee shop for example using their wifi and it's not over an encrypted channel someone sitting there can intercept your username and password. The person who controls that router can intercept your username and password regardless of whether the channelis encrypted and anyone else between you and this server can intercept that username and password.....
With the millions (literally) of hacked user profiles available, and how long it takes to do what's described, what are the odds? Not enough hackers to go around.
Question for readers: How many of you have personal knowledge of someone affected, other than a notice to change your PW? I sure don't.
About 20 years ago, I used the same password for every single site. Over time, the rules tightened and/or I was forced to change my password from time to time, so about 5 years after my 1st password, I had my 2nd one that I use on some sites and the first one on others. Today's I'm at about 6 or 7 different ones.
EVERY site has it's own password, EVERY email has it's own password. Passwords are stored in a book which lives in a safe.
It may not be news to you but it may be news to someone who has been using the same passwords for the last two decades.
Quote:
With the millions (literally) of hacked user profiles available, and how long it takes to do what's described, what are the odds? Not enough hackers to go around.
Assuming the passwords are encrypted in the database the first thing they will do is run a dictionary attack against the passwords. That may net them 10%+/- but a lot of that depends on where the database was obtained from. From there it depends on the complexity of the encryption, the hackers resources(which may be plentiful if they have access to a lot of compromised machines) and other factors like who is in the database.
That's not the only vector, if the hacker has compromised the machine to the point they can alter files they could easily obtain any password when the user logs in and/or JavaScript to capture it on the client side. Every login can send that information directly to the person collecting it.
This is sample of how it can be done...Keep in mind this is all scripted, the hacker is not sitting in front of a computer doing this. He's at the bar waiting for his/her phone to alert them to a potential victim found by the scripts they wrote that may need personal attention. They only need to to compromise a handful of people out of millions to make it worth it.
Quote:
Question for readers: How many of you have personal knowledge of someone affected, other than a notice to change your PW? I sure don't.
How would they know? I've seen the "my email account has been hacked" enough.... Those providers have brute force measures in place thus one can only assume it was hacked by A)someone that knew them and took a good guess. B)they used the password 123456 or C)it was compromised elsewhere.
Developers that encrypt passwords should be taken out somewhere and shot. It's like security 101 stuff, and yet it's still done all over the place.
huh? Can I assume you meant do not encrypt?
For those that do not understand when you join a site like this the password is encrypted in the database where the password itself is the key to decrypt it. The level and security of that encryption may vary because of how complex the password is and processing time to decrypt. Generally speaking it's pretty robust for most modern applications and will certainly be extremely robust on financial sites etc. This is also the reason many sites holding financial data may require a complex password.
When you go to login the password you have entered is the the key to decrypt the stored password. If someone were to hack into the server and obtain that data they still have a job ahead of them to obtain the password because it's encrypted. This is why a site cannot tell you what your password is and if they can tell you what it is you need to question their security policies.
The weak link I already mentioned is if someone has compromised the server to the point they can alter files. They can be altered so as to send that password of anyone that logs in, anyone that does not login would still be protected by that encryption.
I'm aware of the differences but that's a discussion for people on a technical forum.... Most of the people here will be unfamiliar with the term hashing and how it differs from encryption.
When you go to login the password you have entered is the the key to decrypt the stored password. If someone were to hack into the server and obtain that data they still have a job ahead of them to obtain the password because it's encrypted. This is why a site cannot tell you what your password is and if they can tell you what it is you need to question their security policies.
What you are describing is actually hashing ... If the site encrypts and stores a password, they (and of course any hacker), can recover the password by decrypting it.
A hash is a bit different in that it's a one way computation, and can't be reversed. A site asks for a password, then adds a salt (a random bit of data) to it and runs it through a hashing algorithm. That's what's stored in the DB.
The next time you come back, they ask for the password, and then run the provided password, and the original salt, back through the hashing algorithm. Then they compare the new hash to the stored hash. If they match, then you know the password.
This way the site never actually stores your password, and can't give it back to you (or anyone else). As long as it's hashed with a salt, then it won't match the hashed version of the same password on another site (as long as the developer is smart and uses a random salt, and not your user name as the salt).
Some sites do / did store your password in an encrypted field in the DB, and those are the ones that end up getting lists of passwords spread around the internet.
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.
Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
