Message Boards » The Lounge » LinkedIn passwords hacked
aaronburro
Sup, B
53063 Posts

i know it's *old* by interweb standards, but if any of you people use LinkedIn, you should change your password, and maybe change other passwords to accounts associated with your email address.

http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html

This notice was brought to you by your friendly neighborhood aaronburro

6/7/2012 4:36:39 PM

pilgrimshoes
Suspended
63151 Posts

after trying to remember my password in order to log in to this silly site, i got in and i saw this, which i don't remember from before:

Quote :
"Your email is safe with us! We will not store your password or email anyone without your permission."


casually near the "see who you already know" section, got a chuckle

and changed my password

6/7/2012 4:39:48 PM

ApexDave
Veteran
143 Posts

Well, it's technically true. They did not store the password... just a SHA hash... that wasn't salted.

http://leakedin.org/

That site lets you put in your password or SHA-1 hash value to see if it was in the leak.

6/7/2012 6:09:31 PM
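As an added example (not from the thread and not leakedin.org's code), this Python shows why an unsalted SHA-1 store is the problem ApexDave describes: a precomputed table of common passwords identifies the leaked hashes directly, while a per-user random salt makes the same table useless and gives two users with the same password different records. The wordlist and the user passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary; two of these entries are
# passwords the thread reports as cracked in the LinkedIn dump.
COMMON_PASSWORDS = ["password1", "iamgod", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_store(password: str) -> str:
    """What the leak showed: SHA-1 of the password alone, so every user with
    the same password has the same record and one table lookup identifies it."""
    return sha1_hex(password.encode())


def salted_store(password: str, salt: bytes = None) -> str:
    """Per-user random salt stored beside the hash as 'salthex$hash'."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + sha1_hex(salt + password.encode())


def salted_verify(password: str, record: str) -> bool:
    salt_hex, digest = record.split("$", 1)
    candidate = sha1_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)


def lookup_table(words) -> dict:
    """Precomputed hash -> password table; building it once is all the work
    an unsalted leak ever requires."""
    return {sha1_hex(w.encode()): w for w in words}


def exposed_by_table(hashes, table) -> dict:
    """Which stored hashes the table identifies with no per-record effort."""
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    table = lookup_table(COMMON_PASSWORDS)
    users = ["password1", "iamgod", "correct horse battery staple"]
    print(exposed_by_table([unsalted_store(p) for p in users], table))  # 2 of 3 identified
    salted = [salted_store(p).split("$")[1] for p in users]
    print(exposed_by_table(salted, table))  # {} - the table is useless against salted records
```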

CaelNCSU
All American
7080 Posts

I for one always type my password into random sites.

6/7/2012 6:19:32 PM

Prospero
All American
11662 Posts

iamgod

"Your password was leaked and cracked. Sorry, friend."

asdfjkl;

"Your password was leaked and cracked. Sorry, friend."

[Edited on June 7, 2012 at 7:37 PM. Reason : .]

6/7/2012 7:36:54 PM

smoothcrim
Universal Magnetic!
18966 Posts

skeet
Looks like your password was not leaked. Hooray!
penis
Looks like your password was not leaked. Hooray!

6/7/2012 7:45:27 PM

Kickstand
All American
11595 Posts

password1

"Your password was leaked and cracked. Sorry, friend."

6/7/2012 10:35:43 PM

ThePeter
TWW CHAMPION
37709 Posts

Quote :
"cc8f461bc483d23e5fcc2d999b70fe65e381aa3a"


Quote :
"Looks like your password was not leaked. Hooray!"

6/7/2012 10:40:05 PM

BobbyDigital
Thots and Prayers
41777 Posts

fucknut

"Your password was leaked and cracked. Sorry, friend."

6/7/2012 11:54:27 PM

jaZon
All American
27048 Posts

blowme was leaked

6/8/2012 12:12:05 AM

lewisje
All American
9196 Posts

obvs. hash is better salted

om nom nom

on a more serious note, p=====B ~ `o->-< was also cracked from a separate leak (near bottom): http://xdecrypt.com/google-sha1-a45c-3

6/8/2012 1:25:24 AM

pttyndal
WINGS!!!!!
35217 Posts

looks like last.fm got hacked too

http://www.pcworld.com/article/257178/music_site_lastfm_joins_the_passwordleak_parade.html

6/8/2012 8:22:04 AM

wolfpackgrrr
All American
39759 Posts

Good thing I deleted my LinkedIn account years ago. I got tired of all their stupid spam.

6/8/2012 9:08:01 AM

lewisje
All American
9196 Posts

I'm seriously thinking about moving to bcrypt: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
Too bad my host hasn't upgraded its FastCGI variant of PHP to version 5.3 or 5.4, or else I would feel more comfortable installing this: http://www.openwall.com/phpass/

Instead I moved a site I maintain from a singly randomly-salted MD5 to a Whirlpool-based HMAC: https://secure.wikimedia.org/wikipedia/en/wiki/HMAC

I know I've posted this pic before, and again, although the example uses SHA-1, any hash will do for the illustration of an HMAC: http://thewolfweb.com/message_topic.aspx?topic=617783&page=1#14958141

6/11/2012 6:24:00 AM

EuroTitToss
All American
4790 Posts

Quote :
"I'm seriously thinking about moving to bcrypt: "


I read Hacker News quite a bit and the funny thing is people will already call you an idiot for using bcrypt instead of scrypt (which has only been out 3 years). They obviously don't give a shit there are no publicized scrypt implementations for PHP.

I'm wondering if I should try writing one myself. It's stupid as hell writing your own crypto, but I bet other people would want it.

6/11/2012 8:36:48 AM

lewisje
All American
9196 Posts

Maybe I should take the C code from the Debian FTP: http://ftp.de.debian.org/debian/pool/main/s/scrypt/

or the main site: http://www.tarsnap.com/scrypt.html

and make me a CGI program that can be called from PHP

6/11/2012 9:50:46 AM

Str8BacardiL
************
41753 Posts

I just tried to log in.

Quote :
"Sorry, we need you to reset your password as a security precaution.

We've sent you an email that will allow you to reset your password quickly and easily. Please check your email now."


6/11/2012 10:31:16 AM

lewisje
All American
9196 Posts

wait wait wait

I just found out that the aforementioned site's host used the Suhosin Patch on PHP 5.2: http://www.hardened-php.net/suhosin/

now imago switch us all over to bcrypt

[Edited on June 11, 2012 at 10:54 AM. Reason : nm it has Suhosin but CRYPT_BLOWFISH==0]

6/11/2012 10:33:02 AM

lewisje
All American
9196 Posts

o lookie, scrypt is available for Python: http://pypi.python.org/pypi/scrypt/0.5.4
and Haskell: http://hackage.haskell.org/package/scrypt-0.3.2
and Windows Phone 7 and Silverlight 3-5: http://www.nuget.org/packages/DH.Scrypt.dll

6/11/2012 11:07:38 AM
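An added example, not code from the thread or from the scrypt package linked above, covering both storage schemes the posts discuss: lewisje's keyed "HMAC as a salted hash" (with SHA-256 standing in for Whirlpool, which hashlib does not guarantee) and the scrypt alternative the later posts argue for, here via the standard library's hashlib.scrypt rather than the PyPI package. The server key, record format and sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed secret; in a deployment it lives outside the database (config file
# or key store) so a dump of the users table alone cannot be checked offline.
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def hmac_store(password: str, salt: bytes = None) -> str:
    """The keyed scheme described in the thread: per-user salt plus a server-side
    key. The post uses Whirlpool; SHA-256 stands in here because Whirlpool is not
    guaranteed to be available in hashlib."""
    salt = salt or os.urandom(16)
    mac = hmac.new(SERVER_KEY, salt + password.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256$" + salt.hex() + "$" + mac


def scrypt_store(password: str, salt: bytes = None, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """The slow, memory-hard alternative: the cost parameters are stored with the
    record so they can be raised later without invalidating older entries."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), key.hex())


def verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    scheme, rest = record.split("$", 1)
    if scheme == "hmac-sha256":
        salt_hex, mac = rest.split("$")
        msg = bytes.fromhex(salt_hex) + password.encode()
        expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)
    if scheme == "scrypt":
        n, r, p, salt_hex, key_hex = rest.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(key.hex(), key_hex)
    raise ValueError("unknown scheme: " + scheme)


if __name__ == "__main__":
    for rec in (hmac_store("hunter2"), scrypt_store("hunter2")):
        print(rec, verify("hunter2", rec), verify("hunter3", rec))
```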

BobbyDigital
Thots and Prayers
41777 Posts

I'll just take this opportunity to repost this classic and informative XKCD

6/11/2012 11:18:42 AM

Arab13
Art Vandelay
45180 Posts

Very true.

6/11/2012 11:37:09 AM

Ernie
All American
45943 Posts

lewisje has a lot of acronyms and links

He must be very smart

6/11/2012 11:44:51 AM

quagmire02
All American
44225 Posts

Quote :
"wasn't salted"

it's stuff like this that continues to amaze me

6/11/2012 2:15:51 PM

lewisje
All American
9196 Posts

^indeed, and you'd think that a site used by, among others, security professionals to network would have figured out the sort of thing that is built into Zen Cart and phpBB

^^most of those initialisms (okay, SHA is an acronym) are in common use...
PHP - PHP: Hypertext Parser, the most common server-side scripting language on the Web: http://php.net/
CGI - Common Gateway Interface, the means by which a Web server can send certain files (like .php files) off to server-side executables (like the php program) for processing, before sending the output to the user
FTP - File Transfer Protocol, a simple protocol for sending files between a local computer and a remote server
SHA - Secure Hash Algorithm, one of a series of cryptographic hash algorithms approved by NIST (the National Institute of Standards and Technology) for ensuring the integrity of data transmission; the original was quickly shown to be flawed, the next (SHA-1) took longer to show any weakness, and although the SHA-2 suite has no known efficiently-exploitable weaknesses, NIST isn't waiting around for one to show up and has already announced a competition, to be completed sometime this year, for an even more secure hash suite to be denoted "SHA-3"
XOR - In the picture although not in my previous posts ITT, "eXclusive OR" can be thought of as the bitwise addition modulo 2 (addition of binary numbers without carry), or the logical operator that returns "true" if and only if the two operands have different truth values; for the purpose of cryptography, it's the former.
HMAC - Hash-based Message Authentication Code, usually used in TLS (Transport-Layer Security, f.k.a. SSL or "Secure Sockets Layer") to provide confirmation of integrity via the hashing and authenticity via the use of that shared key, in a way that prevents an attacker from determining the key itself, but also usable as a more convoluted variant of a salted hash for storing passwords
MD5 - Message Digest 5, an algorithm developed by Ron Rivest, who also co-developed the RSA (Rivest-Shamir-Adleman) encryption algorithm; after it was discovered to be vulnerable, he developed MD6 and briefly submitted it to the first round of the aforementioned NIST competition, and he also developed the RC4 encryption cipher ("Rivest Cipher 4," used in WEP, "Wired Equivalent Privacy," and also found to be insecure) and co-developed its latest successor RC6, which is patented by his firm, RSA Security
also RSA was first thought up by a guy named Cocks (lol) but he had to keep it under wraps because he worked for a British intelligence agency

^^^The comic was about making a password that is tough to crack for those who don't have access to the hash, not about using a hashing method that is resistant to cracking; however, for hashes that are either unsalted or salted with a common salt, more-common passwords are more vulnerable to rainbow tables.

[Edited on June 11, 2012 at 2:58 PM. Reason : also GNU's Not Unix lol]

6/11/2012 2:53:02 PM
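The XOR and HMAC definitions in the post above, carried through as an added example (not the thread's own code): HMAC built by hand from the key padded to the hash's block size, XORed with the ipad and opad constants, and checked against Python's hmac module. The hash is selectable, since, as the post says, any hash will do; the key and message values are constructed.

```python
import hashlib
import hmac


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: the 'addition modulo 2
    without carry' the post describes."""
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), where K' is the key
    brought to the hash's block size (hashed first if longer, zero-padded if shorter).
    Any hash works, as the post says; the name is passed straight to hashlib."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = xor_bytes(key, b"\x36" * block)
    opad = xor_bytes(key, b"\x5c" * block)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built construction against the hmac module."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


if __name__ == "__main__":
    print(hmac_from_definition(b"key", b"hello").hex(), matches_stdlib(b"key", b"hello"))
```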

Ernie
All American
45943 Posts

Quote :
"PHP - P Hypertext Parser,"


Wrong, motherfucker.

It's not that I don't know what these mean. I use many of these technologies on a daily basis. It's just that you sound like an absolute turd trying shove way too much lingo into every sentence.

[Edited on June 11, 2012 at 2:57 PM. Reason : ]

6/11/2012 2:55:12 PM

lewisje
All American
9196 Posts

I used those terms to describe my thoughts in a concise manner; it's much better than "that doohickey thurr" or vague language like "an even stronger hash," and it's not like I'm using intentionally flashy language like a typical "Web 2.0 SEO viral monetization ninja" to cover up the lack of substantive content.

6/11/2012 3:03:18 PM

Ernie
All American
45943 Posts

Still a turd

[Edited on June 11, 2012 at 3:13 PM. Reason : Usually it's obvious that you barely have even a shallow understanding of the technology when you po]

[Edited on June 11, 2012 at 3:13 PM. Reason : st shit like "WinMerge4Lyfe"]

6/11/2012 3:12:13 PM

EuroTitToss
All American
4790 Posts

holy fuck

6/11/2012 3:28:26 PM

lewisje
All American
9196 Posts

^^I was trying to be funny; the real reason I use that free merge program is that it is free.

[Edited on June 11, 2012 at 5:35 PM. Reason : Now if there were a free three-way comparison tool for Windows...]

6/11/2012 5:35:01 PM

© 2024 by The Wolf Web - All Rights Reserved.