Oh Look, Last.fm Lost Passwords Too!

Status: Not open for further replies.

agnickolov, Distinguished, Aug 10, 2006
The real problem is that the passwords are stored in the first place. If the site only stores hashes, that problem will never occur. You can't log in using a hash...

jryan388, Distinguished, Nov 1, 2009
Please excuse my ignorance, but I thought they were only stored as the product of some hashing algorithm, meaning they can't be plugged into the password field...
And I really, really doubt fb, yt or tw would fall prey to this. They are in a totally different league than these guys.

Khimera2000, Distinguished, Jul 16, 2009
This is getting out of hand. If these companies are not able to secure their networks, they need to stop asking for personal information, or the government needs to put a penalty in place for when they do get breached (feeding those penalties into a research effort for better security).

Khimera2000, Distinguished, Jul 16, 2009
We need to make these companies suffer a lot more for these kinds of breaches. I say levy a penalty for every password compromise, double that penalty for every year that it is not reported, and put all that cash into research dedicated to network security. On top of that, let that money flow into the companies with effective security track records.

If these companies are comfortable with the courts, then the only way to make them change is to have the fear that the next time can wipe out even Apple's profit for the year; make it so that if they "forget" to report this information they get heavy penalties.

In short, if these companies keep losing information that can be detrimental to our privacy and the security of our identity, the penalties have to be strong enough to be detrimental to their stability and their sustainability.

Let them fall, so others can build something better.

Rab1d-BDGR, Distinguished, Jan 3, 2009
[citation][nom]agnickolov[/nom]The real problem is that the passwords are stored in the first place. If the site only stores hashes that problem will never occur. You can't login using a hash...[/citation]

This, assuming your website is not built by complete idiots...

I wouldn't want my Facebook account to get out though, that would be really annoying. Tom's, I hope you're keeping our details safe too! =)

vittau, Distinguished, Oct 11, 2010
[citation][nom]agnickolov[/nom]The real problem is that the passwords are stored in the first place. If the site only stores hashes that problem will never occur. You can't login using a hash...[/citation]

Yes, it's a basic procedure, and I have no idea why so many companies do it wrong...

ibboard, Distinguished, Nov 23, 2011
[citation][nom]agnickolov[/nom]The real problem is that the passwords are stored in the first place. If the site only stores hashes that problem will never occur. You can't login using a hash...[/citation]

No, but you can brute-force a hash (or have a "rainbow table" of the common ones, which people will use surprisingly commonly). If your hash isn't salted with something specific to the site but stored separately from the password, then the attacker can get a lot of passwords very quickly by comparing hashes.

That said, I do know some sites that can send you your original password in plain text when you forget it (including sites that should know better, like the British Computing Society!). Most of these stories have been leaks of hashes, though.

yumri, Distinguished, Sep 5, 2010
[citation][nom]jryan388[/nom]Please excuse my ignorance, but I thought they were only stored as the product of some hashing algorithm, meaning they can't be plugged into the password field...And I really, really doubt fb yt or tw would fall prey to this. They are in a totally different league than these guys.[/citation]
Yes, but still, with that hash how will it be verified as the genuine password? Because, as you said, you cannot plug the hash into the password field to log in. Well, that goes the same for both sides: how can you check it if you do not know the password to check against?
What I would want to see is better encryption for website passwords and such, in the hope that different and/or multiple layers of encryption using different styles of encryption will prevent this from happening as much anymore.

freggo, Distinguished, Nov 22, 2008
[citation][nom]Khimera2000[/nom]this is getting out of hand. If these companies are not able to secure there networks, they need to stop asking for personal information, or the government needs to put a penalty in place for when they do get breached (feeding those penalties into a research effort for better security).[/citation]

What's next, penalize the bank after it gets robbed and let the robbers go free?
Let's face it, we need to stop glorifying hackers and put them away for a fair amount of time, just like the common criminals they are.
And I am not talking 12 months at a golf resort either!

vittau, Distinguished, Oct 11, 2010
[citation][nom]yumri[/nom]yes but still with that hash how will it be verified as the genuine password? Because as you said you cannot plug in the hash into the password field to log in well that goes the same for both sides how can you check it if you do not know the password to check against ?[/citation]
Read about how hashing works and you will understand.
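To make ibboard's point about salting and yumri's question about verification concrete, here is an added example (not code from Last.fm or from anyone in this thread): a salted PBKDF2 scheme, the unsalted single-hash scheme beside it, and a verifier that never needs the original password. The algorithm, iteration count and salt length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 200k rounds, 16-byte salt.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the site stores only this, never the password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Login check: re-hash the typed password with the stored salt and compare digests.
    The server never needs to know the original password, only whether the digests match."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))

def unsalted_hash(password: str) -> str:
    """The weak scheme ibboard describes: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def identical_records(password: str, salted: bool) -> bool:
    """Do two users who pick the same password end up with identical stored values?
    Unsalted: yes, so one precomputed table covers every user at once.
    Salted: no, so each record has to be attacked separately."""
    if salted:
        return hash_password(password) == hash_password(password)
    return unsalted_hash(password) == unsalted_hash(password)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "wrong"))                          # False
    print(identical_records("password123", salted=False))            # True
    print(identical_records("password123", salted=True))             # False
```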