News League of Legends breach leaks passwords, credit cards

It does beg the question if the payment system hasn't been used since 2011 why did they keep the hashed CC details in the database?

Code:

UPDATE customers_table
SET cc_hash = '<safe>'
WHERE date < '1/1/2012' AND security = 'Security? What security!'

 

At this point hackers dictionaries are so large and complex that even passwords many believe to be secure get hacked in minutes.

We need a replacement for passwords and we need it yesterday.

 

or just have a very strong password.

 

Like qeadzcwrsfxv1331? That's a strong password right?
Oh, turns out it isn't http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Now we have to use password managers to remember all these individual crazy passwords but that's a single point of failure. That really worries me.

 

I thought it's illegal for any merchant to keep transaction details for more than a short period of time?

The record of the transaction itself is kept, but I thought you can't keep any sort of card/personal details on file for too long?

 

Great link. Very enlightening. Scary, but informative.

Requiring users to change their password on a frequent basis would also help to mitigate some of the risk. As is, most sites only require a change once a data breach has happened. By then it could be too late, especially considering how long some companies drag their feet before publicizing the breach and notifying its customers.

 

Changing your passwords frequently, in my experience, leads to lower security as you now not only have to remember dozens (at least) passwords but also come up with new ones and then remember them.

Bearing in mind each should be at least 12 characters in length, use numbers and a combination of uppercase/lowercase letters spaced out and not just at the beginning or end of a word and not use names, films or anything else that is now in a hackers dictionary.

Passwords suck is what I'm saying.