
News RockYou passwords stolen

Discussion in 'Article Discussion' started by CardJoe, 16 Dec 2009.

  1. CardJoe

    CardJoe Freelance Journalist

    Joined:
    3 Apr 2007
    Posts:
    11,343
    Likes Received:
    292
  2. mi1ez

    mi1ez Active Member

    Joined:
    11 Jun 2009
    Posts:
    1,445
    Likes Received:
    18
    These people sound like idiots, but I wonder how many other companies have databases that are similarly insecure...

    I'll bet it's more than we'd even like to think about!
     
  3. yuusou

    yuusou Well-Known Member

    Joined:
    5 Nov 2006
    Posts:
    2,133
    Likes Received:
    332
    +1
     
  4. NickCPC

    NickCPC Member

    Joined:
    8 Apr 2009
    Posts:
    207
    Likes Received:
    14
    Most of their "gadgets" are rubbish anyway, I'm glad I don't use their "services".
     
  5. NuTech

    NuTech New Member

    Joined:
    18 Mar 2002
    Posts:
    2,222
    Likes Received:
    96
    Why on earth would they store passwords in their database? That's as irresponsible as it gets.

    This quote on their homepage made me laugh too -
    No, obviously we don't 'know'...
     
  6. BradShort

    BradShort Familyman - Fraggin when allowed :P

    Joined:
    23 Apr 2009
    Posts:
    436
    Likes Received:
    10
    No need to keep passwords, n00bs. If your data is that insecure I believe you should be able to sue.....
     
  7. sear

    sear Guest

    This is why you keep your personal information off the Internet as much as you can. Nothing is safe or secure anymore.
     
  8. TomH

    TomH And like that... he was gone.

    Joined:
    28 Nov 2002
    Posts:
    756
    Likes Received:
    6
    +2^9000
     
  9. Mr T

    Mr T 4 Left Into Long 3 Right

    Joined:
    14 Nov 2001
    Posts:
    1,742
    Likes Received:
    0
    What kind of n00b stores passwords in plaintext >_<
     
  10. mclean007

    mclean007 Officious Bystander

    Joined:
    22 May 2003
    Posts:
    2,035
    Likes Received:
    15
    And that concludes lesson 101 in why you shouldn't rely on SSL alone to secure user data - just because the user session is secure from snooping doesn't mean someone can't extract the data from your database. At an absolute minimum, passwords should be irreversibly hashed before being entered into a database. Preferably use a salt with HMAC (http://uk3.php.net/manual/en/function.hash-hmac.php) to prevent simple collision searches on hashed data. Hashing does increase database size (a typical password might be 8 chars, a typical hash is 128 or 160 bit, i.e. 32/40 hex chars or 27/22 base 64 chars) but that is a small price to pay, and the difference is unlikely to have substantial disk space / performance implications unless we're talking about a database the size of Facebook's.

    Also, encrypting everything isn't a bad idea (though usability / performance implications may make it impractical). Lastly, what clown left the backdoor open? It isn't hard to unescape every user-passed parameter to guard against MySQL injection. http://uk3.php.net/manual/en/function.mysql-real-escape-string.php
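    As an added example (not code from this thread, and not RockYou's or PHP's own code), the storage pattern mclean007 describes above, written in Python rather than the PHP the post links to: a random per-user salt fed into an HMAC-based derivation (PBKDF2-HMAC-SHA256, which iterates the HMAC the post recommends), a constant-time comparison on verification, and a parameterised lookup so that user input is bound as data rather than spliced into the SQL text. The iteration count, the record format, the table layout and the sample user `o'brien` are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Parameters chosen for this example (assumptions, not values from the thread).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storable record from a password.

    The record is self-describing: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes is useless against a dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Record used when the username does not exist, so a failed login costs the
# same time as a real one and does not reveal which usernames are registered.
DUMMY_RECORD = hash_password("placeholder-never-a-real-password")


def build_user_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_record TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only the derived record; the plaintext password is never written."""
    conn.execute("INSERT INTO users (username, password_record) VALUES (?, ?)",
                 (username, hash_password(password)))
    conn.commit()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up with a bound parameter: the username is data, not SQL text."""
    row = conn.execute("SELECT password_record FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing, then reject
        return False
    return verify_password(password, row[0])


def naive_lookup_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """The pattern the post warns against: user input spliced into the SQL string.

    Even a legitimate name containing an apostrophe ends the quoted literal early
    and the statement fails to parse; returns True when that happens.
    """
    try:
        conn.execute(f"SELECT password_record FROM users WHERE username = '{username}'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_user_db()
    register(db, "o'brien", "correct horse battery staple")
    print("login ok:", authenticate(db, "o'brien", "correct horse battery staple"))
    print("wrong password rejected:", not authenticate(db, "o'brien", "guess"))
    print("naive string query breaks on the apostrophe:", naive_lookup_breaks(db, "o'brien"))
```

    The point of the bound parameter is that escaping is no longer the application's job: the database driver sends the username separately from the statement, so the apostrophe in `o'brien` that breaks the string-built query is handled correctly without any call to an escape function. The dummy verification on an unknown username is the small extra the post does not mention; without it, a login attempt against a non-existent account returns measurably faster than one against a real account.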
     
  11. mclean007

    mclean007 Officious Bystander

    Joined:
    22 May 2003
    Posts:
    2,035
    Likes Received:
    15
    double post
     
    Last edited: 16 Dec 2009
  12. bigsharn

    bigsharn Officially demotivated

    Joined:
    9 May 2008
    Posts:
    2,603
    Likes Received:
    83
    I think I've got a Bebo with RockYou Horoscope on it from about 4 years ago with the name Bigsharn Macwartbutt and the address of the whitehouse... so I'm not worried :p
     
  13. 1ad7

    1ad7 New Member

    Joined:
    13 Feb 2008
    Posts:
    263
    Likes Received:
    1
    Awesome... wow... that's retarded.
     
  14. airchie

    airchie New Member

    Joined:
    22 Mar 2005
    Posts:
    2,136
    Likes Received:
    2
    That is some special skills right there...
     
  15. sub routine

    sub routine Archie Gemel

    Joined:
    27 Sep 2007
    Posts:
    282
    Likes Received:
    2
    pfft no encryption,

    10 days to inform everyone.

    What a bunch of c*Nts
     