It is actually a lot easier than you think. We have teraflops of processing power available now in GPUs. It is much easier to do than it used to be. We already know the person who did the attack knew the salt and the hash for arn's password.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MacRumors Forums: Security Leak
- Thread starter MacRumors
- Start date
- Sort by reaction score
It is actually a lot easier than you think. We have teraflops of processing power available now in GPUs. It is much easier to do than it used to be. We already know the person who did the attack knew the salt and the hash for arn's password.
Cool.
And from what I understand, using something like bcrypt instead of MD5 would make generating the rainbow take too long in the first place, mooting discussion about the size of the table?
A small correction to this. 1Password has a Windows Phone app. Also if you sync via dropbox, you can have read only access on Linux or on a computer you don't have the software installed on..
You might as well stay now that something like this has already happened. There's a very low chance it will happen again soon because security should be improved over the next few days.
I'm sure that's what people who we're using the sony network said lol
This is ridiculous. Is there no one that can come up with a better authentication methodology than user names and passwords? We have so many accounts and the demands put on us by IT and security people basically equates to "if you can access your own data, it's not secure enough", and "even if you can't remember your login credentials, someone else is likely to find them eventually".
I have a document with all my account info for my own reference, snd my friend has all hers in a spreadsheet. I won't put my passwords into a public service that is owned by any entity that's attractive to hacking. What happens when Lastpass, 1Password or iCloud keychain are cracked and violated? Personal server storage is less likely to be targeted than an account service or Apple, et all.
I have a document with all my account info for my own reference, snd my friend has all hers in a spreadsheet. I won't put my passwords into a public service that is owned by any entity that's attractive to hacking. What happens when Lastpass, 1Password or iCloud keychain are cracked and violated? Personal server storage is less likely to be targeted than an account service or Apple, et all.
Not sure I understand. The dude has access to 800000+ accounts, minus only those who've seen this thread or the email. All he'd have to do is re-prove his identify with a second unused account, and another piece of unreleased data.
As a former IT guy who went on to battle against his own IT overlords, I find this hilarious.
Last edited:
If they have a Windows Phone app, they don't mention it on their site.
Are you referring to 1PasswordAnywhere?
This article is a year old. oclhashcat-plus is significantly quicker now, as is the available hardware, and this was just a few boxes, nothing on what you can spin up on a cloud. 80k years for a 9 character MD5 password? No chance.
http://www.zdnet.com/25-gpus-devour-password-hashes-at-up-to-348-billion-per-second-7000008368/
21 posts in 5 years.. Had lol's account been hijacked it would have been disabled.
At least one would think.
Personally ? I think a moderator did it. But that's just my conspiracy mind drifting.
How secure is 1Password etc?
How secure are these password management programs? My hesitation with using them has always been that the incentive to hack these services must be enormous because of the payoff if you succeed even if they have a higher level of security and no security method is perfect. But I admit to having virtually no technical knowledge of the subject so I was curious if those who do could chime in?
How secure are these password management programs? My hesitation with using them has always been that the incentive to hack these services must be enormous because of the payoff if you succeed even if they have a higher level of security and no security method is perfect. But I admit to having virtually no technical knowledge of the subject so I was curious if those who do could chime in?
Hey man you really should be using the 2 step verification process on your Apple ID from now on
*NOTE* Using new password
I only use 1Password, so I will speak to that.
* Tamper-proof Authenticated Encryption
* AES-256 using Encrypt-then-MAC
* Openly published security design
* Decrypted data is never written to disk
* GPU resistant PBKDF2-HMAC-SHA512
Basically, your password database (file) is encrypted, so even if someone gets it, good luck. Your master password has to be tough though. It took me a while to get one that meets "excellent" standards. But once you get it, even if it's 20 characters in length, you'll learn it quickly. Now, I can blow past 20 in a couple seconds.
I've been using 1Password for years, and because they store nothing, it's all encrypted on my local Mac, unlike say LastPass. I prefer to do it myself with an app, rather than an online solution.
I log into dozens of sites a day, and 1Password is such a life saver.
----------
Have you used 1Password? You are not storing you data online with some service, unless you choose to use MobileMe syncing. But you do not need to sync via.... wait I just said MobileMe... lol leaving that in there. iCloud I mean. You can do a local sync.
If AES 256 gets cracked, we all better have some extra underwear at hand. I'm not too worried about that. Even if one could easily crack with some major exploit, they still have to get it off my FileVaulted/Firewalled Mac.
----------
Hey, let's start posting our old MR passwords!
My old MR password was: FX,p38*7CUz6_&LHRkY%
*NOTICE* ONLY post if it was a one-off password and you no longer use it ANYWHERE.
I use Keepass and it's great, doesn't have any downsides for me at least, the fact any and all data is strictly local in your own control is a humongous plus point I definitely don't like the sound of being able to log into view your passwords over the internet, along with the fact it is open source so there is that transparency so you are not trusting someone else's word that your data is safe.
Keepass seems to have an app for every OS out there iOS, Android and WP are covered but so are Symbian and PalmOS!
But 100% local and open source was definitely the reason Keepass is the one for me.
Also on a side note and goes for all password managers, they make your life soooo easy, stupidly long secure passwords unique for every site, easy, you just have to have to remember one secure password for the database and you're set.
I thoroughly recommend everyone to use a password manager, at least test one out for a few sites just to see what it's like and if it's for you.
using salt and peppers makes password brute force IMPOSSIBLE.
you salt your passwords and pass them through a pepper server whose only allowed IP is the web servers.
someone can dump your password tables but cannot crack ANY passwords without your pepper server, Furthermore you can roll your pepper keys every 15 minutes.
such as password hash = 4f6938531f0bc8991f62da7bbd6f7de3fad44562b8c6f4ebf146d5b4e46f7c17
then passes to pepper server to add another random 50 char's rolling every 15 mins.
the pepper server simply records times passwords are recorded and adds the rolled key for that time frame, ONLY the web server can request this action.
you simply store those peppered salts in the DB and they MUST be passed back through the pepper server to be useful.
this can be built in php in a matter of 20 minutes.
Last edited:
Presumably entirely coincidentally Yahoo forced me to change my password (on the email account linked to my account here) because of 'unusual activity'. This is the first time in around a decade of my using their service that they have done this. This was on the 6th though, so too early to be related, right?
