It is lacking in nuance, information, and clarity. (Surely a significantly strong password wouldn't be immediately cracked when hashed & salted, right? I don’t know for sure, and that comment isn't helping.)
If you read the article, it says the passwords are hashed and salted. So I think the comment is appropriate... I don't think this is the same thing as passwords being sold at all.
This was sarcasm right? In all seriousness though, I think titles like "passwords stolen" are a little misleading. Article titles should either be "hashed passwords stolen" or "plaintext passwords stolen" IMO.
No, he's absolutely right. Single-iteration SHA-1 is extremely inappropriate for password hashing, and all salting does is prevent rainbow table attacks and instant reversal of duplicate hashes. It does not slow down non-precomputed attacks one bit.
It's much better than plaintext, but essentially only a little bit better than unsalted MD5.
I'm really surprised Tumblr would use such an awful password storage scheme as late as 2013. I thought they invested a lot into security?
From the perspective of trying to crack a single user's account the salt does not slow down non-precomputed attacks at all. From the perspective of trying to crack the entire database, or a significant portion of it, it multiples the work required by N (where N is the desired number of cracks to perform).
I consider precomputed attacks a special case of these attacks, sort of. In the security world, most password-predicting attacks are linear with respect to the amount of accounts you're trying to get passwords for.
It's true that it will take a lot of hardware to efficiently attack all 65 million passwords. But in my field, big dumps like these are a godsend when doing a pentest.
Looking to compromise a sysadmin's account? Search his/her emails and aliases in as many DB dumps as you can find, then expend a lot of resources cracking that one hash. If it's just a SHA-1 hash and the password isn't very strong, you won't have much trouble.
Also a risk for people with vendettas against specific tumblr users (which, to my understanding, is a big issue on tumblr).
Brute force as an attack vector is dealt with by requiring "strong" passwords, not by using scrypt, so the thought of using a hash that protects all passwords equally with respect to the time it takes to try one, as an extra layer of defense for those weakest of the "strong" passwords, doesn't usually come up unless you're actually looking into how to design a login system instead of just copying from somewhere/some book as fast as you can and moving on. This issue with Tumblr that late doesn't surprise me at all.
At least one major benefit of SHA over MD5 is that you won't trivially find collisions and thus compromise the accounts of even those users with strong passwords...
salted with what? unique salts per password? hashed with what? in many cases you're 5 minutes away from plaintext passwords, so the distinction is meaningless.
I've changed my Tumblr password after this just in case, but it was some approximately hundred character random password generated by Lastpass before that.
So let's say half the ASCII range, which gives us this number of possible passwords:
the heat death of the universe, or until an attacker realized Lastpass has been breached multiple times, and they already have every password you've ever used with it.
It's amazing. Just about every single one of my email addresses have been compromised in one way or another, how could it be there are so many websites with such bad security.
Knowing who leaked your email or sold it to spammers
Being able to stop spam by deleting the email
You could even consider binding the email to a domain so the address would only accept emails from the domain you gave this email address.
You don't really want different mailboxes, you want one mailbox with different aliases. An alias becomes a "communication token" which can be revoked, very much like when paypal gives a payment authorisation token to an ecommerce website. If that token gets leaked, no big deal, no one else can use it. A single email address is more like a credit card number.
Because security is actually really hard, contrary to popular opinion.
As an industry, I think we need to rethink the way we develop, package, and deploy web apps. The fact that we rely on individual developers and sysadmins to get security right, perfectly, every time is crazy. In an ideal world the prod environment should protect me from shooting myself in the foot, and the OS should be running a hardened-by-default, single-purpose system image that doesn't require bespoke knowledge to make secure.
While far from perfect, I think the PaaS vendors (AppEngine and Heroku) got a lot of things right in this regard.
[Disclaimer: I work for Google, but not on Google Cloud.]
> Because security is actually really hard, contrary to popular opinion.
But some of the password hashing algos used, no salting, making all password characters lower-case in the background, etc. are not hard things to avoid. So when a site is hacked and the user information stolen and we find that stuff out, it's safer to assume other security practices where also subpar.
For big sites, I have a hard time blaming it on a bad developer. Early in my career, I worked for a company that stored it's passwords in plain-text. I suggested on many occasions stop doing this and was always told no because the site had an older audience and they wanted to make it easy to send password reminders, which also meant they were emailing passwords in plain-text. This came from the tech director and CEO and none of the other devs seemed to care.
A few years after I left, their DB was compromised, so someone got a list of email addresses with clear text passwords.
Just got an email today from the same site that I am in the leaked myspace dataset. Is this a new dataset or else why are they notifying me only today?
According to this site, the Myspace data set contains a profile with an email I wasn't issued until 2012. So my university reissues emails. So I could probably throw it into a bunch of "recover password" forms. That kinda sucks.
So when my email gets reissued i'll have to track down every single website it's linked to and purge any personal information etc. Fantastic.
You should push for them to change that practice. If your e-mail address isn't permanent, you probably shouldn't register it with other sites, or else track every site that uses it for authentication (account recovery) so you can update to your new e-mail address when you move on.
Out of curiosity, what do the usernames (aka local part) of the e-mail addresses look like? Are they based on names/initials? Are they arbitrary?
most universities where I live use either stu120691 [at] mail.uni-kiel.de, or stu120691 [at] informatik.uni-kiel.de, or allow you to choose a custom prefix for prefix [at] stu.uni-kiel.de and prefix [at] informatik.uni-kiel.de
(those addresses are mine, first the generic ID, then the generic ID [at] faculty, then prefix [at] generic (I don’t have one), then prefix [at] faculty; first comes first serve on prefixes)
This has reminded me to sign up all my emails for alerts, and makes me glad I started using Lastpass back in 2012 and almost all my logins these days are separate and very long passwords.
There is no such thing as unbreakable security. You always have to compromise security for usability somewhere. I trust LastPass' procedures more than I do most websites'.
you don't trust yourself or your ability to maintain a single list of key->values better than a 3rd party?
lastpass has been hacked multiple times revealing ALL your passwords. the compromise is obviously to not use it and when ONE of the services you used is hacked you lose ONE account rather than them all.
While I agree with you, Lastpass has been hacked in the past, and if you store all your passwords in one place it's really open-kimono time when there's a breach.
I've taken to doing the thing they tell you never to do: I write my passwords down on a piece of paper. Criminals can get access to my passwords, but they're going to have to travel to my house to do it.
That site is amazing and it is shocking how many of my emails have been compromised by random games I've played.
For example, D&D Online and Heroes of Newerth both were compromised.
Here's my question...what recourse is there beyond resetting passwords? If a company did something as dumb as store my PW in plaintext, do I have any realistic legal recourse for what seems pretty negligent? I'd assume I'd have to prove damages of some sort, and I am not a fan of an overly litigious society, but it seems there is no real recourse for impacted users.
If you don't know what HaveIBeenPwnd is, you type in your email to check if it is involved in any data breaches online. They don't give you the actual data back.
Problem with 2FA is: what happens when you're traveling internationally and don't have access to your phone number, and need to look up your bank balance or something where you've employed 2FA?
You still need your phone for that. If you're out of battery charge, you're temporarily locked out. If you loose your phone, you're locked out until you recover the number. If you can't recover the number for some reason, then what?
People downplay the probability and importance of these issues, but the situations where you loose your phone are often the situations where you need access to your online accounts. One such situation can do far more damage than all the hacks combined. (For example, someone steals your backpack with your phone and wallet. Horror scenario: someone steals your backpack with your phone and wallet in a foreign country.)
In short, loss of access must be considered as a tradeoff.
Loosing anonymity due to phone-based 2FA is another issue that never seems to be considered in these discussions.
Finally, phone-based 2FA discourages you from splitting your accounts. (It's a bit of a hassle even with one email. Imagine managing 5 or 6.)
That's when you use the one-time passwords you generated and printed out in case of just such an emergency. Most (important) services I've enabled 2FA on make this an explicit step.
2FA isn't limited to a single device. With 1Password, a TOTP code is available on my laptop, on my phone, on my watch, via an encrypted backup, etc. If you have access to a computer, you can access your second factor. That's not even counting paper backups as others have mentioned.
Not sure how anonymity factors in here. How can typing a number into your phone to set up TOTP then typing the resulting numbers back into your already-authenticated account deanonymize you?
Finally, yes, adding more security is a hassle. But if you're willing to add 5 seconds to your login on one account, I don't see why you'd be super against doing that for multiple accounts.
Just looking at the haveibeenpwned.com it links to the cryptically poor Adobe password were. I am fascinated by how popular certain passwords are:
http://stricture-group.com/files/adobe-top100.txt
It appears some random words aren't necessarily random. Words like 'shadow' and '1q2w3e4r'.
Don't forget adding ! or 101 and so on to the end of a password and capitalizing the first letter. "Password1!" is likely to pass complexity and length requirements quite well.
The top ten passwords in the in the adobe hack account for 2.8% of all passwords. About 1/35 used one of ten passwords. That's frightening to think about. Thanks for the share.
My opinion is that people who commit those acts need to be killed as an example to others.
Some will argue that they perform a public service of some sort, but the fact is, they're bullies, plain and simple. They are past any public service point and now are off into lulzland, where they're selling this information because they will profit from it. I cannot envision that there is any sense of remorse in these people, either.
I am fairly certain they will get away with this - odds are against them ever being caught in a country with a decent enough justice system to apply a lasting verdict. Even finding enough proof to convict is a very long shot.
The part of me that despises bullies, though, wants to line them up in front of their colleagues and say "Do what you want, but remember, there are consequences. This is consequences." and turn them into a thin, red smear.
I try to avoid posting while angry these days, because it's really pretty useless. Sometimes, though, can't help it.
You lack context. Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.
It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.
NSA spy people and have probably more private information than your Ashley Madison "secret" email. There more dark web than you can imagine and hacking Tumblr is just silly.
> Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.
And that justifies their acts?
You're right. It's easy to be all moral and ethical when you don't face those kinds of challenges. I'll even grant you that I have failed a few moral and ethical challenges while living in my safe little world.
I own that.
And I have zero sympathy for those bastards. They made a choice to steal and then a further choice to release that information for others to do more harm and to try and make money while doing it.
You know the saddest part?
I look at all the threads related to this story and I'm the only one who's even outraged by this. Most people are pretty blasé about it (kind of understandable) and many of you are defending their actions.
Are we that disconnected that we no longer recognize right and wrong? Have we reached a point where we can say "Fuck the 1st worlder. He can buy more privilege."?
Because life is not black and white. Everything is is just shade of grey.
Russian Hacker have a choice:
- hack for Russian Government, potentially leading to people being killed.
- hack for blackmail where hacked western company will need to pay fee data/ddos.
- work as bounty hunter making pennies for sometimes weeks of work.
Someone from US with the same skill is working as:
- penetration tester,
- security consultant,
- do bounty hunting as hobby
Majority of hacks you will never hear, It is only happening when:
a) Company decide not to pay blackmailers and screw the users,(Tumblr?)
b) Competing company pay for hack to destroy competitor(Ashley Madison?),
c) Is done by foreign country as mean of attack (Estonia/Github)
Single people being blackmailed is usually done by friends family. Let say that you "best" friend knew about "your" Ashley Madison account, he would use this as opportunity to blackmail.
Were Russian vegetate in the middle of Siberia, US gentleman is having fancy dinners in SF. If you want to have moral outrage do it for US companies Yahoo, Google for sharing data with Chinese Gov.
>Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.
In my experience this simply isn't true. The part about nationalities, yes somewhat. But these guys certainly mostly aren't living in particularly bad situations, they're just guys that figured out that the risk/reward ratio is heavily in their favor.
>It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.
You can hardly compare a "normal job", even if it pays 200k a year to a part time job where you can make anything between 500k to millions of dollars a year.
"Anyone who disagrees with my assertion should fuck themselves with a rusty bat"
The only site that does it more excessivly is 4chan but there is no vitriol in their statements they're just trying to shock. Tumblrites are saying it loud and unabashed in an effort to create comedy, but there is truth in their "jokes" and it seeps through.
Being "allowed to live" after exposing bad security is something you only hear in really exceptionally bad countries, or tumblr.
I wish i could find my hash because I used tumblr back then but have deleted my account since then. I just want to know if it is a password i'm still using or not.
well I have a lot of accounts I don't care much about, but it's still nice to know. the ones I do care about: Amazon, banking, Facebook etc do you have unique passwords.
91 comments
[ 3.1 ms ] story [ 151 ms ] threadIt's much better than plaintext, but essentially only a little bit better than unsalted MD5.
I'm really surprised Tumblr would use such an awful password storage scheme as late as 2013. I thought they invested a lot into security?
I consider precomputed attacks a special case of these attacks, sort of. In the security world, most password-predicting attacks are linear with respect to the amount of accounts you're trying to get passwords for.
It's true that it will take a lot of hardware to efficiently attack all 65 million passwords. But in my field, big dumps like these are a godsend when doing a pentest.
Looking to compromise a sysadmin's account? Search his/her emails and aliases in as many DB dumps as you can find, then expend a lot of resources cracking that one hash. If it's just a SHA-1 hash and the password isn't very strong, you won't have much trouble.
Also a risk for people with vendettas against specific tumblr users (which, to my understanding, is a big issue on tumblr).
At least one major benefit of SHA over MD5 is that you won't trivially find collisions and thus compromise the accounts of even those users with strong passwords...
I've changed my Tumblr password after this just in case, but it was some approximately hundred character random password generated by Lastpass before that.
So let's say half the ASCII range, which gives us this number of possible passwords:
I'm pretty sure even if it's just stored as single-iteration sha1() cracking it would take until the heat death of the universe.Still, the hash time for a SHA1 is fairly insignificant at this point.
you're an:
https://haveibeenpwned.com/
Knowing who leaked your email or sold it to spammers
Being able to stop spam by deleting the email
You could even consider binding the email to a domain so the address would only accept emails from the domain you gave this email address.
You don't really want different mailboxes, you want one mailbox with different aliases. An alias becomes a "communication token" which can be revoked, very much like when paypal gives a payment authorisation token to an ecommerce website. If that token gets leaked, no big deal, no one else can use it. A single email address is more like a credit card number.
The per_site_suffix can be anything you want.
As an industry, I think we need to rethink the way we develop, package, and deploy web apps. The fact that we rely on individual developers and sysadmins to get security right, perfectly, every time is crazy. In an ideal world the prod environment should protect me from shooting myself in the foot, and the OS should be running a hardened-by-default, single-purpose system image that doesn't require bespoke knowledge to make secure.
While far from perfect, I think the PaaS vendors (AppEngine and Heroku) got a lot of things right in this regard. [Disclaimer: I work for Google, but not on Google Cloud.]
But some of the password hashing algos used, no salting, making all password characters lower-case in the background, etc. are not hard things to avoid. So when a site is hacked and the user information stolen and we find that stuff out, it's safer to assume other security practices where also subpar.
A few years after I left, their DB was compromised, so someone got a list of email addresses with clear text passwords.
http://www.businesswire.com/news/home/20160531005770/en/Time...
So when my email gets reissued i'll have to track down every single website it's linked to and purge any personal information etc. Fantastic.
Out of curiosity, what do the usernames (aka local part) of the e-mail addresses look like? Are they based on names/initials? Are they arbitrary?
My high school followed a similar structure, but had the graduating year as a suffix, implying that they would never be reused.
I wouldn't be surprised if this was rampant in educational institutions who have to provision emails to people with identical names all the time.
(those addresses are mine, first the generic ID, then the generic ID [at] faculty, then prefix [at] generic (I don’t have one), then prefix [at] faculty; first comes first serve on prefixes)
I'm not sure what to make of that information, since I know it's not a recycled email address.
lastpass has been hacked multiple times revealing ALL your passwords. the compromise is obviously to not use it and when ONE of the services you used is hacked you lose ONE account rather than them all.
I've taken to doing the thing they tell you never to do: I write my passwords down on a piece of paper. Criminals can get access to my passwords, but they're going to have to travel to my house to do it.
For example, D&D Online and Heroes of Newerth both were compromised.
Here's my question...what recourse is there beyond resetting passwords? If a company did something as dumb as store my PW in plaintext, do I have any realistic legal recourse for what seems pretty negligent? I'd assume I'd have to prove damages of some sort, and I am not a fan of an overly litigious society, but it seems there is no real recourse for impacted users.
- HaveIBeenPwnd contains the data on sale here
People downplay the probability and importance of these issues, but the situations where you loose your phone are often the situations where you need access to your online accounts. One such situation can do far more damage than all the hacks combined. (For example, someone steals your backpack with your phone and wallet. Horror scenario: someone steals your backpack with your phone and wallet in a foreign country.)
In short, loss of access must be considered as a tradeoff.
Loosing anonymity due to phone-based 2FA is another issue that never seems to be considered in these discussions.
Finally, phone-based 2FA discourages you from splitting your accounts. (It's a bit of a hassle even with one email. Imagine managing 5 or 6.)
Not sure how anonymity factors in here. How can typing a number into your phone to set up TOTP then typing the resulting numbers back into your already-authenticated account deanonymize you?
Finally, yes, adding more security is a hassle. But if you're willing to add 5 seconds to your login on one account, I don't see why you'd be super against doing that for multiple accounts.
It appears some random words aren't necessarily random. Words like 'shadow' and '1q2w3e4r'.
Fascinating!
> Oh no! Someone has my email address and unique hashed password, they should be shot!
We detached this subthread from https://news.ycombinator.com/item?id=11809297 and marked it off-topic.
My opinion is that people who commit those acts need to be killed as an example to others.
Some will argue that they perform a public service of some sort, but the fact is, they're bullies, plain and simple. They are past any public service point and now are off into lulzland, where they're selling this information because they will profit from it. I cannot envision that there is any sense of remorse in these people, either.
I am fairly certain they will get away with this - odds are against them ever being caught in a country with a decent enough justice system to apply a lasting verdict. Even finding enough proof to convict is a very long shot.
The part of me that despises bullies, though, wants to line them up in front of their colleagues and say "Do what you want, but remember, there are consequences. This is consequences." and turn them into a thin, red smear.
I try to avoid posting while angry these days, because it's really pretty useless. Sometimes, though, can't help it.
It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.
NSA spy people and have probably more private information than your Ashley Madison "secret" email. There more dark web than you can imagine and hacking Tumblr is just silly.
And that justifies their acts?
You're right. It's easy to be all moral and ethical when you don't face those kinds of challenges. I'll even grant you that I have failed a few moral and ethical challenges while living in my safe little world.
I own that.
And I have zero sympathy for those bastards. They made a choice to steal and then a further choice to release that information for others to do more harm and to try and make money while doing it.
You know the saddest part?
I look at all the threads related to this story and I'm the only one who's even outraged by this. Most people are pretty blasé about it (kind of understandable) and many of you are defending their actions.
Are we that disconnected that we no longer recognize right and wrong? Have we reached a point where we can say "Fuck the 1st worlder. He can buy more privilege."?
Russian Hacker have a choice: - hack for Russian Government, potentially leading to people being killed. - hack for blackmail where hacked western company will need to pay fee data/ddos. - work as bounty hunter making pennies for sometimes weeks of work.
Someone from US with the same skill is working as: - penetration tester, - security consultant, - do bounty hunting as hobby
Majority of hacks you will never hear, It is only happening when: a) Company decide not to pay blackmailers and screw the users,(Tumblr?) b) Competing company pay for hack to destroy competitor(Ashley Madison?), c) Is done by foreign country as mean of attack (Estonia/Github)
Single people being blackmailed is usually done by friends family. Let say that you "best" friend knew about "your" Ashley Madison account, he would use this as opportunity to blackmail.
Were Russian vegetate in the middle of Siberia, US gentleman is having fancy dinners in SF. If you want to have moral outrage do it for US companies Yahoo, Google for sharing data with Chinese Gov.
In my experience this simply isn't true. The part about nationalities, yes somewhat. But these guys certainly mostly aren't living in particularly bad situations, they're just guys that figured out that the risk/reward ratio is heavily in their favor.
>It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.
You can hardly compare a "normal job", even if it pays 200k a year to a part time job where you can make anything between 500k to millions of dollars a year.
Are you by chance a tumblr user?
"Anyone who disagrees with my assertion should fuck themselves with a rusty bat"
The only site that does it more excessivly is 4chan but there is no vitriol in their statements they're just trying to shock. Tumblrites are saying it loud and unabashed in an effort to create comedy, but there is truth in their "jokes" and it seeps through.
Being "allowed to live" after exposing bad security is something you only hear in really exceptionally bad countries, or tumblr.