On 08/12/2014 11:06 AM, Greg Freemyer wrote:
> On Tue, Aug 12, 2014 at 8:42 AM, Anton Aylward <opensuse@antonaylward.com> wrote:
>> . . . but one reads frightening stuff like hackers scooping millions of passwords
>
> Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
>
> From what I understand there are nefarious sites where I can get millions of actual passwords that people have used. Then I can get the hashed equivalent of all those passwords.
>
> Thus a bad actor can pull down the million or more most common passwords and their Linux equivalent hash. If he can then get access to the hashed passwords maintained in /etc, with a relatively quick reverse lookup he can determine what the password was for each account.
I'm not arguing with what you are saying but I think you are missing my point.

So there are sites which have gathered together millions of passwords. But they haven't got those by visiting machines like ellanios's step-and-repeat one by one and seeing that she and others have a text file wherein they keep their passwords and Lo! It's not encrypted. Rather they visit the sites that people like ellanios, you and me have accounts at but are run by admins who are less savvy and have allowed their systems to be hacked and either don't have one-way encryption of their passwords, keep them in cleartext or whatever, AND have allowed the hackers to break in and take whatever they want.

Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA-3 in 512-bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.

But the real issue is that most of this is outside your control. It is the weaknesses in the sites you visit that are the issue, and sites like Yahoo, Google and Amazon are tempting because they have tens of millions of accounts. And these are real accounts, not the spamgrabbers like "junk@....".

Finally, that hacker is not interested in what's in your /etc/password. He, she or increasingly 'it' - since this is getting to be a business and not a lone geek - is interested in what's in your bank account, your PayPal account (since that's all integrated with eBay). Look at what's integrated with Google these days under a 'single sign-in'. Look at what can be federated to your LinkedIn sign-in.

Yes, I, and ellanios, may have lists of other accounts on our machines, but why would the hacker bother when he has the rich trove from breaking in to some service provider? Plain text. Heck, I can even keep my password in an old moleskin that I keep behind the books on the shelf by my computer in case I ever lose my disk and all my backups, and SO FREAKING WHAT!!!

Someone would have to break into my house, pass up on many more valuable things in display cabinets, rip down all my books and recognise that the tatty old moleskin is the key to accessing my ..... G+ account.

Like I said, it's about risk management. Your greatest risk is in the web sites out there you access.
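Added example, not from the thread: the difference between the precomputed "common password to hash" lookup Greg describes and the salted hashing Anton refers to, in Python. It uses PBKDF2-HMAC-SHA512 as a stand-in for the salted sha512-crypt scheme used in /etc/shadow, and a constructed five-entry password list in place of a leaked list.

```python
import hashlib
import os

# Constructed stand-in for the leaked "millions of passwords" lists the thread mentions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]
ITERATIONS = 50_000  # work factor per guess (real sha512-crypt defaults to 5000 rounds)


def unsalted_sha512(password: str) -> str:
    """Plain hash: the same password yields the same digest on every site, forever."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA512), standing in for sha512-crypt.
    A per-account random salt means no table can be computed ahead of time."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS).hex()


def build_lookup_table(passwords):
    """The precomputed 'common password -> hash' table: built once, reused everywhere."""
    return {unsalted_sha512(p): p for p in passwords}


def reverse_unsalted(stored_hash: str, table):
    """One dictionary probe; the holder of the table does no hashing at all."""
    return table.get(stored_hash)


def reverse_salted(stored_hash: str, salt: bytes, passwords):
    """With a salt the table is useless: every candidate must be re-hashed under
    this account's salt, so the full cost is paid again for every single account."""
    return next((p for p in passwords if salted_hash(p, salt) == stored_hash), None)


def demo(password: str = "letmein"):
    """Same password stored three ways; returns what a table lookup recovers."""
    table = build_lookup_table(COMMON_PASSWORDS)
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # two accounts, same password
    stored_plain = unsalted_sha512(password)
    stored_a, stored_b = salted_hash(password, salt_a), salted_hash(password, salt_b)
    return {
        "plain_lookup": reverse_unsalted(stored_plain, table),  # 'letmein', instantly
        "salted_lookup": reverse_unsalted(stored_a, table),     # None: no table entry
        "two_accounts_same_salted_hash": stored_a == stored_b,  # False: salts differ
        "salted_guesses_per_account": len(COMMON_PASSWORDS),    # rehash the whole list
        "salted_found": reverse_salted(stored_a, salt_a, COMMON_PASSWORDS),
    }
```

Note that the salted hash is still recovered when the password itself is on the list; the salt only removes the precomputation shortcut, which is why the thread's advice about the password list mattering more than the hash scheme still stands.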