On Tue, Aug 12, 2014 at 8:42 AM, Anton Aylward <opensuse@antonaylward.com> wrote:
. . . but one reads frightening stuff like hackers scooping millions of passwords
Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
From what I understand there are nefarious sites where I can get millions of actual passwords that people have used. Then I can get the hashed equivalent of all those passwords.
Thus a bad actor can pull down the million or more most common passwords and their Linux equivalent hash. If he can then get access to the hashed passwords maintained in /etc, with a relatively quick reverse lookup he can determine what the password was for each account.

I do more of this in the Windows world than in Linux, but in Windows the first thing an attacker goes for after they breach a PC is the SAM files. Those have the Windows encrypted passwords. With that, they run reverse lookups to figure out what the various user passwords are. I've watched a white-hat cracker break the administrator password on a Windows box in under 10 minutes after he got the SAM file.

Thus the secret is to have long, unusual passwords if you want them to be secure even if someone is able to get the hashed version of your password. I assume OpenOffice docs have the hashed password embedded in them somewhere, so for them it is especially important the password be long and unusual.

Greg
--
Greg Freemyer