Slashdot Mirror


Mozilla Posts File Containing Registered User Data

wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."

154 comments

  1. atleast by Anonymous Coward · · Score: 1

    at least they told their users

    1. Re:atleast by Anonymous Coward · · Score: 0

      At least they say that they have told their users.

      There fixed that for you, since I'm an affected user and I never got an e-mail about it (and I've checked my spam folders).

    2. Re:atleast by JackieBrown · · Score: 3, Informative

      I got one last night.

      Mozilla Add-ons to davidbroome
      show details 6:52 PM (11 hours ago)
      Dear addons.mozilla.org user,

      The purpose of this email is to notify you about a possible disclosure
      of your information which occurred on December 17th. On this date, we
      were informed by a 3rd party who discovered a file with individual user
      records on a public portion of one of our servers. We immediately took
      the file off the server and investigated all downloads. We have
      identified all the downloads and with the exception of the 3rd party,
who reported this issue, the file has been downloaded by only Mozilla
      staff. This file was placed on this server by mistake and was a partial
      representation of the users database from addons.mozilla.org. The file
      included email addresses, first and last names, and an md5 hash
      representation of your password. The reason we are disclosing this event
      is because we have removed your existing password from the addons site
      and are asking you to reset it by going back to the addons site and
      clicking forgot password. We are also asking you to change your password
      on other sites in which you use the same password. Since we have
      effectively erased your password, you don't need to do anything if you
      do not want to use your account. It is disabled until you perform the
      password recovery.

      We have identified the process which allowed this file to be posted
      publicly and have taken steps to prevent this in the future. We are also
      evaluating other processes to ensure your information is safe and secure.

      Should you have any questions, please feel free to contact the
      infrastructure security team directly at infrasec@mozilla.com. If you
      are having issues resetting your account, please contact
      amo-admins@mozilla.org.

      We apologize for any inconvenience this has caused.

      Chris Lyon
      Director of Infrastructure Security

    3. Re:atleast by Golddess · · Score: 1

      How do you know you're one of the affected users? Did you download the file and find your email address?

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    4. Re:atleast by TheLink · · Score: 1

      How do you know you're one of the affected users? Did you download the file and find your email address?

      Could be too busy trying to find other people's passwords ;).

      --
    5. Re:atleast by doti · · Score: 1

      maybe not all users were affected

      --
      factor 966971: 966971
    6. Re:atleast by PitaBred · · Score: 1

      Are you sure you were affected? It wasn't all users of addons.mozilla.org, just a subset.

    7. Re:atleast by Anonymous Coward · · Score: 0

      Good thing I don't use *that* browser, because this kind of negligence with user data has never happened with MSIE, Opera, Safari, nor Chrome.

      And it is negligence, not just a simple mistake, because someone obviously didn't care enough about that file to make absolutely sure it was not uploaded, period.

    8. Re:atleast by vrmlguy · · Score: 1

      [...]The reason we are disclosing this event
      is because we have removed your existing password from the addons site
      and are asking you to reset it by going back to the addons site and
      clicking forgot password. We are also asking you to change your password
      on other sites in which you use the same password. Since we have
      effectively erased your password, you don't need to do anything if you
      do not want to use your account.[...]

      We apologize for any inconvenience this has caused.

      Chris Lyon
      Director of Infrastructure Security

      This has inconvenienced me.

      Over the years, I've used different password schemes; for a few years I used a few passwords of different tiers, then I switched to using passwords built from the domain name, and most recently I've used LastPass to start setting up unique cryptographically secure passwords everywhere. At least with the Gawker screwup, I could figure out which password I'd originally used with them and then check if there were other places that used the value.

      Since Mozilla doesn't seem to be making the compromised hashes available, I have no idea if I was using the same password as I did for other services, so I guess I'll need to change everything that isn't yet using a password generated by LastPass. I was migrating in that direction, but this has accelerated my schedule.

      (Yes, I know that LastPass imported all of my passwords from all of my web browsers. Unfortunately, I had a bunch of passwords that were lost a few years back when my laptop crashed and my Firefox profile wasn't being backed up.)

      --
      Nothing for 6-digit uids?
    9. Re:atleast by kiddygrinder · · Score: 1

      microsoft let about 40000 hotmail accounts with passwords out, is that close enough?

      --
      This is a joke. I am joking. Joke joke joke.
  2. Don't fret before reading TFA... by ferongr · · Score: 2, Informative

TFA says that it was the user database of the AMO (addons.mozilla.com) website, nothing to do with the Sync server.

    1. Re:Don't fret before reading TFA... by Tukz · · Score: 1

      Which is exactly what I gathered from the resume.
Since Mozilla mailed the users on addons.mozilla.org, I assumed it was the database with users from addons.mozilla.org that was compromised.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    2. Re:Don't fret before reading TFA... by cheater512 · · Score: 4, Informative

      Nope no exploit. They just accidentally made a backup publicly accessible.

      They went through the logs and no one actually downloaded it except the person who notified them of the problem.

    3. Re:Don't fret before reading TFA... by Anonymous Coward · · Score: 0

      No-one mentioned exploits before you... The database was compromised, even if by accident.

    4. Re:Don't fret before reading TFA... by Anonymous Coward · · Score: 0

      ... and how many people did that person send it to?
      Did that person keep it? Can that person be trusted? Has that person's computer been compromised?
      There is a risk of the dump being available even if only that one person downloaded it.

    5. Re:Don't fret before reading TFA... by Anonymous Coward · · Score: 4, Funny

      I just checked with the RIAA and they said that it is likely that thousands of people downloaded it from that person's machine.

    6. Re:Don't fret before reading TFA... by ehrichweiss · · Score: 2

      I wish I had mod points and that you weren't logged in as A/C because *that* my friend is CLASSIC!

      --
      0x09F911029D74E35BD84156C5635688C0
    7. Re:Don't fret before reading TFA... by tunghoy · · Score: 1

      LOL!

  3. Mozilla's public disclosure by Giorgio+Maone · · Score: 5, Informative

    http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
    Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
    1. Re:Mozilla's public disclosure by WillKemp · · Score: 1

      However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...

If they can remember what password they used and where else they might have used it... I got the email, but I'm buggered if I know what password I used for that account. Chances are it was a disposable one that I use for accounts I don't care about, but I couldn't say for sure.

    2. Re:Mozilla's public disclosure by Giorgio+Maone · · Score: 1

      If they can remember what password they used and where else they might have used it...

      If you use Firefox's password manager you can ask it (Tools|Options|Security|Saved Passwords|Show passwords) and even search among its entries, by site, username or password.

      Otherwise I'm afraid you will need to change them all :(

      --
      There's a browser safer than Firefox, it is Firefox, with NoScript
    3. Re:Mozilla's public disclosure by Yvanhoe · · Score: 1, Funny

      I always wondered what the implications of password reuse were...
      http://xkcd.com/792/
      Ok, maybe not that bad

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    4. Re:Mozilla's public disclosure by Rich0 · · Score: 5, Interesting

      if they have the bad habit of using the same password everywhere

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

      Passwords are false security - they are a way to CYA and blame the victim for causing the problem, while giving them no realistic solution. Sites that depend on their users choosing unique passwords for security are simply insecure, period.

    5. Re:Mozilla's public disclosure by noidentity · · Score: 1

      if they have the bad habit of using the same password everywhere...

      That's the problem. A server operator should ideally only have to manage access to his server. If he somehow leaks username-password pairs, then he should simply have to ensure that nobody gains unauthorized access to those accounts. Putting passwords used ELSEWHERE is just asking for trouble. For some reason I think about published interfaces to modules, and people using them in ways not documented, then having their code break when this undocumented behavior changes. Here the undocumented behavior is that your password won't get leaked. All the server operator should have to guarantee is that your ACCOUNT doesn't have unauthorized access. So even if your password is leaked, he can ensure that. But if you used your password for information that compromises accounts on other machines, you made the error. Just my thought on this matter.

    6. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      best xkcd ever!

    7. Re:Mozilla's public disclosure by Lincolnshire+Poacher · · Score: 1

      > I can't create and remember 100 distinct strong username/password combinations on all of those websites

      Apparently "computers" can be "programmed" to perform information retrieval operations.

      Perhaps some "software" such as PasswordSafe or MyPasswordsafe could be used for password creation, secure storage and on-demand retrieval.

    8. Re:Mozilla's public disclosure by MobyDisk · · Score: 1

      I can't create and remember 100 distinct strong username/password combinations on all of those websites

      You don't have to if you use a hash. Ex: My slashdot password = my base password + an easily computable hash of the word "slashdot." You know ASCII? Take the ASCII values for the first and last vowels of the site and sum them together. Something like that. Do the same for every site, then write down the user name + the word you used to hash it. (It is usually easy to guess, but with some sites you have to make rules like remove the spaces and punctuation or ignore the numbers)

    9. Re:Mozilla's public disclosure by MosX · · Score: 1

      Why don't you just incorporate the first couple of letters of the site used into the password?

    10. Re:Mozilla's public disclosure by mgoff · · Score: 1

      What alternative do you propose?

      LastPass

    11. Re:Mozilla's public disclosure by tukang · · Score: 1

      why don't you md5 some of your guesses to see if the hash matches? this assumes they didn't salt the md5 hashes

    12. Re:Mozilla's public disclosure by Rich0 · · Score: 2

      That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

      It isn't like I only access the web from one terminal...

    13. Re:Mozilla's public disclosure by Xtense · · Score: 1

      If you don't trust automated password keeper software and don't want to clutter your brain too much, just tier your passwords. Seriously. Have a set of five, maybe six levels of passwords with different levels of length and complexity. Lev1 on throwaway accounts you won't miss, Lev2 for accounts you don't use often but return once in a while, Lev3 for untrusted websites you need to use regularly, Lev4 for trusted sites containing no specific data, Lev5 for trusted domains with your private information, Lev6 for the holy-fucking-shit-if-this-were-ever-hacked-i'd-lose-everything-and-kill-myself places. Obviously, it goes without saying that you shouldn't ever write these down anywhere - and I mean everywhere.

      This is a pretty good compromise between different passwords on every site and using just one everywhere. It's not a security measure good enough for the 3l33t and/or paranoid, but it should be enough for the average internet-enabled Joe.

      Bonus points if you change your passwords once in a while.

      --
      "We are the music makers, and we are the dreamers of dreams [...]."
    14. Re:Mozilla's public disclosure by Rich0 · · Score: 2

      What would be the point?

      Suppose the gizmodo password hashes are leaked, and somebody figures out that my username is rich0 and my password is gizmodo875.

      Does it do me any good that my slashdot password is slashdot875?

      This is why password aging is useless - if somebody finds the password of useless12 no longer works on a site that enforces aging they just have to log in using useless13 and that will work for 99% of accounts.

    15. Re:Mozilla's public disclosure by gbjbaanb · · Score: 2

      That's great, and how do you propose keeping all those passwords secure and synchronized across multiple devices and operating systems, some of which I'm not permitted to install software on?

      postit notes of course!

Ok, I use Keepass which is brilliant, and will work on your phone too, so you have no excuse to have a DB of passwords (randomly generated by Keepass itself if necessary). The db and app are tiny and will happily install onto other systems (by copying the keepass binary and the db file) so you only need to find a way to keep your db file updated... personally, I use a usb drive as my passwords don't change that often. If I have to copy it onto a computer that doesn't allow usb... I zip and email it to myself instead.

It's not an insurmountable problem, and the relatively minor inconvenience of being organised with 1 file is a lot less hassle than updating a hundred sites that you used a single compromised password on.

      Xmarks is still kicking though, that lets you store passwords and you can encrypt them, not that I use it for passwords.

    16. Re:Mozilla's public disclosure by Xtense · · Score: 1

      > Obviously, it goes without saying that you shouldn't ever write these down anywhere - and I mean everywhere.

      And this, dear Slashdotters, is why you should drink coffee before posting. Or just think before posting. ;]

      --
      "We are the music makers, and we are the dreamers of dreams [...]."
    17. Re:Mozilla's public disclosure by multipartmixed · · Score: 2

      > Bonus points if you change your passwords once in a while.

      I change my "Lev6" passwords now and again, and those are the only ones I write down -- because they DON'T have password recovery mechanisms.

      I write them down in my phone, which I keep on me at all times, and a trusted friend knows how to retrieve them in case I get killed.

      The reason I change them now and again is because I occasionally lose my phone... :/

      --

      Do daemons dream of electric sleep()?
    18. Re:Mozilla's public disclosure by JeffAMcGee · · Score: 1

      One technique is to use a password that is a function of the website domain name. For example, all of your passwords could be the number of characters in the second level of the domain, a random string, and the first letter of the domain. For slashdot, the password would be "8RANDOMs". This won't protect against a person who knows your password, but it will stop a script that knows 44,000 username/password pairs and blindly submits them to websites.

      --
      This sig cannot be proven true.
    19. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      How do I use that on a work computer that I do not have admin rights to, and on which I'm forbidden by policy to install software on?

      Also - the website is hazy on how it manages synchronization - I'd prefer not to have to give some random service provider cleartext passwords to all of my accounts.

      Sure, password vault programs are a band-aid to a fundamental problem, but they are not a good solution.

    20. Re:Mozilla's public disclosure by brusk · · Score: 1

      Lastpass.

      --
      .sig withheld by request
    21. Re:Mozilla's public disclosure by Rich0 · · Score: 3, Insightful

      I think you're stretching "easily computable" - when I want to log into a website I don't want to spend 10 minutes with a calculator and an ascii table, or require access to the md5sum application.

      Plus, this only works if it remains an uncommon way of generating passwords. If it becomes commonplace, then if a hacker can run through a bazillion md5 sums do you think that it will take them long to include variants of site names represented as ascii in their attacks? Once they figure out your algorithm through brute-force then it can be trivially applied to any other sites you have accounts on.

    22. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      Using KeePass

    23. Re:Mozilla's public disclosure by xenapan · · Score: 0

      If you FINISHED reading the article...you would know
      a) only Mozilla staff and the ONE 3rd party person who informed them ever downloaded the file
      b) it was a PARTIAL representation. All accounts were inactive
      c) all the passwords were wiped and the file pulled.

      this is non-news really.
      1) The only 3rd party download informed mozilla so they obviously have no malicious intent.
      2) unused accounts.
3) no way to use those passwords since they were wiped... the one person who downloaded the passwords COULD try and login to other sites with the same email and combo and that's about it. (see 1)

      --
      insert funny sig here
    24. Re:Mozilla's public disclosure by ghyspran · · Score: 1

      Everything I've read by someone who seems to know what he's doing says that writing down passwords is a good idea for most people, and I tend to agree. Writing down passwords and keeping them safe, say in your wallet, gives you a backup in case you forget and lets you be less afraid to pick a long, tough password for fear of forgetting.

    25. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

      Actually, I have a unique password for each site I visit, and I'm far from a savant of any kind. It's quite easy and simple really. Instead of memorising 100 different passwords, memorise one single method of generating a password. I use the URL and other info as input into a single algorithm that generates a unique password for each site. In practice, it takes me around 30 seconds to work through it in my head and come up with my password. On sites that I use frequently, the proper password becomes second nature very quickly, so I don't actually have to work through the algorithm any more. You'd be surprised how many passwords you actually can end up remembering this way.

    26. Re:Mozilla's public disclosure by Xtense · · Score: 1

It's just me then probably ;) . I'd rather trust my memory jello than a scrap of paper or an electronic device to keep my most important information both accessible to me and private. Sometimes there are situations where you must leave your phone or wallet somewhere and I'd rather part with them and their contents than my most secure passwords. Of course, given a drug-and-five-dollar-wrench situation, I'm screwed either way, but up until now, I could always remember every one of my passes - and some of them are very long and very random. If I change a high-security password, I perform a series of test logins from a secure and trusted terminal until I can log in correctly ten times in succession without any delays on my part. I've been doing this for up to six years now, so I suppose it comes with practice, but it makes some pretty big assumptions on the security of the password. This method, for instance, surely wouldn't work in an office high-security environment, where passwords are changed pretty often.

      --
      "We are the music makers, and we are the dreamers of dreams [...]."
    27. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      Use OpenID on non-essential accounts. You will then only need passwords for a handful of accounts. Insist that web sites use OpenID if they already do not.

    28. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      How do I use that on a work computer that I do not have admin rights to, and on which I'm forbidden by policy to install software on?

      Stop being lazy and research it on their site. They have bookmarklets that will log you into any of your sites automatically by filling out the forms for you. All you have to do is log into their site, once.

      Also - the website is hazy on how it manages synchronization - I'd prefer not to have to give some random service provider cleartext passwords to all of my accounts.

      Again, stop being lazy and read their site. Your passwords are encrypted (using your master password) and only that encrypted data is ever sent out of your computer.

    29. Re:Mozilla's public disclosure by Artsemis · · Score: 1

      LastPass is great.

    30. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      Looked into it - doesn't seem like it supports android unless you pay for it. Keepass seems to be another popular option, but that doesn't support Chrome OS.

      It seems like these are all bandaids - SSL or something like that is probably a better option, with the key being kept in a smartcard. We just need to have the browser standards updated so that future browsers refuse non-SSL connections in the future so that everybody gets on-board. I don't see that happening anytime soon, but that is what it would probably take to have security. If security isn't built into the standard then it will never really get proper attention.

    31. Re:Mozilla's public disclosure by wastedlife · · Score: 1

      Depending on your usage/network availability I would recommend either LastPass or a combination of KeePass and a file-syncing solution like dropbox.

      If anywhere you would need your passwords you have internet access, LastPass is completely web-based and has good phone integration with mobile versions of the site and apps.

      If you may need to access your passwords with no internet access available or do not trust a third-party with your passwords, I would recommend KeePass and a file-syncing solution. It uses an encrypted database file and a lightweight piece of software to access this file. It is cross-platform (including mobile) and has portable versions for when you are working from a thumbdrive on a computer you do not own.

      I support network equipment for a living, so I need to be able to access the passwords for those devices even if I do not have network access. Thus, I use KeePass and DropBox to sync it with my computers and android phone.

      --
      Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
    32. Re:Mozilla's public disclosure by OverlordQ · · Score: 1

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites.

      Use one password. But from that password generate one-per site based on the domain name. All you have to remember is one password, the rest can be generated on demand. here you go.

      --
      Your hair look like poop, Bob! - Wanker.
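The per-site derivation JeffAMcGee and OverlordQ describe, built so that it does not have the weakness Rich0 points out (a leaked "gizmodo875" revealing "slashdot875"): each site's password is an HMAC of a single master secret over the site's second-level domain label. This is an added Python example, not code from the page or from any add-on; the output length, base64 alphabet and the lack of public-suffix handling are my assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Normalise a URL or bare host to the second-level label, so that
    'https://www.slashdot.org/story' and 'slashdot.org' both give 'slashdot'.
    Assumption: no public-suffix list, so 'example.co.uk' would yield 'co'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return labels[-2]


def _meets_policy(candidate: str) -> bool:
    """Common site policy: at least one upper, one lower and one digit."""
    return (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate))


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """HMAC-SHA256(master, domain || counter), base64-encoded and truncated.
    Unlike 'slashdot875', knowing one site's output gives no information
    about another site's output or about the master secret. The counter is
    bumped only until the result satisfies the character policy, so the
    derivation stays deterministic for a given master and domain."""
    key = site_key(url).encode("utf-8")
    counter = 0
    while True:
        msg = key + b"\x00" + str(counter).encode("ascii")
        digest = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
        candidate = base64.b64encode(digest).decode("ascii").rstrip("=")[:length]
        if _meets_policy(candidate):
            return candidate
        counter += 1


if __name__ == "__main__":
    # Constructed master secret; never reuse a real one in a demo.
    for site in ("https://slashdot.org", "http://www.slashdot.org/", "https://gizmodo.com"):
        print(site, "->", derive_site_password("demo master secret", site))
```

Note that a leaked master secret still compromises every site at once, and the domain key must be exactly reproducible (the same label for every alias of a site), which is why the normalisation step exists.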
    33. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      Looked into it - doesn't seem like it supports android unless you pay for it.

      It's $1 per month, I don't think that is a huge cost for awesome software.

    34. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      Looked into it, seems pretty good. The only issue is that I have to pay $12/yr to use it from all the platforms I use, which is about $12/yr too much. The other option I see is Keepass, which is open source, but it doesn't seem to support Chrome OS.

      These are really all just band-aid solutions to the real problem. The real problem is that HTML does not mandate any strong authentication mechanism, so everybody just picks the path of least resistance, which is a password.

    35. Re:Mozilla's public disclosure by Archangel+Michael · · Score: 1

      If you can't, then you're not thinking right.

      All you need is an algorithm to generate usernames and passwords based on website name. Perhaps something like ...

      mynameslashdot/slashdot1234abcd. ... that way, each site gets its own login ID and Password, but is EASILY remembered. Now of course that is a simplified example, yours should be more meaningful and unique, but just as easy for YOU to remember. That is something that a computer wouldn't be able to easily regress to a generic algorithm and then exploit.

      The problem is that nobody is teaching people that it is possible, only that it is hard (or impossible) as you have done.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    36. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one.

      Two things immediately come to mind.

      * First, if a website asks you to create an account, consider whether you really need it. You may not actually need accounts on hundreds of different sites.
* Second, use a program like Password Safe to organize your passwords. It can even generate random passwords for you in accordance with various policies (goodbye dictionary attacks).

Of course it would also be nice if we didn't need passwords, but I fail to see how that can be made to work while retaining anonymity/pseudonymity. There are solutions like OpenID, but if I create an account on my "home site" (say, Slashdot) and then use it to log in to a hundred other sites, all these other sites will be connected not just to my Slashdot account but also to each other. It may not be such a big deal if you're already using a unique username that pretty much identifies you, but not everyone does, and even if you do, it a) removes all doubt and b) actively pushes the info out to all those sites, rather than simply putting it within the reach of a google search (which they'd still have to do themselves).

      OpenID also has the problem that everyone wants to be a provider, but not a consumer. "Other people can use their identity from my site and use it elsewhere on the net? Great, I get more exposure! People from other sites start appearing on my site and plastering my competitors' names all over it? Not cool." That's how management thinks, at least.

      Anyhow, passwords may not be ideal, but what alternative is there?

    37. Re:Mozilla's public disclosure by Artsemis · · Score: 1

      It's well worth the $1/month. My login info is synchronized among not only all of my browsers but also all of my devices... the password generator built into it is very nice -- you give it the criteria (10 characters, numbers, letters, symbols) and it'll generate your password and fill in the form you're filling out, as well as save it. I agree with you that things *should* be better but they are not and I haven't seen a better "band-aid" than LastPass. If you're interested in a more thorough review and tech users' thoughts, search LifeHacker for articles on it... there's been quite a few lately.

    38. Re:Mozilla's public disclosure by MobyDisk · · Score: 1

      I think you're stretching "easily computable" - when I want to log into a website I don't want to spend 10 minutes with a calculator and an ascii table, or require access to the md5sum application.

      Then do whatever you are comfortable with in your head. I just gave an example.

      Once they figure out your algorithm through brute-force then it can be trivially applied to any other sites you have accounts on.

      Yes, that is a valid limitation. But it is not a reason to avoid using the algorithm. Most hackers aren't interested in determining your personal password trick, that takes too much time. They want to grab that Bugzilla password and try it on your bank accounts. When it doesn't work, they will move on to the next person.

      The point is, this trick is not perfect security. But it is an enormous improvement over using the same password over and over.

    39. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

passwords are encrypted on the host computer and the encrypted store is synched. if you can't install software, you can access your latest synch store through their web interface using your key, and they have bookmarklets for easy access/auto-fill. they also support two-factor auth with a pre-printed unique table or a physical device like a Yubikey.

      most of their client tech is open source (or at the very least, source viewable) if you want to dig into it.

    40. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      the web interface and bookmarklets are free, and honestly often better - especially on the iPhone, where lastpass struggles against the jailed nature of apps.

    41. Re:Mozilla's public disclosure by godel_56 · · Score: 1

      How do I use that on a work computer that I do not have admin rights to, and on which I'm forbidden by policy to install software on?

      Keepass Portable does not require installation. Also the PasswordMaker add-on for Firefox has a compatible portable desktop version (Windows).

    42. Re:Mozilla's public disclosure by xlotlu · · Score: 1

      What alternative do you propose?

      Password Hasher: https://addons.mozilla.org/en-US/firefox/addon/3282/
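
      The "per-site algorithm" idea argued over above, and what tools like Password Hasher automate, amounts to deriving each site's password from a master secret plus the site name. The following is an added example written for this page, not Password Hasher's own code or scheme; the master phrase, site labels and wordlist are constructed. It uses HMAC-SHA256 so that one leaked site password reveals nothing about the others, and it also shows the objection raised above (once the algorithm is known, the attacker only has to guess the master) by recovering a weak master from a single leaked derived password.

```python
import hashlib
import hmac
import string
from typing import Iterable, Optional

ALPHABET = string.ascii_letters + string.digits


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from a master secret and a canonicalised site label.

    HMAC-SHA256 keyed with the master secret: a leaked site password reveals
    neither the master nor the password for any other site, as long as the
    master itself cannot be guessed (see recover_master below).
    """
    if not 1 <= length <= 40:
        # 256 bits of digest map onto roughly 43 alphabet symbols; stop well short of that
        raise ValueError("length must be between 1 and 40")
    label = site.strip().lower().encode("utf-8")      # "Example.com " and "example.com" agree
    digest = hmac.new(master.encode("utf-8"), label, hashlib.sha256).digest()
    number = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        number, idx = divmod(number, len(ALPHABET))   # base-62 digits of the digest, no modulo bias
        out.append(ALPHABET[idx])
    return "".join(out)


def recover_master(leaked_site_password: str, site: str,
                   guesses: Iterable[str]) -> Optional[str]:
    """Attacker side of the 'once they figure out your algorithm' objection.

    Given one leaked derived password and knowledge of the scheme, the attacker
    only needs to guess the master. HMAC-SHA256 is fast, so a master taken from
    a wordlist falls immediately; only a high-entropy master survives this.
    """
    length = len(leaked_site_password)
    for guess in guesses:
        if site_password(guess, site, length) == leaked_site_password:
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed example master
    for site in ("addons.mozilla.org", "bugzilla.mozilla.org", "example.com"):
        print(site, site_password(master, site))
    # A dictionary-word master is recovered from a single leaked site password:
    print(recover_master(site_password("letmein", "example.com"), "example.com",
                         ["password", "123456", "letmein"]))
```

      The derivation is deliberately fast, which is exactly why the master has to be long: the attacker's cost per guess is one HMAC, not one login attempt against a rate-limited site.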

    43. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      HTML should not be dictating authentication schemes. you have no idea what you're talking about.

    44. Re:Mozilla's public disclosure by StikyPad · · Score: 1

      Yes and no. If it's a targeted attack against your specific account, then it makes sense to run through a set of likely possibilities (increment/decrement the digits in the password), but if the attacker just wants to access accounts en masse, such as to send Twitter spam, then they likely won't bother if the login doesn't work on the first attempt.

    45. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      Well, the spammer is going to go for path of least resistance - he needs accounts and 500 is as good as 800 most likely.

      However, if by some miracle the advocates of stronger passwords get everybody to rotate passwords with numbers at the end, 5 lines of python on the attack scripts will be sure to try incrementing numbers at the end of each password when they get a failure.
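
      The "5 lines of python" Rich0 mentions look roughly like this. This is an added example, not code from the original post: it takes a leaked password and yields the rotations an attacker would try next, keeping zero padding ("pass09" becomes "pass10" and "pass08") and falling back to appending a digit when there is no trailing number at all. All sample passwords are constructed.

```python
import re
from typing import Iterator, List

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def rotated_variants(password: str, steps: int = 3) -> Iterator[str]:
    """Yield the 'rotated' forms of a leaked password an attacker would try next.

    Trailing digits are incremented and decremented by up to `steps`, keeping
    any zero padding. A password with no trailing digits gets the usual single
    appended digit instead.
    """
    match = _TRAILING_DIGITS.match(password)
    if match is None:
        for digit in range(10):
            yield f"{password}{digit}"
        return
    stem, digits = match.groups()
    width = len(digits)
    number = int(digits)
    for delta in range(1, steps + 1):
        for candidate in (number + delta, number - delta):
            if candidate < 0:            # "pass0" has no "-1" neighbour
                continue
            yield f"{stem}{candidate:0{width}d}"


def attack_order(leaked_password: str, steps: int = 3) -> List[str]:
    """Leaked value first (the cheapest guess), then rotations, duplicates removed."""
    ordered = [leaked_password]
    for variant in rotated_variants(leaked_password, steps):
        if variant not in ordered:
            ordered.append(variant)
    return ordered


if __name__ == "__main__":
    for leaked in ("mozilla09", "summer2010", "hunter2", "firefox"):
        print(leaked, "->", attack_order(leaked, steps=2))
```

      The defensive reading is the same as the thread's: rotating a suffix only helps against an attacker who stops at the first failed login, and a leaked hash of "mozilla09" makes "mozilla10" the very next guess.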

    46. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      Add Bookmarklet to favourites.

      Data is encrypted by Javascript BEFORE leaving your machine: it is impossible for LP staff to know your master password or your data stored with the system

      Nothing happens over HTTP, it's all HTTPS, and one time pads etc can also be used.

    47. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      KeePassX

    48. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      What do you expect? It's Chrome OS that isn't a real platform, so it's not anybody's fault but Google's that Google doesn't support a local place to store anything, so they don't support these solutions. That means Chrome OS shouldn't be stopping you from using it; KeePass and LastPass etc. should be stopping you from using Chrome OS. If you really think it is secure, you need to understand security better. Chrome OS and the firmware aren't even open source, despite Google claiming Chrome OS is `fully open source`. Yeah there's Chromium OS, but they don't give you the firmware, or make stuff like Flash easy to install like in the Ubuntu install - one click and it does everything like the mp3 codec and Flash - plus Google adds a bunch of extra stuff (like the logo but more) so no one can recompile the code and check against the already compiled software to detect whether Google added anything else.

      HTML is a markup language. The idea that HTML - just because it's a fundamental technology - must be a collection of components like HTML5 is, is as ridiculous as an online-only OS. But yes, an open standard for video is better being built into the browser.

      Andy Rubin, Google Android Chief, 2010 - "The world doesn't need another platform."

    49. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      I could really use one of those "programmed computers" you speak of, where might I acquire one if you don't mind me asking?

    50. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      My understanding is that HTML5 supports local storage. Chrome OS also supports local storage, and of course there is dropbox/etc.

      Lastpass actually supports Chrome OS just fine. The problem is that it doesn't support Android unless you pay for it. Keepass supports Android, but doesn't support Chrome OS.

      Relax - just because an OS doesn't run your favorite piece of software or whatever doesn't mean that it is useless. I've found that I'm able to do 95%+ of everything productive I do on a PC from Chrome OS already, and I understand that they're working on an NX/Citrix-like solution for some of the niche apps that don't fit.

      In any case, a secure standard for authentication sounds like exactly what the web needs - whether it be dictated by HTML6, or HTTP, or whatever. SSL is already 80% of the way there - we just need to make it universal and support more secure key-storage such as in smartcards that are user-controlled, not issuer-controlled.

      I'm sure that when Andy came out with yet another platform (Android) that others were saying the same thing... :) Whatever...

    51. Re:Mozilla's public disclosure by tepples · · Score: 1

      We just need to have the browser standards updated so that future browsers refuse non-SSL connections in the future so that everybody gets on-board.

      Such a future is far off. Obligate use of HTTPS won't happen until either A. all cable, DSL, satellite, and mobile ISPs offer IPv6 service, or B. people stop using Windows XP and other non-SNI-supporting SSL stacks. All the free StartCom SSL certificates in the world won't help if you don't have a dedicated IP address to know which certificate to send to the client who has connected to your web server:443 and wants to see a cert before providing the HTTP/1.1 Host: header.
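
      The mechanism tepples is describing is the server_name extension (SNI, RFC 6066): the client names the host inside the ClientHello, so a server holding several certificates on one IP address can choose the right one before the HTTP Host: header exists. The block below is an added example, not code from the original post or from any TLS library: it constructs a minimal TLS 1.2 ClientHello (with or without SNI), parses the server_name extension back out of it, and shows the fallback a shared-IP server is stuck with when a pre-SNI client sends no name. The hostnames and certificate file names are constructed.

```python
import struct
from typing import Dict, Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    With hostname=None the extensions block is empty, which is what a
    client without SNI support sends.
    """
    body = b"\x03\x03" + bytes(32)              # client_version 1.2, 32 zero bytes of "random"
    body += b"\x00"                             # session_id: empty
    body += b"\x00\x02" + b"\x00\x2f"           # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                         # compression_methods: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name(0)
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (record_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + record_len]
    if len(handshake) != record_len or handshake[:1] != b"\x01":
        raise ValueError("not a complete ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + suites_len                          # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                     # only server_name interests us here
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
    return None


def pick_certificate(record: bytes, certs_by_name: Dict[str, str], default: str) -> str:
    """What a shared-IP virtual host decides before sending its Certificate message."""
    name = extract_sni(record)
    if name is None:
        return default      # no name from the client: only the IP's default cert can be sent
    return certs_by_name.get(name.lower(), default)


if __name__ == "__main__":
    certs = {"addons.mozilla.org": "amo.pem", "example.org": "example.pem"}   # constructed
    print(pick_certificate(build_client_hello("example.org"), certs, "default.pem"))
    print(pick_certificate(build_client_hello(None), certs, "default.pem"))
```

      The second call is the failure mode behind the "dedicated IP" requirement: a client that sends no server_name gets whatever certificate is bound to the address, and a name mismatch warning if that is the wrong one.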

    52. Re:Mozilla's public disclosure by tepples · · Score: 1

      Keepass Portable does not require installation.

      "Portable applications", or applications installed to removable media, don't work if Windows Group Policy has been configured not to allow executing code from removable media or from the home direc^W^W user profile.

    53. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      Why does strong authentication require every client to have a static IP/etc?

      I can implement a webapp today that uses client-side SSL certificates for authentication just fine, without the client having a static IP/etc. The only thing that is missing is getting the private key off of the PC and onto a smart card/etc.

      There is no reason that such a standard needs to be implemented in a poor way.

    54. Re:Mozilla's public disclosure by Anonymous Coward · · Score: 0

      Mozilla included the email address of their infrastructure security team, saying feel free to contact them.
      So I asked them to send me my information, so that I'd have some blessed idea of where to start changing passwords.
      Have I heard back? Nothing yet...

    55. Re:Mozilla's public disclosure by jrumney · · Score: 1

      $700 for a simple utility to remember passwords? And that assumes the price stays constant.

    56. Re:Mozilla's public disclosure by icebraining · · Score: 1

      We just need to have the browser standards updated so that future browsers refuse non-SSL connections in the future so that everybody gets on-board.

      Why exactly do I need HTTPS to connect to any random website where I don't log on to? Why would I need to lose proxy level caching, add overhead (both in CPU and traffic), forcing small websites to pay for certificates, etc?

    57. Re:Mozilla's public disclosure by icebraining · · Score: 1

      HTML is a document markup language, why would it mandate authentication at all?

      Facebook Connect / OpenID / OAuth are the best bet right now. If you want, you can authenticate to your provider using private key auth, and then your provider authenticates you to the website without it having to support PKs or you having to upload your public key everywhere.

    58. Re:Mozilla's public disclosure by Rich0 · · Score: 1

      Yup, I'm a fan of OpenID, actually. If only more sites actually supported it...

  4. Kudos to Mozilla by duvel · · Score: 5, Interesting

    This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
      - Communicate early (even if you don't have all the facts yet)
      - Communicate honestly (even if you're to blame)
      - Promise follow-up (as needed)
    Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

    --

    I have a photographic memory for numbers. I know almost a hundred of them.

    1. Re:Kudos to Mozilla by partyguerrilla · · Score: 2

      I disagree, mistakes like this should not happen at all.

    2. Re:Kudos to Mozilla by McDee · · Score: 1

      No, the basic rules are:
            - Don't post sensitive user data on public sites

      The rest is damage limitation.

    3. Re:Kudos to Mozilla by kestasjk · · Score: 3, Funny

      Here at slashdot we try to be supportive when tech companies make mistakes; we never kick people when they're down or make fun.

      Mozilla may not be our favorite tech company and we may not agree with their software development methodology; but damn it we're not going to treat them any differently, and will give them our support just like we would any down-on-their-luck company which made a silly one-off mistake!

      --
      // MD_Update(&m,buf,j);
    4. Re:Kudos to Mozilla by higuita · · Score: 4, Insightful

      it should not happen, but we are all humans (i think!!) and people make mistakes (and scripts/robots break and fail by the way)

      all of us that administer servers have done some mistake in the past and probably will make more in the future. We can try to put enough road blocks to reduce the severity of the mistake, but they happen.

      so as "sh*t happens", the openness and honesty of mozilla is to praise, most closed-source companies would try to hide and ignore things like this.

      --
      Higuita
    5. Re:Kudos to Mozilla by cbope · · Score: 1, Insightful

      So, are you proposing that the offenders be drawn and quartered? Where are the torches and pitchforks?

      I mean come on, we are human after all and humans make mistakes. They have owned up to this mistake and you seem to want to make an example of them.

      But then, I suppose *you* have never made any mistakes. It must be great to live in a world that is so black & white.

    6. Re:Kudos to Mozilla by jamesh · · Score: 1

      The rest is damage limitation.

      Or, as the OP said, crisis communication.

    7. Re:Kudos to Mozilla by Opportunist · · Score: 5, Insightful

      No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

      The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

      But is that the right way to deal with a problem that can potentially affect your customers?

      I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

      Outside the security concerned tech community, nobody even notices.

      So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Kudos to Mozilla by jamesh · · Score: 2

      I disagree, mistakes like this should not happen at all.

      That's a given, but mistakes will happen, and did happen, and they did the right thing in response. Once the crisis is over I'm sure they'll look at what went wrong and how to stop it happening in the future, so stepping up onto a soapbox and saying "this should not happen" doesn't actually help. I think they already know that, and your attitude makes it _worse_ because potential hostility from people who don't understand this stuff might make companies think twice about reporting, and then we all lose.

      The only thing worse than making a mistake is making a mistake and then making another mistake by not handling the crisis correctly. I'd rather know before the bad guys (or as soon as possible after) that my password was leaked in a relatively insecure form vs only finding out when the company is forced into admitting it. And in fact this leak appears to be relatively benign unless you use the same password in multiple places or are dumb enough to be under the illusion that your email address and full name isn't already in someone's inbox or address book somewhere for malware to find.

    9. Re:Kudos to Mozilla by Urkki · · Score: 1

      I disagree, mistakes like this should not happen at all.

      If you believe there are companies who haven't and/or will not make mistakes as bad as this, you're naive.

      So, when it's a given that mistakes like this happen, basically to every large organization, every once in a while, do you rather trust an organization that communicates about it, and you can be reasonably certain you know their screw up rate, or the one who tries to hide the mistake, and you don't know how many mistakes they've managed to hide already?

    10. Re:Kudos to Mozilla by LordBullGod · · Score: 0

      This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are: - Communicate early (even if you don't have all the facts yet) - Communicate honestly (even if you're to blame) - Promise follow-up (as needed) Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

      Are you frekin serious? Mozilla posts some user data, says sorry, and it is ok? Fanboyz have no limits.... If this was MS that posted user data, you would want them to burn like in the Salem witch trials. Gezzch....amazing

    11. Re:Kudos to Mozilla by wisnoskij · · Score: 1

      It is nice to hear them being honest, it is so annoying how most companies do not do this.

      I know of many examples from friends, family, and myself where we have irrefutable proof that a company has screwed up and what do we get every time? Either the company does not respond or they say nothing is wrong.

      I wonder if some study has been done and it is actually better for companies to deny fault even when they know they are wrong.

      --
      Troll is not a replacement for I disagree.
    12. Re:Kudos to Mozilla by DJRumpy · · Score: 1

      Aren't they required by law to disclose any breach of private information, at least in the US? I don't know that this is as altruistic as it sounds.

    13. Re:Kudos to Mozilla by mwvdlee · · Score: 2

      Wow, why didn't we all just think of that?
      All we need to do is be perfect; it's so simple!

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    14. Re:Kudos to Mozilla by MosX · · Score: 1

      They didn't just say sorry. They informed users and tried to fix the problem. That's more than a lot of companies would bother doing in this case.

    15. Re:Kudos to Mozilla by partyguerrilla · · Score: 1

      I can't help but wonder if you people would be so forgiving and even apologetic if there was any sensitive information, like billing data, exposed by this mistake. I still don't see how they handled it well, or how they could have possibly handled it worse after the incident.

    16. Re:Kudos to Mozilla by yoshi_mon · · Score: 1

      If this was MS that posted user data...

      You clearly miss the point. If this was MS they would be in full spin mode to a) deny that they did anything, it had to be someone else's fault, b) that what happened was not bad anyway, and c) some 3rd totally irrelevant, yet made out to be A REALLY BIG DEAL, point designed to distract people away from the real issue.

      However I seriously doubt, given what I can tell from your post here, that you will ever really 'get it'.

      --

      Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
    17. Re:Kudos to Mozilla by mcgrew · · Score: 1

      If MS had posted user data you'd never have heard about it, which is why Mozilla is being praised.

  5. Good thing I used the same password on Gawker by Anonymous Coward · · Score: 0

    I mean, why make it difficult for identity thieves?

  6. Leaks by f.ardelian · · Score: 0

    Oh Boy, Julian really did it this time!

    --
    I'm being Insightful or I'm trying to be funny. Seriously, no trolling! Maybe!
  7. They handled it well by Mouldy · · Score: 1

    But that doesn't excuse the fact they messed up in the first place. What mozilla have done is plain careless. I know, 'accidents happen' - but I'd rather they didn't and I don't trust companies not to keep making mistakes with user data.

    1. Re:They handled it well by Opportunist · · Score: 3, Insightful

      Consider the consequences if it doesn't "excuse" it.

      Essentially, a company making a mistake has two choices: Hush it up or come forward. Now, obviously the latter does not have any immediate benefit for them. It becomes known that they fucked up. Not good.

      Trying to cover it up has the nice effect that maybe nobody notices. And in this case, the chance of this happening was actually pretty high.

      If the net effect is the same, whether they cover it up or admit it, the choice is obvious. If I get accused of a crime and whether I plead not guilty (and hence force a lot of witnesses to testify and clog down the legal system) or guilty (and spare the witnesses to face me again, as well as running the whole process with far less waste of resources) has no effect on the verdict, nobody will plead guilty and confess anymore. Why should they? There's nothing to gain with it, is there?

      If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore. And that can cause quite a bit more harm if that info gets into the wrong hands and hence your passwords get known by people who might abuse them, all because a company decided to play possum and you not knowing that your credentials have been compromised.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:They handled it well by Anonymous Coward · · Score: 0

      If you condemn a company making a mistake no matter whether they admit it or try to hide it, nobody will admit it anymore.

      And if you completely exonerate a company that admits a mistake, nobody will bother with preventative measures.

      Ideally, they still deserve some condemnation but not as harshly as if they had covered it up.

    3. Re:They handled it well by Opportunist · · Score: 1

      Those that are security conscious will certainly react. Those that are not would not even react if a company got caught trying to hush it up.

      I'd say that they will get their reaction, whether you "punish" them or not.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. One more illustration by Anonymous Coward · · Score: 0

    why you shouldn't give anyone personally identifiable data in the first place. Because personally sensitive data is like the genie in the bottle: Once it's out, there's no putting it back. No, I don't know what "anonymous registrations" would look like. Let's find out.

  9. AGAIN? by bemymonkey · · Score: 1

    Seems like just yesterday I was deleting my Gizmodo account...

  10. fake names and password vaults by Inigo+Montoya · · Score: 1

    One more reason to (a) use fake names everywhere except your bank accounts and, (b) use a password safe application like KeePassX or LastPass to save unique passwords for every site you visit.
    This will minimize your exposure when something like this happens again at another site.

    1. Re:fake names and password vaults by koxkoxkox · · Score: 1

      But, but, you mean you are not Inigo Montoya ? At least someone did kill your father, right ?

  11. What's next? by Demonoid-Penguin · · Score: 1

    I applaud the timely and transparent response - and I admit I'm heavily biased in favour of (F)OSS.

    I've looked (quickly) but been unable to find details on how this was able to occur - do any Slashdot readers know? Could you post or point to the information please.

    This is all I could find out:-

    We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

    Also - what, if any, steps are being taken to prevent it happening again?

    1. Re:What's next? by Opportunist · · Score: 1

      I can see a few ways how this could happen. E.g. run the wrong copy batch, the "public" one instead of the "private" one. Maybe a careless drag and drop copying process (your finger never slipped from the mouse button?). There's so many ways to have a file end up where it should not be...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:What's next? by Demonoid-Penguin · · Score: 1

      I can see a few ways how this could happen. E.g. run the wrong copy batch, the "public" one instead of the "private" one. Maybe a careless drag and drop copying process (your finger never slipped from the mouse button?). There's so many ways to have a file end up where it should not be...

      I sincerely hope that's not the scenario. Though it sometimes seems like a disturbingly common practice to have a system (or lack thereof) in place that makes that possible. I guess I'll have to dig through the mailing lists to answer my own question. (not that I don't trust Mozilla, just curious)

  12. So... by FunPika · · Score: 1

    Are any of these users Massachusetts residents. :)

    --
    After years of not using a signature, I am going to make one to say the following: Fuck Beta
  13. Government-Issued ID Needed by Anonymous Coward · · Score: 0

    This is another example of why we need the government (at least here in the U.S.) to provide a single (biometric, if possible) ID and GUID for each user of the internet.

    Problems like this one (and Gizmodo's) would simply disappear. You'd never need to memorize a password again, or worry about it getting lost in the wild and causing all kinds of havoc.

    As an added benefit, it would eliminate "internet anonymity" so the Internet would become a much safer place. It's obvious we'd be much better off, even identity theft would vanish.

    We already have the foolproof technology in place, so why is everyone avoiding it?

    1. Re:Government-Issued ID Needed by joebagodonuts · · Score: 1

      No, it isn't

      --
      "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
  14. I think my Gmail was hacked because of this by kbg · · Score: 4, Informative

    The day before this was noticed my Gmail account was hacked by Chinese spammers and I know I used the same password there. So I am skeptical about the claims that no one had downloaded this file. The email only says when they noticed the problem, but doesn't specify how long the file was available before that. It could have been available for a long time.

    1. Re:I think my Gmail was hacked because of this by Anonymous Coward · · Score: 0

      Since it was hacked and the password is now worthless, would you say what the password was? No hunter2 :(

    2. Re:I think my Gmail was hacked because of this by Anonymous Coward · · Score: 0

      May I give you some advice? Don't you ever, EVER use the same password in both your email and any other account. The same goes for any other important site (home banking, etc). At most you'll have to manage 3 or 4 passwords at the same time, but at least you'll minimize any damages for such leaks.

    3. Re:I think my Gmail was hacked because of this by mwvdlee · · Score: 1

      How do you know it was hacked by _CHINESE_ spammers?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:I think my Gmail was hacked because of this by kbg · · Score: 1

      Because the IP used for the hack originated from China and the spam was advertising some chinese scam site where the bank account for the payments was a chinese bank.

    5. Re:I think my Gmail was hacked because of this by mwvdlee · · Score: 1

      I didn't know you could see the server logs from gmail.
      Any chance this might have been ordinary, random spam?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    6. Re:I think my Gmail was hacked because of this by multipartmixed · · Score: 1

      How old is your AMO account database entry? If it's newer than 2009, it's really unlikely they managed to crack the SHA-256.

      It's much more likely that your gmail account got cracked because Chinese hackers spend A LOT of effort in mass-cracking gmail accounts.

      --

      Do daemons dream of electric sleep()?
    7. Re:I think my Gmail was hacked because of this by kbg · · Score: 1

      No, the spam was being sent from my account to all contacts in my address book. You can see Last account activity in Gmail which reveals which IP addresses have accessed your account recently.

    8. Re:I think my Gmail was hacked because of this by kbg · · Score: 1

      It's older than 2009, so it was only MD5 which is easy to crack. The password was composed of random letters so I don't think it could have been mass cracked by brute forcing Gmail.

    9. Re:I think my Gmail was hacked because of this by Anonymous Coward · · Score: 0

      you idiot gmail shows the last handful of ips you logged in from

      not that fucking hard to geo-lookup that information...

  15. Please tag article "firefail" by Anonymous Coward · · Score: 0

    Seriously, these are the people who are writing a browser, and they don't even know how to create a secure infrastructure. Perhaps they should stop squandering their money on stupid projects and eye candy, and take care of their own house first?

  16. Gee, will you look at that. by Anonymous Coward · · Score: 0

    Gawker has its private information stolen, whereas Mozilla just hands it out for us.

  17. You sir, are a troll, but I'll bite anyway. by Anonymous Coward · · Score: 1

    It's really convenient to ignore details like australian schoolkids faking fingerprints for the absentee system with gummi bears. Yes, that's right, gummi bears. The basic problem with biometrics is that it is always easier to fake than replace the "identity", meaning that once that data is compromised (replay attack, anyone?) the prudent thing and indeed the only recourse left for the government is to kill you. Is that what you want?

    Problems like this and gizmodo won't go away at all, the data in their database will just change. Your needing to memorize a password hinges on availability of biometric- and card readers and supporting infrastructure, software, and such. And of course, anonymity is the source of all evil, despite the fact that the founding fathers made heavy use of it to discuss giving form to the USA. Maybe we should burn all whistleblowers on the stake too, just to be sure. So you admit that you are living in sin in a provably evil country too? Report yourself to the nearest extermination station, citizen. Friend computer knows best.

  18. Encrypting passwords is less secure by Dr_Barnowl · · Score: 3, Insightful

    Urrgh.

    Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

    MD5 hashing is probably still a secure practice, done right, for a given degree of "secure". Like any kind of data security, it's all about raising the cost of obtaining the data beyond the amount that a given person is willing to pay to do so. While MD5 costs less to crack these days, the cost to obtain each Mozilla user account password is probably still higher than most are willing to pay (although stealing the resources to do this via a botnet probably reduces this cost considerably).

    Given equally sound methodology, encrypting passwords is always less secure than hashing them, because encryption implies that you can retrieve the plaintext, which leaves it open to all sorts of additional attacks, like stealing the encryption keys along with the data, "persuading" the sysadmin to decrypt them with either a rubber hose or a wad of cash, etc, etc.

    On the other hand, hashing means that you genuinely cannot retrieve the password without expending a large amount of CPU time, and persuasion isn't going to help.

    Any site that emails you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password. It's acceptable to offer a means to force a password change, it is NOT acceptable to send my password to me via a medium that any intervening server could read, and it's not acceptable to be storing passwords as plaintext or even encrypted when it is demonstrably less secure than hashing and there is no benefit to retaining them.

    In fact, you should mail the sysadmin of any such system and let him know that his system is doing it wrong, and why.

    1. Re:Encrypting passwords is less secure by mysidia · · Score: 3, Informative

      Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

      Only if the keys are compromised.

      The correct thing to do is to encrypt each password and protect the key by storing it in a different place; for example, by storing it in a different database, and having a separate application that performs authentications, so no single application has access to both databases.

      That way, if the user file / user database is leaked someone cannot simply use a MD5 brute force attempt with some rainbow tables and a dictionary to get everyone's password.

      This is most useful when the plaintext version of the password is required for authentication processes such as CHAP or CRAM-MD5 authentication.

      When it is not required, you are best off taking a secure crypto hash of the password with a secret salt, and then encrypt the list of SHA1/SHA256 hashes.

      If the password file is leaked with the list of SHA256 hashes, they will be useless without the ability to find or guess the salt that was used to compute each password.

    2. Re:Encrypting passwords is less secure by carlhaagen · · Score: 4, Informative

      No, you're actually wrong - in the context of password protection, encrypting passwords means using a one-way encryption scheme. The method is in some ways similar to hashing, but the common process used is actually that of a modified version of the Blowfish crypto cipher resulting in a non-reversible output. The process is very time-consuming compared to generic hashing such as MD5, SHAx etc., and is practically impossible to create rainbow tables for, practically impossible to bruteforce. You can educate yourself further on the topic here: http://codahale.com/how-to-safely-store-a-password/

    3. Re:Encrypting passwords is less secure by TheSpoom · · Score: 1

      Any site that will email you your password as plaintext is doing it wrong - there is no reason that any authentication system should be able to retrieve your plaintext password.

      Not necessarily, if the email was sent as part of the registration system (wherein the password may still be in memory from the user entering it). Of course, it's bad practice to send a password in plaintext at all to a persistent medium like email or a database.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    4. Re:Encrypting passwords is less secure by Anonymous Coward · · Score: 1

      Upvote parent for codahale link.

      Also, grandparent is forbidden from ever writing any code related to crypto.

    5. Re:Encrypting passwords is less secure by Anonymous Coward · · Score: 0

      Using 6 character all-lowercase (plus numeric) passwords is silly to begin with.
      This "bcrypt" argument is silly. Making a hashing algorithm take longer so that it's harder to create brute force attacks is a waste of CPU cycles. Forcing fairly secure passwords, 9+ characters from at least 3 character sets (upper, lower, numeric, special), and hashing them using the registration creation date as the init vector (salt) is more than adequate. I don't care how big your CUDA cluster is, it'll still take eons to brute force a SHA256 of a decent password.

    6. Re:Encrypting passwords is less secure by Anonymous Coward · · Score: 0

      That works in the case where users have strong passwords. I am willing to bet that the overwhelming majority do not have strong passwords.

      bcrypt *is* the current optimal solution for password storage. scrypt is an up-and-coming competitor, but it hasn't been subjected to the same amount of scrutiny as bcrypt.

    7. Re:Encrypting passwords is less secure by Firehed · · Score: 1

      I don't care how big your CUDA cluster is, it'll still take eons to brute force a SHA256 of a decent password.

      And this is different from bcrypt how, exactly? All of these systems are preventative measures to take such that if your password storage is to leak, it will be impractical to retrieve those passwords. So plaintext is obviously worthless. Typical encryption (two-way) is lousy since as soon as the attacker compromises the key, everything else is lost (and if the attacker has an account on the site, that probably won't be exceedingly difficult, all things considered). SHA1 and MD5 are better than nothing, especially when salted, but I can run about a million attempts per second on my laptop on either of those hashes. SHA256 is better, but it's only marginally slower to build rainbow tables. bcrypt allows me to specify the cost per run, and you can make it damned expensive. Pick a cost between 4 and 31 - 4 is three orders of magnitude slower than SHA1 (on my machine), a cost of 10 is 5 OOM. 14 took over a second per pass. I stopped my testing at 22 when it took over five *minutes* to get the output from a very short password (6 lowercase letters, I think) and it doubles with each increase.

      Suffice to say, it will take quite a while to bruteforce that.

      --
      How are sites slashdotted when nobody reads TFAs?
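    An added example, not code from the thread or from Mozilla, tying together two of the points above: mysidia's "secure hash with a secret salt" kept outside the user database, and Firehed's tunable cost factor that doubles the work per step. It uses scrypt (mentioned above) via Python's hashlib in place of bcrypt, and the pepper value and record layout are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Hypothetical secret held only by the authentication service; it is never
# written to the users table, so a leaked table alone cannot be tested offline.
PEPPER = b"constructed-pepper-keep-this-out-of-the-database"

def hash_password(password: str, salt: bytes, cost: int) -> bytes:
    """scrypt with work factor n = 2**cost: each +1 doubles the work, the same
    shape as the bcrypt cost parameter discussed in the thread."""
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=2 ** cost, r=8, p=1, dklen=32)
    # Keyed with the pepper, so the stored value depends on a secret the
    # database does not contain (the "secret salt" idea from the thread).
    return hmac.new(PEPPER, derived, hashlib.sha256).digest()

def create_record(password: str, cost: int = 14) -> dict:
    """What the users table stores: per-user random salt, cost, keyed hash."""
    salt = os.urandom(16)
    return {"salt": salt, "cost": cost,
            "hash": hash_password(password, salt, cost)}

def verify(record: dict, password: str) -> bool:
    """Check done by the authentication service, which holds PEPPER."""
    candidate = hash_password(password, record["salt"], record["cost"])
    return hmac.compare_digest(candidate, record["hash"])

def leaked_table_check(record: dict, password: str) -> bool:
    """All an attacker holding only the leaked table can do: recompute the
    salted scrypt output. Without the pepper it never matches the stored hash."""
    derived = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                             n=2 ** record["cost"], r=8, p=1, dklen=32)
    return hmac.compare_digest(derived, record["hash"])

def time_cost(cost: int, password: str = "hunter2") -> float:
    """Seconds for one hash at the given cost (fixed salt so runs compare).
    Keep cost <= 14 to stay within scrypt's default 32 MiB memory limit."""
    start = time.perf_counter()
    hash_password(password, b"\x00" * 16, cost)
    return time.perf_counter() - start

if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
    print(leaked_table_check(rec, "correct horse battery staple"))  # False
    print([round(time_cost(c), 3) for c in (10, 12, 14)])  # each step ~4x slower
```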
  19. Time to change your password by mysidia · · Score: 1

    including email addresses, first and last names, and an md5 hash representation of user passwords."

    How long before we see a file on bittorrent?

    With plaintext passwords derived from cracked MD5 hash representations.

    Time to change your password, if you have an account on Mozilla's website. Repeat with any other online resources (such as e-mail accounts or accounts with other websites) you used a similar password on.

    1. Re:Time to change your password by Anonymous Coward · · Score: 0

      Knock yourself out. Me, I'm less inclined to be that paranoid / want to work that damn hard. I have a full-time job + family + enough responsibilities to occupy my time.

      While I can understand your point of view, I just have a hard time getting my give-a-shit level up enough to do what you suggest. Instead, I think I'll treat this like the trivial event that it is and continue on with my day.

  20. Re:BULLSHIT. That is not the right attitude. by GameboyRMH · · Score: 1

    I've been using an AJAX email client for the last few years and plan to use (a different) one in the future, seems like a great idea.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  21. Get it out of the users table by Twillerror · · Score: 1

    This was likely someone doing a classic "select*fromusers" query. Hopefully this doesn't trip the sql injection filters :)

    If the hash had been in another table and that table had very restrictive permissions on it then this probably could have been avoided.

    The same problem is likely going to occur with databases that are being hit by Ajax calls or through some kind of proxy. If you don't want a column to make its way out, put it in a separate table/db and restrict everyone but the key DBAs and web servers from it.

  22. Re: What alternative do you propose? by Anonymous Coward · · Score: 0

    I use an algorithm to incorporate some letters from the website name into the password, thus for each website my password is different. You can shift the letters by one to make them less obvious.
    Over time my algorithm changed a few times to make it less obvious. Also, I use different levels of complexity depending on how secure it should be. This created a mess, and I started storing them on my smartphone. However, I only store info on what algorithm I used, not the password itself. So, should I lose my smartphone, the passwords are still relatively safe.

    Hope this helps and I don't get hacked after giving it all away :)

  23. Keepass by SuperBanana · · Score: 1

    What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

    Keepass. Clients are available for all major platforms, desktop and mobile. Combined with Dropbox, I can add/change passwords to the database on any system and my other systems are updated. This includes my Android mobile phone. One could implement something similar with rsync or something, I imagine...

    Also, consider a common password, but one modified through some easily-remembered scheme. For example, use two words with a number in between. Add a letter after the number; make it the second letter in the site's domain name (i.e. dropbox would be r). Whoever steals thousands or hundreds of thousands of passwords is interested in getting into sites with identical passwords; your password scheme is safe unless they get the passwords to more than one site...even then, you're still a little due to safety in numbers; attackers are still only interested in the easy targets, just like the people who go down the street testing car door handles until they find the unlocked car.

    1. Re:Keepass by Rich0 · · Score: 1

      I like the concept behind keepass since it is open-source, but they seem to be missing a Chrome OS client.

      Wouldn't it be better to just use SSL or something like that, and get rid of passwords altogether? Granted, that requires every site on the internet to get more serious about security. I guess if we get enough worms it will eventually happen...

  24. Use mobile SuperGenPass by Anonymous Coward · · Score: 0

    It only uses clientside javascript to generate passwords for each site based on your one remembered password. Sure, that means changing the password for every site, but you only have to do that once, then never again need to store passwords. You can even make a bookmarklet to generate the passwords if you get blocked from using that site.

  25. Why would I give my real last name? by Anonymous Coward · · Score: 0

    Unless you are internet-ignorant, you don't ever give your real first and last names to websites unless you need to (e.g. your bank or healthcare). Addons is the least likely website to get my real last name.

  26. Super Gen Pass works and is very simple by MCRocker · · Score: 1

    SuperGenPass is a simple bookmarklet that can generate hashed passwords based on a master password. Like KeePass and LastPass you only need to remember one password, but unlike those, it doesn't store anything and you can use it pretty much anywhere.

    --
    Signatures are a waste of bandwi (buffering...)
  27. Let me be the first to say by uninformedLuddite · · Score: 1

    I run Linux so I am completely safe from this sort of thing (let me get it out of the way for some of you - Whoooosh)

    --
    The new right fascists are bilingual. They speak English and Bullshit.
  28. Re:Mozilla and Firefox - Four Years of Fuckups... by Anonymous Coward · · Score: 0

    Causes Memory - Google Update plugin that shouldn't be there. (remove this from the directory)
    Stability - Google Toolbar poorly coded.
    Non-standard directory usage (component directory instead) - Google Desktop Search.

    Disable AVG, Norton browser "helper" add-ons.

    Then performance becomes better. 3.x.x is slow because its memory usage is low. It has been more memory effective since 3.0, or are you only counting one Chrome process?

    Use portableapps.com Firefox 4 beta, don't run it at the same time and you'll see things (like performance) have improved.

    You can use Opera instead you know, that would be a little more productive, and there are other organisations to go around on forums about, Facebook is a good example of bad things it has done which affects a lot of people.

    Of course there's Safari or Maxthon if the others don't float your boat.

  29. Client IP vs. server IP by tepples · · Score: 1

    Why does strong authentication require every client to have a static IP/etc?

    Current SSL requires the server to have a dedicated IP per hostname, not name-based virtual hosting, because it has to send the certificate before it gets a chance to see the Host: header. It need not for the client because the client already knows what client-side certificate to send for a given host.

    The only thing that is missing is getting the private key off of the PC and onto a smart card/etc.

    Agreed. I just wanted another chance to remind readers of why HTTP without SSL still exists at all. Another problem is how to get the web site to distinguish between an authentic smart card and a PC that has been compromised to emulate an attacker's smart card.

    1. Re:Client IP vs. server IP by Rich0 · · Score: 1

      The way you tell if the smart card is authentic is via challenge-response. When you create a gmail account you send the server a certificate from your smartcard. When you log in you provide the certificate again, the service sends you a challenge which you give to the smartcard, and the smartcard prompts for a PIN on its internal keyboard, and then after verifying the PIN it computes a response using the private key stored inside that never leaves the card.

      Without extracting the key from the physical smartcard (they are designed to make this almost impossible) you can't forge a valid response.

      The website doesn't know if a real smartcard was used, but that doesn't matter. The point is that the user got the level of security they asked for.

      Now, if it is important to verify an actual identity (unique individual) then you just make sure the certificate is signed by the appropriate issuing government agency. Most likely they would only agree to sign certificates whose keys are protected by secure hardware, and perhaps government-issued hardware at that. Regulation would of course dictate what these IDs can and cannot be used for, as is the case with social security numbers today (perhaps with actual teeth in the regulations).

      I agree with your point about virtual hosting. That is also something that needs to be fixed in the protocol.

  30. re: Mozilla Posts File Containing Registered User by toxickitty · · Score: 1

    At least Mozilla actually tells you when something like this happens. I can't count how many times in the past I've heard of credentials going missing and heard it from a news site and NOT the company. We can still scold them for not being careful, but at least they tell us. Mozilla <3