Formspring Hacked - 420,000 Password Hashes Leaked

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shutdown the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of Phishing by some users on Twitter attempting to capitalize on the incident."

420,000?

420,000? Is that like 100,000 people smokin' the reefer?

Re:420,000?

[vlm]

420,000? Is that like 100,000 people smokin' the reefer?

More like 420,000 people use(d) something I've never heard of?

I wonder if unknown websites would make up some imaginary accounts and intentionally release them to create buzz?

Its not like there's any penalty for public release of information, and all PR is good PR anyway, so..

Re:420,000?

[Fnord666]

More like 420,000 people use(d) something I've never heard of?

Exactly. One of the articles even concludes with

Interestingly, while it gained popularity early on, most users who were reporting that they had received a password reset notice had forgotten they even registered with the service.

Re:420,000?

[k(wi)r(kipedia)]

I wonder if unknown websites would make up some imaginary accounts

That or they harvested and spammed some 400,000 email addresses using some sort of web promo where you fill in your contact details for a chance to get a freebie.

Network Isolation

[Archangel+Michael]

When are people going to get a clue and do proper network isolation of servers ... especially Database servers. There should be no way to attach to a database from outside network. Production and testing servers should all be on sandboxed networks that don't touch the outside.

Re:Network Isolation

...well, at least not without SSH (rejecting password auths if you have reliable console access).

Re:Network Isolation

[vlm]

I'm old enough to have had that very argument during the original SQL slammer infestation and the replies were along these lines:
1) Who cares, security costs money but insecurity is free, or free PR advertising anyway.
2) Thats just one bug, one time, I'm sure its completely secure now
3) Webservers were not originally built to be secure, but they pitifully bolted some security on and no one blinks at putting them bare on the net, so why worry about putting something originally designed to be secure on the net?
4) False sense of security means behind the firewall we'll get owned 10 times more often than if we stay paranoid and keep it on the public "dmz". The eternal crunchy outside and soft chewy inside argument. Who knows more about making a DB secure, a DBA or a firewall dweeb? So lets place it on the net and trust the DBA.
5) 99.9999% of databases getting powned are due to no input sanitizing and buffer overruns and other epic programming fails by those idiot web guys, so we may as well place the mysql server open on the net anyway since the web guys leave the barn door wide open almost all the time anyway.
6) Our hard coded back door password in the webserver executable closed source app is "password" so I think having the server outside is the least of our concerns. (prioritization)

Anybody ever hear anything else thats relevant?

Re:Network Isolation

[nedlohs]

Surely dev occassionally need a copy of the production DB to replicate bugs and so on? You clean out the passwords and emails and so, but probably on the dev server so at some point there's a copy of the production DB in the dev environment.

If you have remote workers then your dev environment needs to be accessible over a VPN or something (and so is touching the outside) - Indian workers are cheap after all.

Re:Network Isolation

I'm old enough to have had that very argument during the original SQL slammer infestation and the replies were along these lines: 1) Who cares, security costs money but insecurity is free, or free PR advertising anyway. 2) Thats just one bug, one time, I'm sure its completely secure now 3) Webservers were not originally built to be secure, but they pitifully bolted some security on and no one blinks at putting them bare on the net, so why worry about putting something originally designed to be secure on the net? 4) False sense of security means behind the firewall we'll get owned 10 times more often than if we stay paranoid and keep it on the public "dmz". The eternal crunchy outside and soft chewy inside argument. Who knows more about making a DB secure, a DBA or a firewall dweeb? So lets place it on the net and trust the DBA. 5) 99.9999% of databases getting powned are due to no input sanitizing and buffer overruns and other epic programming fails by those idiot web guys, so we may as well place the mysql server open on the net anyway since the web guys leave the barn door wide open almost all the time anyway. 6) Our hard coded back door password in the webserver executable closed source app is "password" so I think having the server outside is the least of our concerns. (prioritization)

Anybody ever hear anything else thats relevant?

Imagine if the tanker truck driver felt that way about fire safety. Or if electricians felt that way about getting shocked. Imagine if doctors felt that way about using sterile equipment. Or what if your water utility felt that way about making sure the water was potable (morons saying things like "well I mean bacteria are everywhere so why bother right?").

If malicious hackers make this kind of stupidity more painful then at least they're doing SOME good in the world. That's what corporations and sociopaths need anyway, right? A selfish reason to do the right thing? A selfish reason like potential losses, or humiliation. How tragic.

Re:Network Isolation

[sl4shd0rk]

When are people going to get a clue and do proper network isolation of servers

You apparently read alot about security but haven't done much enterprise administration.

Database servers behind a second DMZ with reverse proxying always look great on paper, and start life out that way but what always happens is there is some "corner case" piece of software which doesn't work with your setup and you need to make an exception. Next, the developer group will explain they've wrote their applications to use "realtime" data and the subset of data you've copied out to the DMZ DB is 6 hours too old. You go to the DB Admin and ask him what it would take to increase the frequency of the Oracle dump and he explains it already takes 6 hours to complete and the dump locks tables so you have to do it at night when Sales and Marketing are not using it. You find out the backups are running after the dump process and the network is quite saturated as it pulls 1500G over the wire to the archive SAN. As a result it takes you another 2 hours to get the subset of data moved out to the DMZ. This whole process takes about 12 hours to run and since you are on the West coast you can't tie up the network or the DB for an additional 2 hours or the Midwest offices can't begin work at 8am. Eventually the boss screams he wants it fixed whatever the cost so someone dual-homes the DMZ database so things can get sucked off the back-end on a separate wire. Sunddenly, developers start using the second nic to connect directly to the DMZ DB but you find out all the added traffic on the second gig nic tops out the old Sun box taking all it's spare CPU cycles with it. The nail in the coffin finally comes in when the AD server in the DMZ is found to have been compromised for over 6 months and has been siphoning data off the Oracle connector to some place in China.

This is why compromises happen and why we can't have nice things like secure database setups.

Re:Network Isolation

[Charliemopps]

And if the production and database servers are "in the cloud"? Kind of hard to isolate them then, aint it?

I've run into this before. We've got a DB that's hosted in a "cloud service" then we have idiot supervisors/management that want to do training... so they set all their training accounts to
Username "training1"
Password "training1"

We find out, force them to change it. Next thing we know, they're trying to sick VPs on us... "Why are you making it hard for my department to train?!?! It's only a test server!"
Explaining that it's a duplicate of production doesn't seem to phase them... It's kind of irrelevant which database the hackers get into when they are identical to each other. Calling one "test" is kind of irrelevant from a security standpoint.

Re:Network Isolation

[History's+Coming+To]

The doctor analogy is an interesting one - a doctor won't go through a full surgical scrub and use a sterile theatre for giving an innoculation because the risks of introducing a little bacteria into the skin aren't huge, a sterile needle and an alcohol wipe-down are sufficient. In the same way, if you have properly salted hashes using a strong algorithm, and you're not storing personally identifying information (names, CC details etc) then your DB doesn't have to be massively secure. Start storing card details or the like, and yes it does. It's all about going to the right level of effort - I store IP/DOB/TIMESTAMP data for a alcohol related site to prove due diligence, there's nothing particularly sensitive so I don't use lots of encryption and so on. If it gets leaked then the attackers don't get any particularly useful info. When people register an account, however, we store names, email addresses and DOBs together, so that DB has significantly more protection.

Re:Network Isolation

[postbigbang]

There is a good reason why I'm not hiring you. Ever.

You do shoddy work, and rationalize it.

If your chain of authorities aren't clean, nothing is clean, and you risk all.

Re:Network Isolation

[History's+Coming+To]

I do work for a client who doesn't have the budget for large commercial level systems. If they ask for something that would require something "shoddy" then I explain that it's not practical at their budget. Example: they wanted to take online payment for tickets. I could have written a custom system to deal with it all but I'm well aware that it would be outside their budget and at the limit of my capabilities, so I pass the problem on to PayPal. On the other hand, if they need due diligence records for the 18+ aspect of the website then I can do that in an afternoon without risking exposing any personally identifying information. There's shoddy and there's efficient, the important thing is knowing the difference.

Re:Network Isolation

[RabidReindeer]

Anybody ever hear anything else thats relevant?

Yes. "IT Doesn't Matter" (http://www.nicholasgcarr.com/articles/matter.html). The argument that IT is just another commodity that should be purchased as cheaply as possible.

Amusingly, General Motors has apparently now decided that IT matters after all (http://www.itworld.com/it-managementstrategy/285577/gm-set-move-away-it-outsourcing).

Re:Network Isolation

You can't have nice things because reality always wins. No matter what you do, your database will somehow be wired to the Internet. That's its purpose.

You can VLAN it, make proxies, make one way push-connections such that you replicate the writable system in realtime to read-only nodes in a special DMZ with just one port open to your application server in its own DMZ that has only a service port open to the webserver.

Bottom line is you just make more hosts to compromise in order to get to the database.

Now... I have a client who actually has an application with their a production databases authentication system stuck outside the DMZ. A state government of course. That's an example of just...doing it totally wrong.

But really, the role of a database is to receive and send data. Unless it's just a glorified read-only filesystem, you have things that need to connect to it to write. You have things that have to read. Some of these will be things publicly available. Applications will query/submit more frequently as the hardware and software supports it. They'll expect you to cluster for performance.

It isn't that devs wrote the program to require realtime, it's that...people want realtime data. You need to structure your network to defend in depth. VLAN and isolate machines. Run application and host firewalls. Have strong passwords and encryption, even on your trusted LAN.

The key is proactive management, thought, analysis. Your appserver should have an account on that database, or its proxy service should. What permissions does it need?

Does that 'global-read' account your companies first sysadmin created for their fifth developer back in 2001 still need to exist, or can it be limited to a 'application-reader' account, and then eventually to an 'application-user-level-reader' ?

It's natural to want to keep that database locked up, but...it's there to be used. Sure, ideally no public facing application *ever* connects to the database. They should all be using internal RPC/SOA (if only for load/scale/distribution). They shouldn't have any passwords or even public keys... just some config files pointing at RPC services with holes punched in the DMZ.

But virtually nobody ever pays to architect a program that way initially. Especially the type of place that hires outside contractors (virtually everyone). You buy a new website with a CMS, and they think they run on a dedicated server with its own local install of mysql and the password is 'spongebob' saved in the php.ini

Management doesn't think to put otherwise in the contract, doesn't consult for help on getting it written. Even if they did they wouldn't like the cost and time. So... your databases live in reality.

Network isolation is a guideline, not a rule.

Oh, and I can one-up you on dual homing... when we had some RAID speed issues slowing up the database at a job a few years back, someone didn't believe me and x-over-cabled the production database right into their webserver so some CGI script could pull raw tables for some new JSON table loading script.

They (and I) could actually demonstrate some minor speed improvements... (since they skipped a switch there was just less latency in their foolishly unpooled connection setup).

Probably still plugged in today...

Re:Network Isolation

When are people going to get a clue and do proper network isolation of servers ... especially Database servers. There should be no way to attach to a database from outside network. Production and testing servers should all be on sandboxed networks that don't touch the outside.

'people' are not the problem, ignorant cost-cutting management are the problem.

I'll bet the techies have been telling management how to do it right and management did not understand and would not spend the money.

Re:Network Isolation

[postbigbang]

Referential integrity is important. I know dbas that use the same complex password for all of their tables, triggers, queries, and apps. Tough password. Once broken, everything is omelet. Pass the cheese.

Elemental/atomic security, chain of authorities, referential integrity, are all important. There is a place between where your customer will offer you a "price" for something that you'll take, but it's up to par. If you accept that price and deliver substandard infrastructure, then your guilty of many bad things. If you refer them to another provider, and that provider is doing the right thing, great. Would you refer refer them to a provider that you can't vet? Your reputation is on the line.

US courts have recently raised the spectre of "best practices" regarding online bank fraud. The bar was recently raised. Liability for you, your client, and your provider have all changed-- and it's about time. "Efficient" can be a weasel word, a rationalization. You have to do the right job or everyone's data is in danger. That it's an "18+" datum used for audit doesn't diminish user privacy concerns, or the value of a breach, IMHO.

Re:Network Isolation

[History's+Coming+To]

I pretty much agree with everything above.

Thanks for coming back with something constructive and thoughtful on top of the snarky comment I thought the previous one might be. I'll give you a little context:

I'm mid 30s and have been self employed as a web programmer* for a year now. My main client (a pub/bar sompany) is a previous enployer from over a decade ago, and they've never, ever been into the idea of the internet and having a presence. I'm self-taught from the age of 8.

So now your alarm bells are ringing and you're wondering what the hell I'm doing as a sys-admin (I use the term loosely). Don't Panic. My whole point is that I'm well aware of my abilities - or more importantly the lack of. No, I can't set up a brilliant webserver from scratch, that's why I pay a modest amount every month to an excellent hosting company. So now I just have to worry about my coding ability. I know that it may fail me at some point, so I look very carefully at when I'm "hacking" and when I'm out of my depth - I've done some creative stuff that I'm very proud of, but when it comes to the security of my host's hardware and the privacy of my client's customers there's no messing about. If I'm not up to the job then I look for the best free managed option, or the best commercial option within the budget of the client, and if I can't then it doesn't happen.

Don't get me wrong, I'm no means an expert by a very long way (the closest I've been is shaking Knuth's hand), but I've got the important bit: realise your own limitations and the importance of what you're doing.

I wouldn't apply for a job with you anyway. I'd apply for work experience. My original point counts though, "make the right amount of effort".

Re:Network Isolation

[History's+Coming+To]

Ha, forgotten asterisk. I know, I know, of such things are segfaults made.

* Web programmer: I'm not a "web designer", that seems to be people who can use photoshop and wordpress these days. My main tool is customised gedit, plus GIMP and Blender locally, working on LAMP stacks. Web programmer is the simple way to put what I do to a non-geek, I realise I'm probably offending a bunch of real web programmers here.

Re:Network Isolation

[postbigbang]

The "right amount" is a nebulous description based on who's context you're speaking from. At about double your age, I've seen systems taken town in front of my eyes, seen incredibly novel attacks and take-downs, and have watched other systems pounded 24/7 until they should have been bleeding on the floor, but they did their job.

Sometimes, you'll find that nothing is foolproof, because fools are so ingenious. That's why diligence counts and efficiency is sometimes sloth or worse: whistling in the dark. Locks keep your friends out-- but your enemies have pick tools. Aphorisms aside, understanding the value of assets, and how assets can turn into enormous liabilities when they shift to the other side of the balance sheet can give you the paranoia needed to sleep at night, strange as that sounds.

It's not needless calvinistic diligence, rather, the best you can because you're trusted, no matter the price paid-- it was accepted within that constraint. Most of my world lives off LAMP stacks and variants, although the components used today are rapidly changing. I use interns; some succeed, others need a different career. I don't use fear as a motivator, rather the sense of responsibility for care of assets not my own. Sounds altruistic, but I also expect the same trust from my vendors; some earn and keep it, some have let me down.

Re:Network Isolation

[History's+Coming+To]

the best you can because you're trusted

I'm taking that as the central message here.

Re:Network Isolation

[postbigbang]

It's why I had to react.

Re:NETWORK ISOLATION

[tehcyder]

Have you tried telling nigger jokes?

Sure everybody will mod them down to prove how PC and not-racist they are. If anybody is looking they might act offended. But they'll laugh.

Yes, if they're racists.

Yet another reason to use a variety of passwords

[txoof]

And once again we are reminded that using the same password on every site is a terrible idea for just this reason. I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites.

It doesn't help that many password validation routines choke on spaces. Being able to use a passphrase is way easier than trying to remember some random group of characters that just happen to have a high entropy. The Correct Horse Battery Staple model is my new favorite for any site that will accept spaces. Sadly, one bank that I have done business with won't even allow a password that is more than 8 characters and only accepts letters and numbers. They try to shore this up with some bogus security questions on the following page, but I don't feel really "secure."

What other password strategies do you all use to make sure you keep reasonably secure? I eventually gave in to using KeePass to keep my less frequently but more important passwords secure.

Re:Yet another reason to use a variety of password

[Theophany]

Whilst I agree with all of the above, I think the *real* takeaway from this should be "don't use shitty websites like Formspring, for fuck's sake."

Re:Yet another reason to use a variety of password

[firex726]

Personally I much prefer serves like pwdhash.

Remember one base password across all sites and it'll convert it into a hash for you, so even if you have a key-logger installed it'll only record the base, and not the hashed one.

I think I figured it out.

[InvisibleClergy]

I know it's a Q&A site, but ForumSpring Engineers really shouldn't have answered the question, "How do I hack the ForumSpring servers?"

Re:I think I figured it out.

[Rogerborg]

ForumSpring Engineers really shouldn't have answered the question, "How do I hack the ForumSpring servers?"

Heh, I refer you to A Logic Named Joe. It predicted the personal computer, the internet, search engines, and the real uses which most people would find for them. In 1946. Nineteen. Forty. Six.

Re:I think I figured it out.

[InvisibleClergy]

Oh, shiny, time to read.

Re:Yet another reason to use a variety of password

[kav2k]

So, if I understand the idea correctly, once the keylogger has the base password, all derived passwords are screwed? It protects against hash/unencrypted password leaks, but makes the base password too valuable.

Bad configuration management

It sounds like bad configuration management. I'm guessing the database passwords are the same for the dev servers as they are for the production servers. Bad, bad, bad...

Re:Yet another reason to use a variety of password

[Calos]

Yep, I love pwdhash. It's portable without worrying about leaving a password database on a thumbdrive or in the cloud, it can generate long, site-unique passwords while using the same base password. Pwdhash is pretty nice in that it is sensitive to stupid websites that don't allow special characters, too - if you put a special in the password you supply, it very likely (but not necessarily) include one in the password it generates. If you don't put specials in the user-supplied portion, the output is just alphanumeric. Of course, there are still the stupid websites that want passwords to be 12 characters or less, and/or have to start with a letter, and/or other asinine rules. A downside though is that there is a maximum length for the passwords pwdhash generates, 22 chars if I remember correctly, but at this point, I don't think that's really an issue.

Still don't recommend actually using the same base password for everything, of course.

The other cool thing about pwdhash (and potentially, similar services too) is that they don't have to be used on websites. You can use it to generate passwords for, say, your wireless. Do something like the SSID in place of the website, then supply your part of the password.

Pwdhash

Re:Yet another reason to use a variety of password

[vlm]

I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites

I have one password for each class of security. Ultra critical life savings depends on it has one which is only used on two sites anyway. Then there's /. and sites like it which has another "I can't lose money, but I'd be pissed if someone stole my account" password. Finally "I can't believe these morons force me to create an account for their cruddy site F those idiots the password for moron sites is password123"

I believe that websites that demand account creation when there is no need to create an account, like to order stuff, or view pages, are a social disease that should be stamped out. Aggressively if necessary. Not because one POS automotive parts site demanding I "create an account" just to make a single item purchase one time in my life is inherently evil, but because making a billion people make hundreds of accounts each, many of which will be stolen IS evil. This is no different than the argument where "if I occasionally accidentally dump out a little used motor oil its no big deal, but if the whole planet dumped all their used oil, it would be a freaking disaster"

Re:Yet another reason to use a variety of password

I hav signed up to 280 websites, about 20% I still use, so around 60 websites. Do you think I am really going to use 60 different passwords?

Re:Yet another reason to use a variety of password

[tapspace]

All of my banking passwords are the weakest ones. Most of the banking sites will not allow a full alphabet of special characters (American Express only has something like 6 different special characters you can use). I'm like WTF, is this a banking site or not?

Re:Yet another reason to use a variety of password

[tapspace]

Hey me too! Except at the top level (e.g. banking, email), every site has a unique password. At the lowest level, all the forums and miscellany have the same password.

Re:Yet another reason to use a variety of password

[Tridus]

People need more useful advice then this, because "use different passwords everywhere" is so impractical for most of the public that it's ignored.

More and more I don't think smaller websites like this should even store passwords. Use external authentication providers like Facebook or Google accounts instead. We've seen too many cases where companies that aren't huge don't have security that can stand up, and given budget they never really will.

Could have been worse

[randomErr]

At least its hashes and not a clear text file like a certain video game system we all know and love.

The immediate question:

[skorange]

Were the hashes created with salt, randomized per user? It sounds like they were, which of course is in contrast to the LinkedIn breach.

Re:The immediate question:

[Gavin+Scott]

The linked SecurityWeek articles includes the quote:

“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security."

Which suggests that they were indeed salting the passwords. Assuming this was actually done, and done in a reasonable manner, then in theory there should actually be little or no risk from this breach I would think. But then I don't know why they would feel the need to immediately replace their hashing mechanism...

G.

Re:The immediate question:

SHA1 is not sufficiently computationally intensive this days. Blowfish is much better.

Re:The immediate question:

[mmajor]

Salting just defends against precomputed hashes (rainbow tables). Using a slower algorithm such as bcrypt defends against brute force attacks.

Case in point: I cranked through LinkIn's 6+ million SHA hashes using a dictionary of around ~20 million words (not counting JtR's manipulation rules). The total runtime was maybe half an hour. Using bcrypt makes brute force attacks much less practical. It's also good practice to iterate your hashing algorithm, each time feeding the resultant hash as input. Running sha256sum tens of thousands of times is a lot slower than running it once.

Re:The immediate question:

The statement is alarming because it sounds like someone who does not know anything about crypto at all. Good job on the sha-256 with random salts, well done but then to point to tool vendors is nonsense. It is like saying "from 32-bit computing to Intel and nVidia".

Re:The immediate question:

[ladadadada]

The parent mentioned SHA-256, not SHA-1. Your comment is true and would still be true of SHA-256.

If by "Blowfish" you actually meant "bcrypt", then yes. Blowfish is not a hashing algorithm.

Learn to spell

They didn't "shutdown" the service. They "shut down" the service.

Spelling and grammar matter. Illiteracy is for boobs.

Re:Learn to spell

Mmmmmmmmm boobs

Unable to remove account.

Some time ago I tried to remove my formspring account, but I could not. Online help says "use settings->disable", which leaves my account in "disabled" state. And apparently, my password is still kept. Now, they say "but we leaked your password". I went to the site, logged in, and then it said "please change your password". So apparently they still know my personal data, and even after the leak, I STILL cannot remove it.

That is utterly stupid. They should burn in hell.

Am I crazy?

[undefinedreference]

Maybe I'm oldschool, but I seem to remember these configurations being really common in production environments when I was a young programmer:

• Java-based website: INTERNET [firewall forwarding ports 80 and/or 443] WEB SERVER(s) [firewall forwarding port 8080] APPLICATION SERVER(s) [firewall forwarding ports for users to access production RDBMS] DATABASE SERVER(s)
• Light PHP/Perl/Python/etc script-based website: INTERNET [firewall forwarding ports 80 and/or 443] WEB SERVER(s) [firewall forwarding ports for users to access production RDBMS] DATABASE SERVER(s)
• Hybrid script-based website: INTERNET [firewall forwarding ports 80 and/or 443] STATIC WEB SERVER(s)/CACHING FRONTEND WEB SERVER(s) [may have firewall for added security (same ports as above firewall), but not required] DYNAMIC WEB SERVER(s) [firewall forwarding ports for users to access production RDBMS] DATABASE SERVER(s)

Many also had layers of load balancers that were grouped with the web servers, or sometimes with firewalls between the two.

In the development environment you can have the same configuration, with each layer accessible as necessary. Average internal users access at most the network the web servers are on. Developers will have access to all but the database (which is still behind the innermost firewall). DBAs will have access to the network beyond the innermost firewall. The cracker might get into the front end web servers/caching servers, from which they could crack the outermost firewall to allow easier access, but to get through the next requires exploiting another/different bug to get into these servers before they can crack and reconfigure that firewall. Then a quality DBA won't allow any direct access to your users tables from any user that can access the database through the firewall (which will be compromised if the next layer above is compromised), restricting it exclusively to stored procedures that insert, validate, or delete user records (You cannot simply dump the users table(s). A DBA worth his salary should have wrapped everything even slightly sensitive in stored procedures and disallowed direct access to the tables to the users, in fact.) Even the internal company network should only access the database though the innermost firewall (and that network should have no access to internet-facing production servers or the application servers).

As mentioned above, production data should never be used for development database servers (except when specific data is isolated that results in errors, then that alone should be moved into development for debugging).

There's no excuse for the theft of production data to anything short of a rouge DBA and/or physical security failures.

Re:Yet another reason to use a variety of password

[Bigbutt]

The best part about the security questions is the answers are easy to find (in general). What's your mother's maiden name, where were you born, etc are many times easily available. When I have to use those, I pick something totally different from the true answer. Then it doesn't matter which security question I have. I do record them in my password database though :)

[John]

Re:Yet another reason to use a variety of password

[Bigbutt]

The "identity sites" have different password model vs a same password. They are associated with me and my information. It would blow if my account started spamming 5 or 6 forums that I use.

[John]

Re:Yet another reason to use a variety of password

[Bigbutt]

Sure, why not. Most of the time they're saved in your browser password keeper anyway. I have a similar number of accounts with different levels of passwords. For the 200 or so that I don't go to often, I just check my password database. Not a big deal. I periodically roam through the browser db to make sure I have all mine in the pwdb up to date.

[John]

Keepass

[ThatsNotPudding]

I use Keepass and love it but, given that I use the generate function for passwords, I am now totally dependent on it - along with relying on the browsers to remember the more common non-banking passwords. Given that even my backups are at the same site (home), I really need to finally get a bank deposit box, but I balk at yet another bill.

Re:Yet another reason to use a variety of password

The dropbox guys made a password strength tool based on that comic (see http://tech.dropbox.com/?p=165).

There is a demo (though it is very raw and not for end users) here: http://dl.dropbox.com/u/209/zxcvbn/test/index.html

at least my 3 common passwords (I share them for "low security risk" sites) score a 4 on it

Is this publicity?

Because I for one had never heard of this site before now. Just went to the website to see what it was about and for the life of me I can't figure out its use. So you post opinions about stuff? Is that like Twitter but without the character limit? Or a blog post but not as hard (and you can spunk one out on your cellphone instead of having to actually compose your thoughts and form paragraphs)?

If publicizing the hack was to draw some attention to their name, then they've succeeded.

Re:Yet another reason to use a variety of password

fCb1234, aMz1234, cMs1234, pBb1234, and so on. Last four digits are the same but the first three (and sometimes four) letters are different. First letters relate to the website it belongs to, and the last digits are random. Hasn't failed me yet.

For the love of god

[Galestar]

Start using OpenID

It's not just passwords

We all tend to get focussed on the publicly release data, but this is just a proof point. Chances are high that much more information is being bought and sold from this breach right now. We'll all debate salted, hashing, protocols and forget just how much was information was included in plain text.

Seeing all the leaks everyday on Should I Change My Password, we've still got a long long way to go. We see thousands of records everyday, with levels of detail that are un-nerving sometimes.

Re:Yet another reason to use a variety of password

Added that algorithm to my cracker. Thanks!

Re:Yet another reason to use a variety of password

[DMUTPeregrine]

Once the keylogger is on your machine, all passwords are screwed anyway. As is your CC#, billing address, name, CCV2 code, etc.

Re:Yet another reason to use a variety of password

[jones_supa]

Hasn't failed me yet.

Except now when you told publicly everyone about it.

Re:Yet another reason to use a variety of password

[jones_supa]

In Finland (probably in many other nearby countries too), for banks it's customary to get a printed sheet of one-time tokens mailed at home. There is usually also an extra verification step when you are about to perform some action such as making a transfer.