Slashdot Mirror
13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites
The Daily Dot reports that yesterday a "group claiming affiliation with the loose hacker collective Anonymous released a document containing approximately 13,000 username-and-password combinations along with credit card numbers and expiration dates." Most of the sites listed are distinctly NSFW, among other places, but the list includes some of the largest retailers, too, notably Amazon and Wal-Mart.
Last ones you needed 3D to really get into them, few have 3D sets. I have 3D and bored fast with my selections.
As indicated in the article, this is probably due to malware. The list of sites affected is large while the number of released account details is small. Malware usually doesn't even need to keylog anymore, it can just fetch passwords from the browser password store.
With this in mind, changing your password now will likely not have a major effect (unless you are on the list). Since most people don't have the malware, and those that do will probably still have it when they update their account. Just wait a bit until the anti-virus programs update to find the source, and change the passwords after it is removed.
The worst part about them being somewhat vague about which sites are compromised (amazon.com? .uk? .eu? .mars? .SetiAlphaV?) is i need to download the list now to check if my username, password and especially credit card number is on there and doing so potentially makes me a criminal. I'm not going to cancel my credit card on the off chance.
When this kind of things go down a news source should show ONLY the usernames so at least people have a hint that they need to cancel their credit cards.
But to be fair... What does Microsoft have that anyone wants? :)
But to be fair... What does Microsoft have that anyone wants? :)
Plans to the next Surface and Windows Phone releases.
How does this stunt make the world a better place? I just don't like online vigilantism. I also hate Guy Fawkes masks.
Most of the listed sites have far more than 13,000 registered users, so access to the member database of just ONE of the sites would have yielded a much larger dump.
Also, some of the sites store only a properly salted, modern hash of the password, so there's almost no way to get passwords from the sites' servers.
It's pretty clear the hack is in the client side. We may have a look to see of the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.
Source - I designed the authentication and authorization systems for some of those sites.
Relax... It is totally obvious that this was a malware dump to anyone who is not a technical journalist. :)
13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites
Replacing the word "and" with commas pointless, annoying.
systemd is Roko's Basilisk.
The list that was posted has apparently been removed (if you can get to the site, which seems to be under heavy traffic with people looking for it). Furthermore:
Malware explains the odd collection of websites, relatively small number of accounts, and supposedly-plaintext passwords. So anyone affected who changes their password will just have that new password picked up unless they've exorcised their computer.
And ya im pissed, i have had my debit card used 3 times in the last 2 years no don't tell me i should be using a CC i don't want to pay the extortion fees they charge not going to happen..
There are plenty of credit cards out there that have no annual fees. If you pay your bill on time and in full each month, you don't have to pay any interest or other kinds of fees. If you can't manage to remember to pay your bill on time, you can pre-pay your credit card. You might have other reasons to avoid the general advice of using credit cards over debit cards, but "extortion fees" isn't really a valid reason.
That is pocket change compared with the 38 millon Adobe users of last year or the 7 millon dropbox users last october.. Even Sony hack of the data of internal users were in those order of numbers.
I thought the first comment was more interesting than the article. http://fyre.it/5tjcfo.4
Instead of passing harsher laws, maybe we should require that you (and people like you) should be only allowed to use the internet under the supervision of a caretaker.
>> But to be fair... What does Microsoft have that anyone wants? :)
> Plans to the next Surface and Windows Phone releases.
Yes... if Anonymous obtained a complete technical readout of one of those devices, it is possible-- however unlikely-- that they might find a weakness and exploit it!
Don't steal passwords !
Ten commandments
With the majority of hacks coming from foreign countries, ones who either directly want this to happen or just reap the rewards of groups who operate on their soil, jacking up punishments will not do jack shit.
You know who would get sent up for 10 years? Some 16 year old kid on the autistic spectrum using his brother's save game on a multiplayer network so he can unlock a character that he doesn't have the timing to do. Said kid would get tried as an adult, and makes hundreds of thousands for local private prisons, but doesn't help anything overall. It won't do a single thing against the real bad guys, because they have quite a number of computers that are compromised (and likely easily purgable to hide tracks... a simple TRIM command like blkdiscard /dev/sda will zero all data immediately, and beyond even the NSA to recover.)
Want real security? The government needs to fund NIST into offering tools, proper security practices, separate networks that are not Internet connected, hardened code and operating systems for appliances (so there is assurance a firewall doesn't have a backdoor), and maybe offer some incentive for businesses to bother with security.
In a year's time, this Sony breach will be exactly like the PSN breach... pretty much forgotten. Businesses have learned that they might be on the spot for a few weeks, but that's it. There are no consequences for getting hacked whatsoever, as ID theft is an issue for clients and proles. The manta of "security has no ROI" is quite strong in a lot of companies.
Only real change to this is what was seen in this last Sony break-in where data was destroyed. Snarfing data is easy, and almost undetectable. Destroying it is a lot harder, but it seems to be the next thing the organizations are going after, as it does make a name for them, gives them street cred... and gives them customers.
Took me less then 5 minutes to figure out this is a click bait scam using collections of older password leaks and money for clicks URL referers. And the 'news' are eating it raw, generating fear and helping it spread. Which is exactly how this scam was designed to work.
Debit card is my money i don't want or need a CC that makes me dependent on someone else the problem is not credit. But that doesn't matter, that's not the main problem here. scum hackers, script kiddies, greedy corporations, and pussy politicians are. I should not have to worry about some jackass in another state or country using MY debit number and stealing MY money. And its time to make them pay and pay a heavy price that is MO. Oh i have another Idea, Photographs on all debit cards,credit cards.Yes it will make things more difficult, but it will make things more secure.
Jack of all trades,master of none
Dang, man, you're really worried - did you get one of the CCs that still charges you the first $50 for fraud? Might try one with a $0 fraud promise.
Or is it something worse? Did you use your real email address for that furry porn site, and now it might have leaked? Sucks to be you, man.
Socialism: a lie told by totalitarians and believed by fools.
Its not a security failure if they flood your network from the outside....You cant stop these attacks, only mitigate them.
Good-bye
Some of it is probably just stuff from simple phishing sites. People are dumb.
Don't put your shit on a computer. The damn things are not ready for prime time. Their use requires trust. We don't have that right now, and we might not ever have it. We could have it, but people are fucked up.
How would you be dependent? Just don't spend more money than you have and you get an interest free loan for the month + extra protection if someone steals it (because it's not your money!).
Not.
Just fuck over 13K people who've done neither you nor anyone else any harm why don't you, you sorry little teenage dickheads. True hackers used to have either a moral or a technological purpose. Now its just a bunch of children vying for bragging rights on 4chan and screw anyone who gets hurt.
To personally verify that these disgusting porn site accounts passwords work. Each and every one of them!
DataBreaches.Net is carrying an article saying that the leaks are nothing new.
http://www.databreaches.net/verifying-leaks-uncovers-fake-leaks/
"Posted by @Cyber_War_News to Pastebin today:
Today has been interesting, to say the least.
Skipping all the bullshit lets get right to the main stinky shit.
Anonymous twitter user @AnonymousGlobo announced earlier today this:
https://twitter.com/AnonymousGlobo/status/547426305151860736
https://twitter.com/AnonymousGlobo/status/548537460691857408
Now after working with data leaks for years now it became clearly obvious to me that this was fake. why?
because real leaks do not get combined, real leaks often have a common format, the targets attacked have accounts leaked daily from phishing and other simple methods."
[more snipped]
It's pretty clear the hack is in the client side.
The list of sites alone is clear enough on that, even if you know nothing about them. Someone just had a little lolz with the botnet he owns anyways. TFA advise is totally bogus: They don't post the list of sites to advise people to check their accounts, they do it because it's their excuse for posting a list of x-rated stuff on a non-x-rated site. Pure sensationalism.
We may have a look to see of the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.
Or which desktop dancing nude woman they installed, or old version of flash player they use, or any other of a thousand possible problems.
Most people don't realize just how many (usually windows) PCs out there are owned by hackers. When some botnet runs an attack, we don't realize because the numbers are so big its just a statistic.
Assorted stuff I do sometimes: Lemuria.org
I keep telling those idiots to put their godamn network above the sea level but they just won't listen!
Get free satoshi (Bitcoin) and Dogecoins
You can, given a budget that's a pettance for Microsoft, prevent the attackers from taking you down. The three aspects of security are CIA: Confidentiality, Integrity, and Availability. Giving up one of those aspects is silly.
Cloudflare and F5 provide excellent protections against even extremely large flooding-type attacks, and Prolexic also operates in this space.
And you decided to go with salted hashes instead of scrypt/bcrypt/etc. why?
There is stupid and then, there is aggressively stupid. There are only 3 reasons to use debit cards in preference to credit cards:
1. Lower pricing (ARCO gas stations).
2. Can't get a credit card because of bad or non-existent credit history.
3. Stupidity.
Which are you?
The real "Libtards" are the Libertarians!
4chan is over there --->>
Il n'y a pas de Planet B.
mush = much
sum = some
there = their
ya = yes
im = I'm
You're also missing a lot of capital letters especially when writing "i" and you're also lacking ponctuation everywhere.
According to my rules, you're now banned from posting comments on the Internet for 10 years.
Get free satoshi (Bitcoin) and Dogecoins
And what would the URL for that furry porn site be, by any chance?
I need to know, just so... eh, so I don't click on it by mistake. Yes, that's it.
Get free satoshi (Bitcoin) and Dogecoins
Dependent on credit and what would YOU do if you didn't have a CC? It would change your life a lot i bet.I am dependent on no one. You buy something with your CC then you wait till the end of the month to pay your bill. your bill isn't free it cost money to create,to keep a track of. i pay once and done. There is no argument you can make that will ever change my mind ever. And Someone pays for CC thift and that someone is You and me with much higher prices/taxes for everything. what i didn't see is some stupid asswhipe marked my comment and suggestion as a troll that is bullshit its not a troll.
Jack of all trades,master of none
why doesn't amazon support two-step authentication yet? it's ridiculous. my twitter account seems to have more security than the site I spend actual money on.
They say the mother of all fuckups are people who assume right? Worried? not at all. im not a criminal, i don't steal, i don't hack, so i don't have anything to worry about im not going to spend 1 day in jail. So if that means it sucks to be me, guilty as charged. Not that i have to tell you, but no i never have paid for or joined a porn site why pay for stuff ya can get for free and don't have to steal? You got a 2 and i was marked as a troll??lol go figure.
Jack of all trades,master of none
And very selective? I call bullshit.
I bet only a few of the minor sites have been compromised, and other passwords are either made up or otherwise obtained (e.g. from malware, perhaps even collected by another group).
You must be a pleasant person to talk to in meatspace...
Well i know which you are, a victim blamer, congrats and its no credit history and i life very well. You work in the credit market?/scum hacker? must have touched a open nerve with my comment . 2 things that a member here cant do. 1.stick up for children and 2. talk bad about scum hackers. ya get marked as a troll for your opinions. No one has the right to steal my money wither its using a debit card or a credit card or a check. Not my fault scum hackers had bad parenting and im not changing the way i live for cowards.
Jack of all trades,master of none
well if i pissed off a spelling nazi it was worth the troll vote. and sometimes a speling mushtake isnt.
Jack of all trades,master of none
Some debit cards will check for authorisation every single time you make a transaction (Visa Electron, Mastercard's Maestro) so that it is really impossible to overspend ever. Limitations are it doesn't work with a few stuff like highway tolls, or for a gas pump without a human cashier you need as much cash at the bank as what the max serving of gas or diesel fuel costs.
In my country they're typically given to kids, students etc. (it's a bit more costly to the banks and payment system companies because of all the checks going on, but costs the same or less as the regular lowest end debit card to the consumer)
Frauds? then tell the cops and your bank about it. Less easy to get your funds back but harder for you to fraudulently declare fraud.
Buy some expensive shit, then context the credit card fee, then collect your next pay check and run away to Mexico. Maybe it's ridiculous that I'm thinking about that scenario lol. In the US credit card culture, you have had other concerns like the store clerk, the restaurant etc. defrauding you (with the old tech like mag stripe and customer's signature). In a culture of debit cards with a chip, there's not so much a concern about the merchant defrauding/hacking you. It would be a very bad idea to fuck with these things lol.
Well i am a nice person have lots of friends. They are of the same opinion, scum hackers are cowards who pray on others and belong in jail. some don't agree with my CC opinion that,s life, cant agree with everything. That,s a good crowd of people to hang with. can bet none will stab ya in the back like a scum coward criminal would.
Jack of all trades,master of none
I use a CC with a low limit specifically for internet purchases, I repay it straight away so I pay zero interest/fees. Over the last couple of decades I have known several people who have had their DC/CC emptied by hackers, in every case the bank was quick to accept blame and take the financial hit. It's in the bank's interest to do so because (like banknotes) CCs work on trust, if nobody trusts them nobody will use them. Nobody has ever emptied my CC (other than the ex-wife) but on a couple of occasions I have had a phone call from the bank telling me that my CC was being replaced by the bank because "it was involved in a data breach".
Dependency: Of course the people who can't afford to keep their CC balance at zero end up paying for my peace of mind via increased interest rates. Ultimately CC's are an unfair burden on the "working poor" and become "just another bill" when they inevitably hit their limit (been there, done that). The sad fact is that if everyone at every point in their life could afford to keep the balance at zero nobody would pay interest and CCs would not exist.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
You do send the passwords to the servers though right (if not, and infected server could modify the web pages to do this)? Thus it could be server side, and just passively collecting the passwords as logins occur. Don't just assume client side just because a dump of the database wouldn't do it, unless you use something like SQRL or a browser based (not java script based) un-spoofable version of something like SRP.
The fact that technical users are willing to type passwords into regular fields to be sent off to the server unmodified, or consumed by unverified client side scripts amazes me. It's as bad as how credit cards work! Sharing your secret to prove who you are is archaic.
It's clearly something like phishing in this case though, but don't let that make you think you implementation is safe from server side attacks.
Hello friend! You seem confused. Slashdot does not have an exclusively American readership. People from other countries post and read these comments, too, and you've just called many million people outside the US "aggressively stupid" for using debit cards in preference to credit cards.
Plenty of other countries have embraced electronic transactions and made them work, in real time, without fees or surcharges or significant security risks. In my country, the majority of transactions are carried out via debit card. Here, it's possible for the average person with an average income to live without cash, without a pen, without debt (unless buying a house), and generally without worrying about where there money is going or how to get it there.
This sort of system might not be working in your country yet, but it isn't "stupid" to use this system in a country where it works properly.
I do this. 128 bit salt from openssl and 10,000 rounds of sha256, tested with a constant time comparator. How is a ready rolled solution better?
One should always salt passwords to avoid rainbow table attacks. Why do you suggest otherwise?
Currently secure hashing algorithms include bcrypt, PBKDF2, scrypt. Why do you conclude carlhaagen is not using those?
There is no group "Anonymous". It was just the handle given to people that didn't log in to 4chan. It's like Slashdot's "Anonymous Coward". Some of the 4chan users took to talking about themselves as if they were a group and the media picked up on this and ran with it. The media and random people began attributing characteristics to this imaginary group, like "hacktivism." and "lulz". But the reality is that there is no Anonymous at all. Anyone telling you the group has some particular aspect or characteristic is just trying to further their own narrative in some way or another.
Also, yes anyone who wears a Guy Fawkes mask is a complete tool -- helping write whatever narrative the media is trying to ascribe to "Anonymous".
Just don't spend more money than you have...
Easier said than done if you're always broke before the next payday. And no, that scenario doesn't automatically mean you're a lazy or that you squander your money. Quite the opposite, it generally means you work 60-80hr weeks in retail or some other minimum wage (or less) industry. When the shit-box car that takes you to work dies a CC is normally the only way it can be revived/replaced.
The vast majority of the "working poor" know it's a financial trap when they get the card, but sometimes in life deliberately walking into a trap is the best option you have, thankfully I haven't been in that position for over 20yrs now.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Instead of passing harsher laws, maybe we should require that you (and people like you) should be only allowed to use the internet under the supervision of a caretaker.
Of course, if you seriously advocate that people take responsibility for their networks, their equipment, and their decisions and realize the part they play in enabling the problems they complain about, you'll be accused of "blaming the victim".
Still, unlike the harsher laws that vary by jurisdiction (of which some have no extradition treaties), this actually stands a chance of working. On a hostile network like the Internet, nothing other than hardening the targets is going to actually improve security. It would also be nice for the rest of us not to have to contend with botnets and other problems made possible entirely by the clueless who want all the benefits of a general-purpose global network but don't want to put forth the effort to learn how it works and how to use it responsibly.
They strongly resemble the child who wants a pet cat but doesn't want to feed it and change its litter box because that part isn't fun.
It is a miracle that curiosity survives formal education. - Einstein
Time to take your medications, Stan.
s/carlhaagen/raymorris/
And Someone pays for CC thift and that someone is You and me with much higher prices/taxes for everything.
Taxes and store prices have nothing to do with CC theft, the money is recouped by the bank purely from the interest rates.
However what I think you are trying to say is that; - the "working poor" are the people who end up paying interest because they can't afford to keep the CC balance at zero, they can't "just say no" to the CC debt because they also can't afford not to fix the car that takes them to work.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
SHA is designed to be easily hardware accelerated (its a feature of SHA thats harmful here). Unless you are using dedicated SHA hardware, you are paying more time for the amount of security than you would with a memory hard hash like scrypt which is designed to run best on modern CPUs (and thus an attacker with exotic hardware options gains less advantage). scrypt and bcrypt also ease storage of salt, round count and result in a single blob making it simpler to use, and easy to adjust the number of rounds in the future as hardware improves.
When it comes to the question on how existing crypto primitives are better than my hand rolled solution, you usually screwed up. A constant time compare here completely useless. The ability to adjust the round count (and actually upping it as appropriate), and using a proper key derivation function with good performance properties are far more important. Given that the attacker in the timing attack does not know the salt, or the hash target, compare timing is useless (and impractical due to the time spend hashing being so large). At worst they could learn a few bits of the hash target if they already knew the salt, which could do a little harm, but how the heck could they learn the salt without also having a chance to get the hash target!?
Also, 10000 rounds is pretty low for sha256. Better than nothing (especially give your correct use of salting), but that may not even take a millisecond on decent hardware these days. I see examples of services using upwards of 100000 rounds of sha256 way back in 2011. The bitcoin network is ~300 peta-hashes a seconds (300,000,000 billion hashes per second). There is a lot of sha hashing hardware out there.
And all this assumes you are just sending passwords to the server, which while being standard practice (and pretty much the only practical option currently) is horribly stupid, but I won't blame you for that one.
Even if it turns out to've been a leaky client or something. It was dem haxxorz in dem intarwebz!
The plans you refer to will soon be back in our hands.
The cousin dooms our displayed shoulder inside its zone. The ward junks an ashcan beneath the custom incompetence. How will a frustrating household enter the ham?
Given that the attacker in the timing attack does not know the salt
You are so full of shit and buzzword bingoism here. The usual assumption is that the attacker learns the salt when they get the hashes (in a typical attack). It prevents you from having tables ready before you acquire the password db.
no that's not what i am saying. I am saying hackers are the problem,greedy corporations are at fault and last but not least Our elected officials. I don't expect anyone to use or not use a CC for the reasons i don't use them. You don't like my opinion, fine that's life but don't tell me its MY fault my money was stolen because i choose to use my debit cards.That,s just the same as blaming someone for getting mugged but hay its there fault they shouldn't have had cash on them right?
Jack of all trades,master of none
If you have the db, your attack is not even going to run the constant time compare code while doing your dictionary attacks. There are 2 attack scenarios: you steal the db, and attack that, or you attack the server without knowing the db. The server code and thus timing in only involved in one of these, the one in which you do not have the salt.
Also, the salt makes the attack on the db require a new table per password. Its far more significant than just not letting you prepare them before the attack.
Also, what in that particular clause you quoted is a buzzword? attack? salt? timing?
Also, "The usual assumption is that the attacker learns the salt when they get the hashes". Yes, that's exactly my point: the constant time compare is useless if that (accurate) assumption is true. So are you objecting to my claim by agreeing with it?
Anonymous seem to be becoming more and more pointless with each hack. Can someone explain to me what valid libertarian, socialist or anarchic objective this leak reaches for? There isn't a coherent point to this hack at all. It is meaningless and it risks doing real damage to ordinary civilians. For the "lulz" indeed. What, are these guys 12 years old?
Those are "key derivation functions" (KDF), not really "secure hashing algorithms" (different uses of one way functions). SHA is a fine secure hashing algorithms, but a crap key derivation function if you want to resist dictionary attacks. Its true they also sort-of work as "secure hashing algorithms", but they are a bad choice (slow, and secure hashing algorithms shouldn't involve salt: they are instead used with salt (the salting if used is part of the algorithm using the hash)) .
bcrypt, PBKDF2, scrypt are salt+hash algorithms (KDFs: They include the salt in the algorithm). We conclude he is not using them since he rolled his own (inferior) KDF. Its still quite good, but its not the best, and its more work and opportunity to screw up than using an off the self version like scrypt.
scum hackers are cowards who pray on others and belong in jail.
I know. I hate it when people pray on me.
As an atheist, it's so annoying.
At the same time, just praying on me, while it is rather anti-social (why do the religious types do that?), doesn't really rise to the level of crime in my book. Just sayin'.
Oops, it was someone else who mentioned they do "128 bit salt from openssl and 10,000 rounds of sha256", so maybe raymorris does better.
Both brypt and scrypt would PROBABLY work, especially bcrypt, but they're designed for a different use. What you want for password storage is confidence that if the bad guy gets F(plaintext,salt), (the hash) they can't derive the plaintext. It's a one-way trap door - you can compute the hash from the plaintext password, but not the other way around. You do not care about any aspects of the output, other than that it can't be used to infer the input (and that it has a guaranteed reasonable maximum length).
For a key derivation function, it's ALL about the output. You're trying to create output that has particular attributes, such as pseudo- random bits, long length, and bonus points if they length can be extended to go on forever.
Key derivation algorithms sometimes work okay as hashes (for password storage), but almost by accident. That's not what they're designed for. To achieve the very different goals of KDAs, they tend to be much more complex, and therefore much more likely to contain subtle undiscovered weaknesses. I'd rather use something designed for the job at hand. I wouldn't, however, say someone is WRONG to use bcrypt for the purpose. If a student turned in a project that used bcrypt for password storage, I wouldn't mark down their grade. It's just not my personal preference.
where can i view the list of the passwords released today so i can see if im on there
I don't get it. Were you being ironic when you misspelled "ponctuation"?
Or are you just an idiot?
If you are going to do your own round counts, there are better ways to make it so you can't use hardware to attack your system. One trivial way with hashes is to xor the 1st byte with 0xaa on the 12th round. That alone means anyone building hardware or a GPU approach needs to take that odd step into account and that should about double the work needed by a GPU using today's techniques for optimisation. Another thing that works is to use a different table. For example MD5 uses an internal table that is something like 256*sine((0..255)/256.0). A simple swap of two bytes somewhere in the table means it is incompatible with off the shelf solutions and should be the same strength. There is a risk that doing this will cryptographically weaken the hash. For example if you use the XOR trick too early or too often in the rounds, you end up forcing bits to a known state and that makes it much weaker much like messing with S-boxes in DES does and for the same reasons. Moving around values in large tables tends to be safe as does some conditional byte manipulation in later rounds assuming you are doing more than the standard count. A great way to find out what doesn't work is write a md5 like function with 32 bits and just a few rounds. That can show lots of tweaks are very bad ideas.
I wouldn't, however, say someone is WRONG to use bcrypt for the purpose.
It's more widely used this way than you think. For example BSD uses it for the default password hash. The PHP password_hash function also defaults to using bcrypt nowadays.
I am aware of that. PHP's password_hash is kind of stupid, not really a good example of best practices for secure systems. Given that PHP was designed for non-programmers, though it _might_ be a net benefit, if people use password_hash rather than plaintext or MySQL PASSWORD().
http://www.databreaches.net/verifying-leaks-uncovers-fake-leaks/
You may have bad credit history and there may be a story behind that. However, you were the one who posted:
Now I am not going to blame you for not getting a credit card if you can't get one because of bad history, but I am going to call you out on the claim that you won't get a credit card because of "extortion fees". It was your claim that the fees were your reason to not get a card, not mine.
Dependent on credit
You are answering "what", not "how". How would I be dependent on someone or something else just by using a credit card instead of a debit card?
and what would YOU do if you didn't have a CC?
Probably the exact same thing you would do if you didn't have your debit card.
There is no argument you can make that will ever change my mind ever
I'm not trying to change your mind, I am trying to get you to explain yourself in a manner that could possibly change my mind.
what i didn't see is some stupid asswhipe marked my comment and suggestion as a troll that is bullshit its not a troll.
Your posts are incomprehensible gibberish. Baring mental retardation or English-as-a-Second-Language, troll is absolutely a valid mod.
Can't it be both?
Get free satoshi (Bitcoin) and Dogecoins
If I didn't have a credit card I guess I'd use a debit card or go to the bank to take out cash. It would be more of a hassle, but those are the alternatives. It's true I do have to pay my bill every month - takes about 5 minutes to login to the website, review the month's purchases, and click "pay bill". I could have it automatically pay (sort of like a debit card), but I like to see what I spent money on the most over the month. Not really a cost.
I also get 1-3% cash back so the higher prices that everyone pays get to me in the form of a check every few months.
They should change the law so interest can't exceed let's say 13% APR/APY/whatever. And even lower interest rates on any credit card debt exceeding $10k.
I can understand short-term loans having about 1% per month interest. But when you're borrowing lot's of money, it really shouldn't be that high.
Well $SUBJECT says it all, really.
Over here most places don't accept credit cards, due to the (transaction) costs. Hotels (most due to the possibility of visitors from outside the EU) and restaurants (many but not all) will except CC, but any normal store and you are out of luck. They will work in ATMs but there is AFAIK a high cost to withdraw money compared to 0 for EU debit/bank cards.
It's much more common to hash or bcrypt the password client side (in javascript) before POST-ing it nowadays, so it could hardly be server side. The only way to collect password then would be to man-in-the-middle the login form somehow, and for that to work with SSL you need server's private key.
I had to take another look because I remembered I had decided it was silly, but I didn't remember WHY I decided it was silly. I just took another quick glance, and noticed two things. There may be another, larger, issue I noticed last time and didn't notice this time. The two I noticed this time are language silliness, rather than security silliness.
First, it's the same as crypt($p,makesalt($alg)). Redundant language bloat. PHP has more duplicate functions than C has functions in total. In Perl, C, C++, PHP itself, and just about every other language you call it as crypt(). Essentially they've just renamed an existing well-known system call, obscuring what it really is.
Second, it takes an "algorithm " parameter, which has exactly one legal value, bcrypt. That's pointless. It should at least accept SHA256 in that parameter as well. It's not like it require any significant addition to the code - it just being passed to crypt() anyway.
And you decided to go with salted hashes instead of scrypt/bcrypt/etc
And you decided that scrypt/bcrypt/etc aren't a salted hash why?
You created a 10,000X increase in the work factor for brute force attacks.
If you had just hashed over the salt and password once, encrypted the result and kept the key private, you would have a 340282366920938463463374607431768211456 increase in the work factor.
Relying on low integer multiples of work factors seems like a poor solution to me.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
As it happens, I'm trying to make a good KDA right now at work, for very specific interpretations of the word 'good'.
I may be done in a year or two.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Interesting. That must be quite challenging. Good luck with it.
Er, not really? You want a well-optimized function to turn a password into a very big unpredictable number in a way that's computationally complex, and that's precisely what KDFs are made to do. The entire crux of your argument against such use seems to boil down to "but they sometimes let you specify how big a number you want", as if this added complexity and risk somehow massively outweighed that created by rolling your own slow crappy little alternative.
> really? You want a well-optimized function to turn a password into a very big unpredictable number in a way that's computationally complex
You want the hash algorithm to be SLOW, not "well optimized"
You don't care about turning it into an unpredictable number.
You don't want it to be computationally complex. In fact you sometimes enforce O(1) time, you don't want a longer or different password to take longer to hash, because that facilitates timing attacks.
"Rolling your own slow, crappy"? Like I mentioned before, yes it should be slow, but no, SHA256 isn't my own. I'm known for applied security, not the heavy math of the primitive algorithms.
> Why is a KDF like PBKDF2, bcrypt or scrypt, a poorer option for password storage than rolling your own?
Rolling your own is stupid. I never said using a good KDF was worse than rolling your own algorithm of unknown quality and unknown behavior.
In fact, I said bcrypt specifically is acceptable, that I wouldn't take points off your grade for using bcrypt. A better choice is a properly vetted hash that's designed as a hash, such as SHA256. Using a KDF as a hash is like using a butter knife as a screwdriver - it gets the job done, and professionals normally use the tool designed for the job rather than substituting.