Page 4 of 30

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by BlahBlah_Archive
More importantly, if you were using the same password anywhere else with the same e-mail/details then you should also change it there.

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by BlahBlah_Archive
Jodi S. wrote:I have a question about passwords in general.If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also? This might just be the incident that has me kill off my old email address for good.No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes. Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as 1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.Also, thanks Russ!(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by BlahBlah_Archive
Jodi S. wrote:I have a question about passwords in general.If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also? This might just be the incident that has me kill off my old email address for good.No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes. Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as 1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.Also, thanks Russ!(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by BlahBlah_Archive
Jodi S. wrote:I have a question about passwords in general.If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also? This might just be the incident that has me kill off my old email address for good.No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes. Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as 1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.Also, thanks Russ!(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by BlahBlah_Archive
Jodi S. wrote:I have a question about passwords in general.If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also? This might just be the incident that has me kill off my old email address for good.No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes. Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as 1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.Also, thanks Russ!(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by tarblackvomit_Archive
Thanks, I changed it to "Password123".

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by tarblackvomit_Archive
Thanks, I changed it to "Password123".

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by tarblackvomit_Archive
Thanks, I changed it to "Password123".

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by tarblackvomit_Archive
Thanks, I changed it to "Password123".

CHANGE YOUR PASSWORD!!!

Posted: Mon Sep 30, 2013 7:00 pm
by tarblackvomit_Archive
Thanks, I changed it to "Password123".