[Discuss] KeePassX
Bill Horne
bill at horne.net
Wed Jul 24 00:52:22 EDT 2013
On 7/24/2013 12:05 AM, Ben Eisenbraun wrote:
> On Tue, Jul 23, 2013 at 11:16:06PM -0400, Bill Horne wrote:
>> Since my password isn't in a dictionary, and doesn't contain any common
>> substitutions that would allow for guessing, I'm not concerned about the
>> breach.
> Dictionary attacks are kind of... passe. It's all password lists culled
> from the numerous other cracked sites and targeted brute force GPU
> cracking these days:
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>
> But your basic strategy works okay provided you never reuse a password,
> since you can't really ever know what the security on the other side of
> a web page you didn't write looks like. Ubuntu salted and hashed their
> passwords, but plenty of sites just store them in plaintext or use fast
> hashing schemes like MD5 which are quick to brute force with a GPU
> cracking tool.
>
Point taken.
My old password was just for "I don't care" sites, such as yahoo groups,
where it wouldn't matter much if it /were/ hacked, since all anyone
could do would be to post a message pretending to be me, to people who
don't know me anyway.
However, the more I thought about it, and the places I'd used it, the
more I hastened to get the passwords changed. We've all heard about the
"Help! I got mugged on vacation!" scams, and although I'm ever-so-eager
to find out which of my email contacts would rush to Western Union and
wire thousands of dollars to <random foreign city>, I don't /have/ any
email contacts on any of the sites I've used that password for - but I
realized that they might have been auto-collecting addresses I sent things to.
The arms race continues.
Bill
--
Bill Horne
339-364-8487