Taylor Larimore wrote: Bogleheads:
I alerted Administrator, Larry Auton, who is a computer whiz. This was his reply:
This isn't really news to folks who do what we do. People should use strong passwords but they never will.
This particular case doesn't affect us directly.
Thank you, Larry.
Best wishes.
Taylor
Of course, even "strong" passwords aren't always so strong anymore, due in large part to leaks like this.
Passwords can be examined for patterns.
So let's say your password needs to include spaces, punctuation, and numbers.
My house is a big1!
There's a password that meets those criteria and is easy to remember.
- First letter is capitalized.
- Standard sentence structure is followed.
- Last character is punctuation.
- Number is at the end of a word.
If a password is going to be easy for a human brain to remember, it will follow a pattern. With billions of passwords available to analyze for patterns, you can brute-force that password dictionary first, then try the most probable password permutations next, and then start really brute-forcing it.
You can only really do a brute-force attack like that though if you have direct access to the encrypted data. If you're forced to go through an interface which has an automatic lockout after X failed attempts, you'd better be very good at guessing.
There are still plenty of poor implementations out there though - some of the worst leaks were when someone broke through a server's perimeter defenses and found the usernames and passwords stored in plain text, entirely unencrypted.
Make the interface robust and resilient, encrypt the connection, and properly encrypt the data stored on the server.
Then there's also the old-fashioned way to get in: "I was told to work on some kind of network slowdown, but they didn't give me the administrative login yet; I think there was a meeting somewhere that had everybody tied up. Do you have that?"
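As an added illustration of the two points made in the post above (that memorable passwords follow recognisable patterns, and that a server should store passwords properly and lock out repeated online guesses), here is a small Python example. It is not code from this thread or from any Bogleheads software: the pattern checks simply encode the four bullet points above, the short "leaked" list is constructed for the demo, and the scrypt parameters and the five-attempt / fifteen-minute lockout are assumed values, not a recommendation from the post.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed sample standing in for a list of passwords seen in leaks (demo only).
LEAKED_SAMPLE = {"password", "123456", "qwerty", "letmein", "Summer2014!"}
_LEAKED_LOWER = {p.lower() for p in LEAKED_SAMPLE}


def pattern_flags(password: str) -> list:
    """Report which of the 'easy to remember' patterns from the post a password follows.

    A defender can surface these flags at password-change time so users see why a
    sentence such as 'My house is a big1!' is more predictable than it looks.
    """
    flags = []
    if password.lower() in _LEAKED_LOWER:
        flags.append("in known-leak list")
    # Pattern 1: first letter capitalized, rest of the first word lower-case.
    if password[:1].isupper() and password[1:2].islower():
        flags.append("first letter capitalized")
    # Pattern 2: standard sentence structure (several plain words, maybe with
    # trailing digits or punctuation on a word).
    words = password.split()
    if len(words) >= 3 and all(re.fullmatch(r"[A-Za-z]+[0-9]*[!?.]*", w) for w in words):
        flags.append("sentence-like word structure")
    # Pattern 3: last character is punctuation.
    if password and password[-1] in "!?.":
        flags.append("trailing punctuation")
    # Pattern 4: digits tacked onto the end of a word.
    if re.search(r"[A-Za-z][0-9]+(?=[^A-Za-z0-9]*(\s|$))", password):
        flags.append("digits at end of a word")
    return flags


class PasswordStore:
    """Server-side storage: per-user salted slow hash plus an online lockout counter.

    Storing only a salted scrypt hash means a stolen database does not hand the
    attacker plain-text passwords; the lockout limits guessing through the
    login interface.  Both limits below are assumed demo values.
    """

    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 900

    def __init__(self):
        self._records = {}   # username -> (salt, derived_key)
        self._failures = {}  # username -> (failure_count, locked_until_timestamp)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # scrypt is deliberately slow and memory-hard; n/r/p are assumed demo parameters.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'bad' or 'locked'.  `now` is injectable for testing."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        record = self._records.get(username)
        # Unknown users still go through a derivation so timing does not reveal
        # whether the account exists.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        ok = hmac.compare_digest(self._derive(password, salt), expected)
        if ok and record:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + self.LOCKOUT_SECONDS if count >= self.MAX_ATTEMPTS else 0.0
        self._failures[username] = (count, locked_until)
        return "locked" if locked_until else "bad"


if __name__ == "__main__":
    print(pattern_flags("My house is a big1!"))
    store = PasswordStore()
    store.register("alice", "My house is a big1!")
    print(store.login("alice", "guess"), store.login("alice", "My house is a big1!"))
```

Running the file shows that the example sentence from the post trips all four pattern checks, and that a wrong guess returns "bad" while the real password returns "ok"; after five failures in a row the account reports "locked" until the window expires, which is the behaviour that turns an offline pattern attack into a very slow online one.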
ProfessorX wrote: It's disappointing that whoever these companies are don't reveal the password breach to their customers.
Only if they're legally required, I'm sure.
Revealing something like that could cause a plunge in stock price, or risk losing customers, and that, unfortunately, greatly outweighs the perceived cost of leaving customers vulnerable.