SV650.org - SV650 & Gladius 650 Forum


Owenski 02-10-09 10:12 PM

*urgent* anyone else heard about the password leak?
 
Just had a text from a work mate telling me to change all passwords if they are the same as my hotmail one ASAP. Apparently there has been a set of documents leaked which contain all usernames and passwords for hotmail. Not sure what to make of it tbh, anyone else heard anything?

TSM 02-10-09 10:16 PM

Re: *urgent* anyone else heard about the password leak?
 
doubt they store the password as cleartext in their DB, usually it will be hashed

Owenski 02-10-09 10:18 PM

Re: *urgent* anyone else heard about the password leak?
 
this bloke is a pretty big geek, he's always talking about the side of PC's I know nothing about. You echo my initial reaction but then again other than OS based software I know nothing about a computer.

gruntygiggles 02-10-09 10:32 PM

Re: *urgent* anyone else heard about the password leak?
 
I change my passwords for everything every other month anyway. Because I've been the victim of some serious ID theft and fraud, I got into the habit. Luckily I have a really good memory for things like this as I have no plan for passwords. I literally change them to use something that I can see, have seen or heard that day, something completely random and pick numbers off my lotto tickets at random to add to them. No-one would stand a chance of guessing any! The only one I don't change is the one for this forum as I don't see the point.

Baph 02-10-09 11:08 PM

Re: *urgent* anyone else heard about the password leak?
 
Urban myth started by the actions of "Croll" against Twitter.

Nothing more than a social engineering exercise, which is why I refuse to refer to "Croll" with their self appointed name. :)

Sally 02-10-09 11:53 PM

Re: *urgent* anyone else heard about the password leak?
 
bbarstewards.mn **** em all

Alpinestarhero 03-10-09 08:49 AM

Re: *urgent* anyone else heard about the password leak?
 
Well someone might get into my facebook, maybe log in on here as me and on to bikersoracle as me.

not much info about me on the winternet anyway :rave:

Owenski 03-10-09 10:02 AM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by Baph (Post 2051002)
Urban myth started by the actions of "Croll" against Twitter.

Nothing more than a social engineering exercise, which is why I refuse to refer to "Croll" with their self appointed name. :)

that's all I could find anything about when I googled it, so I'm happy not to worry... for now lol

Kinvig 05-10-09 03:38 PM

Re: *urgent* anyone else heard about the password leak?
 
I discounted this as normally companies only store a hash of the password using something similar to sha1 encryption.

So, imagine my surprise when I read:

http://news.bbc.co.uk/1/hi/technology/8291268.stm

Alpinestarhero 05-10-09 03:40 PM

Re: *urgent* anyone else heard about the password leak?
 
oh no

I found a pool of liquid under my password this morning

:flower:

DarrenSV650S 05-10-09 03:47 PM

Re: *urgent* anyone else heard about the password leak?
 
How do you change your hotmail password? Can't find it

keith_d 05-10-09 03:50 PM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by DarrenSV650S (Post 2053487)
How do you change your hotmail password? Can't find it

Post it on the forum - we'll change it for you!! :smt096

DarrenSV650S 05-10-09 03:55 PM

Re: *urgent* anyone else heard about the password leak?
 
ok it's 456keithdisablend789 ;)

No seriously, I can't find it :(

sunshine 05-10-09 04:02 PM

Re: *urgent* anyone else heard about the password leak?
 
it should say options on the page, reversing an encryption on db is easy. so looks like they can log on to my hotmail account then they're stuck there. every password is different and a pattern so they can't trace anything about my passwords elsewhere.

Kinvig 05-10-09 04:05 PM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by sunshine (Post 2053507)
it should say options on the page, reversing an encryption on db is easy.

Not everyone uses the same methods to encrypt.

sha1 is pretty robust. I normally hash the password with another piece of data, then hash the hashed value for good measure.

Razor 05-10-09 04:36 PM

Re: *urgent* anyone else heard about the password leak?
 
*waves hand* these are not the passwords you're looking for...

Dave20046 05-10-09 04:53 PM

Re: *urgent* anyone else heard about the password leak?
 
Took too long to find, found a nice option called 'marketing preferences' : 'tick this box if you want microsoft to F off'

TSM 05-10-09 05:48 PM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by Kinvig (Post 2053513)
Not everyone uses the same methods to encrypt.

sha1 is pretty robust. I normally hash the password with another piece of data, then hash the hashed value for good measure.

the normal way is to hash the username & password together, well that's nix way from what i remember

i sometimes hash it with the IP address & session_id if i want a temporary password, many different ways
passwords in DB are usually not done with a master seed though, if you lose that then you are stuffed

Warthog 05-10-09 09:06 PM

Re: *urgent* anyone else heard about the password leak?
 
I think someone has gotten my org password, I keep seeing posts by me with useless information and rubbish jokes.

TSM 05-10-09 09:07 PM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by Warthog (Post 2054025)
I think someone has gotten my org password, I keep seeing posts by me with useless information and rubbish jokes.

naa, I've confirmed it's you, sure you remember who you are :p

Kinvig 06-10-09 11:20 AM

Re: *urgent* anyone else heard about the password leak?
 
[tech derail]


Quote:

Originally Posted by TSM (Post 2053691)
the normal way is to hash the username & password together, well that's nix way from what i remember

Yup, I hash using either username or email address. It's the one time on a website that I'll use javascript for "core" functionality as I don't want an unhashed pwd going back & forth between server & client.

Quote:

Originally Posted by TSM (Post 2053691)
i sometimes hash it with the IP address & session_id if i want a temporary password, many different ways
passwords in DB are usually not done with a master seed though, if you lose that then you are stuffed

You can't always rely on a client's browser maintaining 1 ip address for its session. Apps such as AOL seem to let the AOL browser use a roaming/floating ip address range - hence all the issues that you get with AOL users.

[/tech derail]
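
An added example, not code from any poster in this thread: the username-plus-password double SHA-1 described in the posts above, next to a per-account random salt with PBKDF2 from Python's standard library. The function names, the sample account and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def thread_scheme(username: str, password: str) -> str:
    """Scheme sketched in the thread: SHA-1 over username+password, then SHA-1 again."""
    inner = hashlib.sha1((username + password).encode()).hexdigest()
    return hashlib.sha1(inner.encode()).hexdigest()


def kdf_store(password: str) -> tuple:
    """Per-account random salt plus a deliberately slow KDF; store both values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def kdf_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def relative_cost(samples: int = 2000) -> float:
    """How many thread_scheme guesses fit in the time of one KDF guess."""
    start = time.perf_counter()
    for i in range(samples):
        thread_scheme("alice", f"guess{i}")
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    kdf_store("guess")
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    user, pw = "alice", "correct horse"  # constructed sample account
    # Username as salt: same user and password give the same record on every site.
    print(thread_scheme(user, pw) == thread_scheme(user, pw))
    salt_a, hash_a = kdf_store(pw)
    salt_b, hash_b = kdf_store(pw)
    # Random salt: two records for one password differ, yet each still verifies.
    print(hash_a != hash_b, kdf_verify(pw, salt_a, hash_a))
    print(f"one KDF guess costs about {relative_cost():,.0f} fast-hash guesses")
```

A value hashed in the browser is what the server receives as the credential, so the server-side record still needs its own salted, slow hash over it.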

TSM 06-10-09 11:23 AM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by Kinvig (Post 2054585)
[tech derail]




Yup, I hash using either username or email address. It's the one time on a website that I'll use javascript for "core" functionality as I don't want an unhashed pwd going back & forth between server & client.



You can't always rely on a client's browser maintaining 1 ip address for its session. Apps such as AOL seem to let the AOL browser use a roaming/floating ip address range - hence all the issues that you get with AOL users.

[/tech derail]

This is true, but if you check for the proxy header, you should then be able to change the hashing method. If all else fails, i usually make it possible to disable bind to ip.

Owenski 06-10-09 11:40 AM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by -KINGVIG-TSM (Post 2054590)
Bla bla bla tech'y bolarx bla bla bla mind melted, now cream pie'd

lol, I'm sure it made perfect sense to you guys but that totally went over my head rofl.

Warthog 06-10-09 12:42 PM

Re: *urgent* anyone else heard about the password leak?
 
Quote:

Originally Posted by TSM (Post 2054028)
naa, I've confirmed it's you, sure you remember who you are :p

I'm Spiderman aren't I? :-P

