- 11-07-2008 #1 Linux Newbie
- Join Date
- Jul 2008
- Location
- Anaheim, CA
- Posts
- 114
List of compromised accounts
first, here's the article. Apparently, a hacker in Texas collected this list of accounts, with passwords (the passwords aren't on the PDF), and released them on a public hacking forum to gain notoriety among its members. An Australian ISP stumbled across the site looking for fraud sites, apparently. There are about 9600 names on the list.
- 11-07-2008 #2
Glad to see none of mine were on there. I really don't think about these things so I'm clueless as to how someone would get this info. Heck, it's all I can do to retrieve my password on accounts where I've forgotten it, much less tackle trying to discover it on an account out of the blue I've never had contact with.
- 11-07-2008 #3 Linux Guru
- Join Date
- Nov 2007
- Posts
- 1,695
"Heck, it's all I can do to retrieve my password on accounts where I've forgotten it, much less tackle trying to discover it on an account out of the blue I've never had contact with."
That's a major source of easy accounts - how hard is it to guess what your favorite color is and visit your MySpace page to find out what city you were born in?
- 11-07-2008 #4 Linux Newbie
- Join Date
- Jul 2008
- Location
- Anaheim, CA
- Posts
- 114
well, if you put it that way!
actually, reading that article kinda made me wonder how he did it. unfortunately, i don't know much about internet security, besides making a strong password.
- 11-07-2008 #5
I suppose the more difficult you make your passwords, the more secure they are, but I've run into situations where I've made a password so secure I forgot it! I try to remember to write them down but sometimes "just know" I won't forget it and then do. The best passwords are long with a combination of numbers and upper and lower case letters. I change my passwords on a fairly regular basis unless it's for an Internet forum or something like that...
- 11-07-2008 #6
I think it is worth noting that those large bunches of passwords are usually not gathered because they were too easy. It's not that they were all "superman" or "123" ones.
What counts are the cases where large lists of unencrypted get "lost". Just look at the UK's state apparatus, which keeps losing approximately one medium with sensitive information per week in the Tube or a park.
I know a server hosting company whose admin made a backup of all server accounts by sending an email with a cleartext attachment to his private mail account. Too bad his home PC was running Windows and a trojan horse. Gotcha.
So, from my point of view, it is more important where and how the accounts are kept. I am not saying the choice of the actual password is unimportant, just that it might be irrelevant if entrusted to the wrong people (like most Web2.0 communities or governmental institutions).
Debian GNU/Linux -- You know you want it.
- 11-08-2008 #7
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
- 11-08-2008 #8
Hello elija,
your definition of "a few weeks" may differ, but here's to you
Work and Pensions Secretary James Purnell leaves red box secrets on train - mirror.co.uk
You don't get rid of good ol' traditions overnight.
Debian GNU/Linux -- You know you want it.
- 11-08-2008 #9
Well I get my news from Radio 4 - they haven't been talking about it and normally they go into great detail... and at great length... I guess they have been too busy talking about Ross and Brand going on the Sachs Offenders Register
Last edited by elija; 11-08-2008 at 10:23 AM. Reason: speling orrer
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
- 11-09-2008 #10
As a general note about password security, it's interesting that usually the greatest hole is the security questions. A password can be made fairly strong by ensuring a good mix of letters, numbers, and punctuation (and a good mix means one that is as random as possible), but security questions are generally very easy to find the answers to.
As has been said, the problem with random passwords is that they're easy to forget. But that's really what you need to do.
As far as leaking passwords, I've never been sure how exactly this happens. Passwords are never (or at least should never be) stored by the server as plaintext. Generally they are encrypted using a one-way hashing function, so that the original password is undeterminable from the hash.
DISTRO=Arch
Registered Linux User #388732
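
Posts #6 and #10 describe two ways an account store can be kept: as cleartext, or as one-way hashes. The following is an added example (not from the thread or any of its posters) showing what each kind of backup file contains if it leaks. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def hash_password(password, salt=None):
    """Return (salt, digest): a per-account random salt and a PBKDF2-HMAC-SHA256 digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive the digest from the login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_backup(accounts, hashed=True):
    """Serialize an account store the way a backup file (or a leaked list) would show it."""
    lines = []
    for user, password in accounts.items():
        if hashed:
            salt, digest = hash_password(password)
            lines.append(f"{user}:{salt.hex()}:{digest.hex()}")
        else:
            lines.append(f"{user}:{password}")  # cleartext: whoever holds the file can log in
    return lines


# Constructed sample accounts; two users deliberately share one password.
ACCOUNTS = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "correct horse"}

if __name__ == "__main__":
    for line in build_backup(ACCOUNTS, hashed=False):
        print("cleartext backup:", line)
    for line in build_backup(ACCOUNTS, hashed=True):
        print("hashed backup:   ", line)
```

A salted, slow hash keeps a leaked file from being usable as-is and hides which accounts share a password, but weak passwords can still be guessed offline, so password choice still matters.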



