
117 million LinkedIn Account Emails and Passwords Leaked Online


engine

4:14 pm on May 18, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



According to the data sample, although the passwords are encrypted, the hackers claim to have cracked a significant number of the 117 million passwords in only 72 hours.

LinkedIn says that the original hack in 2012 was for a much smaller number of passwords, and it dealt with that back then with a mandatory password reset for the accounts it believed were impacted. Although this new issue is not a new hack as there is no evidence of that, according to LinkedIn, the data set being offered is now a much larger number of accounts.

Don't wait for LinkedIn to contact you - go and change your password now!

We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.

117 million LinkedIn Account Emails and Passwords Leaked Online [blog.linkedin.com]

JAB Creations

12:52 am on May 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Want to make your salt and pepper (you're using two strings, riiiiiight?) more effective when encoding passwords? Serve your site as XHTML5 (application/xhtml+xml) and when PHP's htmlspecialchars() function doesn't cut it get the hex code, determine the character used and add it to your salt-and-pepper encoding of passwords. It's not difficult to wildly complicate the crap out of a hash encoding... think about it, how many times a day do people in real life over-complicate the crap out of something simple? This is when you're actually supposed to be abusive, enjoy it for once people!

John
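As an added example (not code from the post above, from PHP, or from LinkedIn), here is what "salt and pepper" password storage looks like when the pepper stays out of the database and the hash is a deliberately slow KDF, alongside the single unsalted fast digest that lets a leaked table be cracked in bulk. The pepper value and iteration count are constructed placeholders.

```python
"""Salt-and-pepper password storage with a slow KDF (added example; not code
from the forum post, from PHP, or from LinkedIn).

- salt:   random per user, stored beside the digest in the database
- pepper: one secret server-side value, kept in config and out of the database
- KDF:    PBKDF2-HMAC-SHA256 with many iterations instead of one fast digest
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder values: load the pepper from server config, and tune
# the iteration count so one verification costs a noticeable fraction of a second.
PEPPER = b"constructed-pepper-from-server-config"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def fast_unsalted(password: str) -> str:
    """The weak scheme: one fast digest, no salt. Two users with the same
    password get the same row, so a leaked table is cracked in bulk."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The pepper enters as an HMAC key, so database
    rows alone are missing an input the attacker needs."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def rows_collide(password: str, salted: bool) -> bool:
    """Do two users who picked the same password end up with identical stored
    values? True for the unsalted scheme, False once each row has its own salt."""
    if not salted:
        return fast_unsalted(password) == fast_unsalted(password)
    (_, row_a), (_, row_b) = hash_password(password), hash_password(password)
    return row_a == row_b
```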

martinibuster

3:55 am on May 19, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Insisting on good security is a poor user experience?
I did a site audit for a company and noticed their password requirements were weak. They balked at requiring difficult-to-guess passwords and a minimum number of characters because they felt it was a poor user experience.

This had nothing to do with SEO but I felt it merited mentioning since getting hacked could be catastrophic to a business.

bill

4:40 am on May 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is a pretty old breach. Hopefully people whose data was taken have done some routine password maintenance since 2012...

Panthro

12:48 pm on May 19, 2016 (gmt 0)

10+ Year Member



Nice, maybe I can find my pw now

engine

1:20 pm on May 19, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The breach goes back to 2012, and it was thought that a much smaller number was stolen. However, this indicates it was a much bigger breach than first thought.

It's not just the fact that the same passwords may be used on other sites, but an e-mail address can give thieves pointers to other services, and, of course, help towards identity theft.

smilie

5:47 pm on May 19, 2016 (gmt 0)



>> @JAB Creations how many times a day do people in real life over-complicate the crap out of something simple? This is when you're actually supposed to be abusive, enjoy it for once people!

No. Don't do it, people. If you are NOT A BANK (or for god's sake, a .gov), don't overcomplicate passwords.

Making someone type lower/upper, two numbers and a symbol, and making someone change a password every month --- right there is a DEATH to your business. Nobody is going to remember your complicated passwords. Are you sure your business is THAT important?

>> @martinibuster: Insisting on good security is a poor user experience?

Yes, it is. If you are not a bank and don't store credit cards, extreme security is a kiss of death.

I have now to remember over 150 passwords. Have been doing business online for a lo-o-o-ong time. It is IMPOSSIBLE to remember 10, let alone 150. Now, try to remember which one's which and how each webmaster decided to restrict it.

Basically by now everyone should assume their email and passwords are wide open out there to be stolen. So use multiple. Use your private email and a strong password for financial info. Use throw-away, chit-chat email and whatever for everything else.

But for god's sake, dear webmasters, don't over-complicate passwords.

martinibuster

6:56 pm on May 19, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yes, it is. If you are not a bank and don't store credit cards, extreme security is a kiss of death.


Agreed! This was for a company for which credit cards and security were essential.

lucy24

7:42 pm on May 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



a company for which credit cards and security were essential

I thought we were talking about LinkedIn? They sent the same mass mailing to everyone, including the people on free accounts that sure as ### never gave them any credit-card information.

I couldn't remember my LI password, and had to consult the Keychain, which managed to have four separate LinkedIn entries over the years. (I deleted them all, to avoid confusing myself in the future.) Surely That Other Platform has an equivalent storage system?

JS_Harris

2:45 am on May 20, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Forget going to change your LinkedIn password if you rarely use the service, the safer thing to do is close the account. If you insist on keeping it then make it an incredibly difficult one such as the salt key for a wordpress installation. You know where that salt is within your files and can copy-paste it from there + you can make a mental note to change, say, the 4th character to a 6 after you paste it. Good luck cracking that even with a robust system.

2Wla{0(.h%mWk87",!m@Bj$bP-)=,Rm3&n^4 <---- much better than 'crackthis' or some such.

Just don't ever store the password in a built-in password protector, crooks know to look there.

lucy24

5:22 am on May 20, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



crooks know to look there

If someone breaks into my house, physically removes my computer and brings it to someone with the savvy to extract its administrator password,* I think my LinkedIn password will be pretty far down on my list of worries. But then, the only reason I've got a LI account at all is that you don't decline an invite from your 80-year-old father. Never use it for anything.


* In this neck of the woods, crooks aren't of a caliber to know how to do both.

eek2121

6:23 am on May 20, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



LinkedIn made me change my password today...sounds legit.

engine

8:46 am on May 20, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I have now to remember over 150 passwords.

Why try? If you have that many passwords you can use a system, such as KeePass, to do it for you.

Yes, it's LinkedIn, but don't miss the point that identity theft is worth a great deal, even if that includes an e-mail. Identity thieves are persistent, and know what to look for to build a profile, and they will find the weakest link. It's a complicated crime, with high rewards, but it can be done without physically breaking into anyone's property. It can be done from their bedroom.

Webmasters have a duty to protect their users' data, but it's often the user that can make it easier for the thieves with weak passwords.

ergophobe

6:36 pm on May 20, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>>such as KeePass

- Get a password manager
- use a complex password and two-factor authentication with it
- use it to generate long, random passwords
- never use the same password twice

That's just the basics for 2016. If everyone did just that, though, it would make these breaches way less serious.

Where the breach becomes a problem is when you use your LinkedIn password as your email password and they get in there and then start doing password resets for your bank account, which they now intercept and so on and so on.

Jonesy

7:45 pm on May 21, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



What was strange to me was that LI sent the "change your password" message to my LI account email addy AND to 4 _other_ email addy's I have! At first that made it look a lot like a spam run. They had no business knowing of or using those.

Jonesy

ergophobe

7:04 pm on May 22, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They constantly ask you if you want to connect this or that address book. If you've ever done that, they know that account and possibly your other accounts if they're linked... in... so to speak

Jonesy

4:49 pm on May 23, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



True about that. But, I have NEVER rolled over and exposed my address book to them. I do my email with alpine on a FreeBSD VPS -- using a wildcard email account. However, a few "friends" have obviously done that as I have received invitations to 'connect' on email addy's that are NEVER used with LinkedIn. I'm sure it would be an easy task for LI to associate those email addys with my account email, and that is probably what has happened. sigh...

typo correction due to sticky "T" key...

engine

4:53 pm on May 23, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Jonesy, it could be a mobile version of LI that has connected those. It's one reason I dumped LI from my phone. I hate it when apps do that and automatically connect accounts and contacts! It takes ages, or is impossible trying to unravel it again.

smilie

6:17 pm on May 23, 2016 (gmt 0)



@engine: Why try? If you have that many passwords you can use a system, such as KeePass, to do it for you.

I am using one, won't tell which one. It's inconvenient in that once you use it for a few months, you start forgetting passwords and stop being able to log in yourself.

>> @ergophobe: Get a password manager use a complex password and two-factor authentication with it . use it to generate long, random passwords ... That's just the basics for 2016

Are you going to be using your one computer forever? What about: mobile, desktop, 5 laptops, office PCs, friend computers etc. etc. Are you going to log in to some remote password manager there? What about if your PC crashes and dies, what's your contingency plan?

If you generate random encrypted passwords, I can guarantee you are going to lose access to some places. You are lucky if it isn't your strong password generator and email.

>> @Jonesy: I have NEVER rolled over and exposed my address book to them

Pleeease, folks. It's 2016. They can find ways to get to your address book. They can buy that, it can be stolen by a hack, virus or adware, or some "social" "plugin". etc. etc. If you have more than 3 friends you are in one of their social databases.

I have seen hackers trying to break into my server via dictionary attack using one of my throw-away passwords. I know they know it is mine, there's just no other way. So these "social" sites not only just leaked emails, they leak connections as well.

ergophobe

6:27 pm on May 23, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



smilie - I'm definitely not going to answer those questions in a public forum, but all those problems are solvable and none of those worry me. And yes, I can get and have gotten locked out temporarily until able to go to my fallback. So I couldn't get into my email for a few hours. Big deal.

Is there inconvenience? Yep
Is it bombproof? Nope
If someone really wanted to hack me, could he? No doubt

My feeling is that it's like a gazelle on the Serengeti. You don't have to be fastest gazelle in the herd, you just have to be faster than the slowest ones. But sometimes the lion appears at just the right time and place to catch and eat the fastest gazelle in the herd.

I don't go crazy over the top in a way that causes huge inconvenience, but I try not to be the easiest catch in the herd.

bill

8:25 am on May 24, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Are you going to be using your one computer forever? What about: mobile, desktop, 5 laptops, office PCs, friend computers etc. etc. Are you going to log in to some remote password manager there? What about if your PC crashes and dies, what's your contingency plan?

There are fairly secure ways you could remotely access or back up password stores. These days it's probably more secure not to know most of your own passwords.

ergophobe

4:45 pm on May 24, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



more secure not to know most of your own passwords.


The password always was and always will be a terrible means of authentication. It has long been a goal in security circles to find a way to turn back the clock and start over in a world without passwords. The problem is, especially in the case of weak passwords, it is convenient.

The stated goal (can't find the reference, but read this in the last week) that Intel has which motivates their True Key password manager is a three-step process:

1. Get people to use a password manager
2. Once doing that, there is no advantage to a weak over strong password, so the next step is to get people to use long, complex, random passwords
3. Once they don't know and don't interact with the actual passwords, there is no advantage of passwords over other forms of authentication and you can actually rethink security intelligently.

But the first step is getting people to use a password manager.

True Key is supposedly aimed at the "app" problem where many password managers fail (i.e. authenticating you within applications other than browsers so you can truly manage all passwords).

True Key itself lets you sign in with facial recognition or fingerprint. Modern facial recognition systems require you to move around or make facial gestures so that someone can't present a high-res photo or, in a very high-stakes world, cut off your head.

ergophobe

4:50 pm on May 24, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This doesn't lay out the plan as outlined above, but here's an official Intel statement

"Our goal is the elimination of passwords altogether," says Mark Hocking, a vice president with Intel Security.
-- [usatoday.com...]