

Use a unique password for this site


Renegade:
SSL or not -- EVERY website you use, you need to use a unique password, so that if one site gets hacked, the bad guys don't learn your logins to other sites.
-mouser (March 06, 2015, 11:10 PM)
--- End quote ---

^ THIS!

I had one account compromised. It used a password that I used on 1 other site. Just 1 other site. 1.

Now, either the other site was malicious, or it was hacked, as the site the compromised account was on knew that some accounts had been compromised, while others were not.

So, you can imagine how that all goes and how the hackers try brute forcing sites with known account IDs/passwords.

db90h:
Still I prefer SSL, LOL.

The idea of everything I type, even drafts, going straight to any server in plaintext... Well, it bothers me.

DC is fine here since SMF is designed to operate w/o SSL by hashing the password on the client side. They don't use SSL on their own site.

However, it's not 'fine' as to where we are in society today, so it's just something to think about as the site is refactored someday.
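As an added illustration of the client-side hashing arrangement described in the post above (this is constructed example code, not SMF's or DonationCoder's own): the browser sends a digest instead of the password, so the password itself never crosses the wire, but on plain HTTP the digest is a reusable credential that a passive observer can resubmit verbatim. The second server shows the usual countermeasure, binding each login to a single-use server nonce. The digest scheme (SHA-1 over lowercase username plus password) is an assumption for the demo, not a claim about SMF's real scheme.

```python
import hashlib
import secrets

# Added example, not SMF's code. Constructed scheme: the browser sends
# SHA-1(lowercase username + password) in place of the password, and the
# server stores that same digest. (Assumption: SMF's real login scheme is
# not reproduced here; any digest that is a fixed function of the password
# behaves the same way for what this shows.)


def client_digest(username: str, password: str) -> str:
    """What the browser computes so the password itself never leaves it."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


class StaticDigestServer:
    """Accepts the static digest. Without TLS the whole form is visible to
    anyone on the path, and the digest itself is a reusable credential."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = client_digest(username, password)

    def login(self, form: dict) -> bool:
        stored = self.users.get(form["user"], "")
        return secrets.compare_digest(stored, form["hash"])


class ChallengeServer:
    """Same stored digest, but each login proves knowledge of it against a
    one-time server nonce, so a captured form cannot be resubmitted."""

    def __init__(self):
        self.users = {}
        self.pending = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = client_digest(username, password)

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def login(self, form: dict) -> bool:
        nonce = self.pending.pop(form["user"], None)  # single use
        if nonce is None:
            return False
        stored = self.users.get(form["user"], "")
        expected = hashlib.sha256((stored + nonce).encode()).hexdigest()
        return secrets.compare_digest(expected, form["proof"])


def challenge_form(username: str, password: str, nonce: str) -> dict:
    """Browser side of the challenge scheme."""
    proof = hashlib.sha256((client_digest(username, password) + nonce).encode()).hexdigest()
    return {"user": username, "proof": proof}


def demo() -> dict:
    password = "correct horse battery staple"  # constructed

    static = StaticDigestServer()
    static.register("alice", password)
    form = {"user": "alice", "hash": client_digest("alice", password)}
    captured = dict(form)  # what a passive observer on plain HTTP records

    chal = ChallengeServer()
    chal.register("alice", password)
    form2 = challenge_form("alice", password, chal.challenge("alice"))
    captured2 = dict(form2)

    return {
        "password_on_wire": password in form.values(),  # False: hashing did its job
        "static_login": static.login(form),             # True
        "static_replay": static.login(captured),        # True: digest reused as-is
        "challenge_login": chal.login(form2),           # True
        "challenge_replay": chal.login(captured2),      # False: nonce already spent
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The challenge variant stops replay of a captured login, but nothing else in the request (the post drafts mentioned above, session cookies) is protected by it, and anyone who obtains the stored digest can compute the proof without ever knowing the password.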

mouser:
Well, that's true, in part, but one would HOPE that any modern server would store their passwords in hashed format, not plaintext. The purpose of the hash, as you know, is to prevent it from being reversed back to its plaintext. Thus, if they get breached, they get no passwords.
--- End quote ---

That's a good point -- if a server is hacked and the server properly stored password hashes, your password is not instantly known.  However, with a list of password hashes, many passwords can be figured out.
Even if a hacked server wouldn't instantly expose your password -- let's remember that the hacked server, if not discovered immediately, could have new scripts run on it that would harvest passwords when you provide them to it.

Bottom line -- don't use the same password on different sites.  Use a password manager tool to help you create a nice long unique password for each site.

Personally I think SSL use on everything is overkill -- I prefer a more pragmatic approach: Never provide financial information on a connection that is not SSL -- but on simple non-critical website logins, I don't give it a second thought.  SSL is provided on DonationCoder using https (at non-trivial effort and expense I might add) as a courtesy to those who view it as important (even if I think it's overkill for most users).

[ps. I've removed the caps "WARNING" line from the subject of this thread since I think it would lead to confusion]

db90h:
Yea, rainbow tables are the term you are looking for ;). They are, again, hopefully, neutralized by appropriately salting the hashed password.

Certainly your operation is safe and warning caps removed with good reason.

A single password manager introduces a single point of failure, but is otherwise good advice.

The entirety of web traffic will be encrypted in time, whether it be via HTTP 5 or simple prudence.
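Worked illustration of the two posts above, mouser's point that a leaked list of password hashes is not the same as safety and db90h's point that per-user salting neutralizes precomputed tables. This is added example code, not anything from the forum software; the users, passwords and wordlist are constructed. It runs the same wordlist attack against an unsalted fast hash (where a table computed once cracks every user, on every site using the scheme, and two users with the same password are visibly identical) and against salted PBKDF2 records (where nothing can be precomputed and every guess costs a full derivation per user). The user with a manager-generated random password survives both, which is the practical reason for the "long unique password per site" advice.

```python
import hashlib
import os
import secrets

# Added example, not the forum software's code. Everything here (users,
# passwords, wordlist) is constructed for the demonstration.

WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football"]

USERS = {
    "alice": "password",
    "bob": "dragon",
    "carol": secrets.token_urlsafe(24),  # manager-generated, unique, in no wordlist
    "dave": "password",                  # same choice as alice
}

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs in seconds


def unsalted_md5(password: str) -> str:
    """Scheme A: a fast, unsalted hash. One fixed hash per password, everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_pbkdf2(password: str) -> str:
    """Scheme B: a random per-user salt plus a deliberately slow derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_by_lookup(leaked: dict, wordlist: list) -> tuple:
    """Precomputed table (the simplest form of a rainbow table): hash the
    wordlist once, then every leaked hash is a dictionary lookup. The work
    does not grow with the number of users or sites sharing the scheme."""
    table = {unsalted_md5(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Against salted records nothing can be precomputed: every guess is a
    full derivation, repeated per user, because each salt changes the output."""
    found, derivations = {}, 0
    for user, record in leaked.items():
        for guess in wordlist:
            derivations += 1
            if verify_pbkdf2(guess, record):
                found[user] = guess
                break
    return found, derivations


def demo() -> dict:
    leaked_a = {u: unsalted_md5(p) for u, p in USERS.items()}   # breach of scheme A
    leaked_b = {u: salted_pbkdf2(p) for u, p in USERS.items()}  # breach of scheme B
    found_a, work_a = crack_by_lookup(leaked_a, WORDLIST)
    found_b, work_b = crack_salted(leaked_b, WORDLIST)
    return {
        "unsalted_duplicates_visible": leaked_a["alice"] == leaked_a["dave"],
        "salted_duplicates_visible": leaked_b["alice"] == leaked_b["dave"],
        "cracked_unsalted": sorted(found_a),
        "hashes_for_unsalted": work_a,
        "cracked_salted": sorted(found_b),
        "derivations_for_salted": work_b,
        "hash_ops_for_salted": work_b * PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same three weak passwords fall under both schemes, so salting is not a substitute for a strong password; what it buys is that the attacker's cost is paid per user and per guess rather than once for the whole leak, and real deployments use a far higher iteration count (or a memory-hard function) than the demo's 100,000.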

Stoic Joker:
The entirety of web traffic will be encrypted in time, whether it be via HTTP 5 or simple prudence.
-db90h (March 07, 2015, 11:37 AM)
--- End quote ---

Why? It's a total waste of processor time and effort, because privacy - as it is commonly understood - is currently and for the foreseeable future a complete myth. Sure, as mouser stated above, for banking and finance it is best to keep up the ruse and try to limit the number of bad people that wish to nose around in the affairs of others. But if the encryption that is to be used is not capable of keeping out all of the "bad people"...then it's really just a silly waste of time.
