[Discuss] KeePassX

Bill Horne bill at horne.net
Wed Jul 24 00:52:22 EDT 2013


On 7/24/2013 12:05 AM, Ben Eisenbraun wrote:
> On Tue, Jul 23, 2013 at 11:16:06PM -0400, Bill Horne wrote:
>> Since my password isn't in a dictionary, and doesn't contain any common
>> substitutions that would allow for guessing, I'm not concerned about the
>> breach.
> Dictionary attacks are kind of... passe. It's all password lists culled
> from the numerous other cracked sites and targeted brute force GPU
> cracking these days:
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
>
> But your basic strategy works okay provided you never reuse a password,
> since you can't really ever know what the security on the other side of
> a web page you didn't write looks like. Ubuntu salted and hashed their
> passwords, but plenty of sites just store them in plaintext or use fast
> hashing schemes like MD5 which are quick to brute force with a GPU
> cracking tool.
>

Point taken.

My old password was just for "I don't care" sites, such as yahoo groups, 
where it wouldn't matter much if it /were/ hacked, since all anyone 
could do would be to post a message pretending to be me, to people who 
don't know me anyway.

However, the more I thought about it, and the places I'd used it, the 
more I hastened to get the passwords changed. We've all heard about the 
"Help! I got mugged on vacation!" scams, and although I'm ever-so-eager 
to find out which of my email contacts would rush to Western Union and 
wire thousands of dollars to <random foreign city>, I don't /have/ any 
email contacts on any of the sites I've used that password for - but I 
realized that they might have been auto-collecting addresses I sent things to.

The arms race continues.

Bill

-- 
Bill Horne
339-364-8487
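The quoted point about Ubuntu salting and hashing versus sites that store plaintext or fast MD5 is worth seeing in code. The following is an added example, not code from either poster: it contrasts an unsalted MD5 store (where every account with the same password yields the same digest, so one entry in a leaked-list lookup table unlocks all of them) with a salted, deliberately slow PBKDF2-HMAC-SHA256 record, and it measures the per-guess cost of each so the "quick to brute force" claim is visible. The sample passwords, the lookup table and the record format are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample inputs (not from the thread).
SAMPLE_PASSWORD = "correct horse battery staple"

# Constructed stand-in for a "password list culled from other cracked sites":
# digest -> plaintext, as a cracker would build it once and reuse everywhere.
CRACKED_LIST = {
    hashlib.md5(b"password").hexdigest(): "password",
    hashlib.md5(b"letmein").hexdigest(): "letmein",
    hashlib.md5(b"qwerty123").hexdigest(): "qwerty123",
}


def md5_unsalted(password: str) -> str:
    """The weak scheme: fast, unsalted MD5.

    Identical passwords give identical digests, so a leaked digest can be
    looked up in a precomputed list with no hashing work at all.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_in_cracked_list(digest: str) -> Optional[str]:
    """Instant 'crack' of an unsalted MD5 digest via the constructed list."""
    return CRACKED_LIST.get(digest)


def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """The sound scheme: per-user random salt plus a slow, iterated KDF.

    Record format (constructed for this example): algo$iterations$salt$dk.
    The salt defeats shared lookup tables; the iteration count makes each
    guess cost hundreds of thousands of SHA-256 compressions.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_per_guess(hash_fn: Callable[[str], str], guesses: int) -> float:
    """Rough per-guess cost of a scheme on this machine (single CPU core)."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    digest = md5_unsalted("letmein")
    print("unsalted MD5 digest:", digest, "-> list lookup:", lookup_in_cracked_list(digest))

    rec1 = pbkdf2_record(SAMPLE_PASSWORD)
    rec2 = pbkdf2_record(SAMPLE_PASSWORD)
    print("same password, two PBKDF2 records differ:", rec1 != rec2)
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, rec1))
    print("verify wrong password:  ", pbkdf2_verify("wrong", rec1))

    md5_cost = seconds_per_guess(md5_unsalted, 10_000)
    kdf_cost = seconds_per_guess(pbkdf2_record, 3)
    print(f"MD5: {md5_cost:.2e} s/guess, PBKDF2: {kdf_cost:.2e} s/guess, "
          f"ratio ~{kdf_cost / md5_cost:,.0f}x")
```

The ratio printed at the end is the defender's lever: a GPU rig that tests billions of MD5 guesses per second is reduced to a small fraction of that against a salted, iterated KDF, and the salt means the work has to be repeated per account rather than once per leaked list.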