Aaaaaaaaand they're OFF! Encrypted (unsalted? unhashed?!) passwords are out of the gate, heading into the first turn toward potential decryption by cybercrooks. Anybody care to place bets on how many of those passwords are reused on other sites?
Guess how many times "123456" was used as a password by users. If you answered "close to 2 million times," you win! Now guess which online dating service has decided to protect customer passwords with salting and hashing in the future.
Following our popular article explaining what Adobe did wrong with its users' passwords, a number of readers asked us, "Why not publish an article showing the rest of us how to do it right?"
Here you are...
Blessed be Facebook for using this real-world example to 100% back up Naked Security when we proselytize about the evils of password reuse. And if you're worried that Facebook's mining of breached Adobe customer records and quarantining of users is Big Brother-ish, fear not: the company didn't have to store passwords in clear text or pull any other boneheaded security move to know just what its customers' reused passwords are.
Chet and Duck are here with their weekly roundup of news, opinion, advice and research.
Take a listen to our weekly 15-minute podcast on computer security - Chet Chat Episode 123.
Which pets make the best/worst passwords?
How many times did Google make the same coding blunder?
Find out this and more in our one-minute wrapup of the week's security lessons!
Learn how cryptanalysts think, and why cryptographers feel such terrible dismay when companies that really ought to know better make mammoth mistakes.
Paul Ducklin deconstructs the data leaked in Adobe's latest megabreach...
The crooks who pilfered Adobe's source code are likely the same ones who went on to exploit Adobe ColdFusion code to breach the PR Newswire press release service.
Who's "Paunch"? What happens when you arrest him? How do you win $100k from Microsoft? Could there really be a backdoor in Adobe's code?
Find out the answers in this week's episode!
A wild ride this week, with Patch Tuesday turning 10, Adobe "going open source" by losing 40GB of code, and Silk Road operator Dread Pirate Roberts getting locked in the brig.
Chet and Duck turn their amusing but insightful attention to the latest security stories...
Who was Dread Pirate Roberts, and where is he now? What happened in Adobe's latest network breach? What is "cryptographic chutzpah", and how do you show it?
Find out in the latest 60 Second Security...
Today, it's Adobe's turn to attend confession.
The multimedia giant has owned up to getting pwned, admitting that "attackers illegally entered our network."
But just how clear is its breach notification?
There has been a whole lot of talk over the past week about BREACH, a newly-documented attack against HTTPS.
Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...
A US Attorney has announced charges against five men in connection with one of the biggest global data theft campaigns ever seen. Accused of working alongside Albert Gonzalez, currently serving 20 years in jail for his role in several waves of data breaches, the gang's activities may have cost their targets hundreds of millions of dollars.
Did you miss anything in the past week?
Here's a recap of the hot 22 stories of the past seven days, so you can catch up quickly!
It's Saturday, and that means *60 Second Security*, where we aim to touch on some of the more thought-provoking security topics of the past week in just one minute of video.
Why not give this week's video a go?
Norwegian-based browser maker Opera has announced a network intrusion.
Users *may* have been infected with malware by an Opera update.
Paul Ducklin offers advice on what to do...
Domain registrar and web hosting company Name.com, part of the Demand Media group, has suffered a data breach.
Crooks have apparently made off with data up to and including credit card numbers...but it sounds as though everything was encrypted, which is a silver lining.
Fortunately, the few passwords that were nabbed were salted and hashed. Also, the company doesn't request sensitive information such as Social Security Numbers and doesn't store financial data such as credit card numbers or bank accounts.
Kudos for good security practices, guys.