Formspring is the latest in the seemingly unending list of websites to have suffered a security breach – with the password hashes of at least 420,000 users compromised and posted to the internet.
A blog entry posted by Formspring’s CEO and founder Ade Olonoh explains that the passwords of all 28 million users have been disabled (after all, only 420,000 have been posted on the net – but who knows how many the hackers may have accessed?).
According to the firm, usernames and other identifying information were not published alongside the stolen password hashes. Furthermore, in a positive sign, users were told that the SHA-256 hashed passwords were salted (so a single precomputed table cannot be reused against every account) – and that Formspring is now tightening security further by moving to bcrypt, a deliberately slow scheme whose tunable work factor makes each offline guess far more expensive than a single SHA-256 computation. Salting alone does not slow down an attacker who simply tries a dictionary of common passwords against each leaked hash in turn.
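To make the salted-SHA-256 versus bcrypt point concrete, here is an added example (my code, not Formspring's, and no reflection of how their systems were built). It builds a constructed "leaked" table of users, runs the same offline dictionary attack against it under two hashing schemes, and counts the hash computations spent. Because bcrypt itself needs a third-party package, the work-factored scheme is stood in for by PBKDF2-HMAC-SHA256 from the standard library; it has the same shape as bcrypt's cost parameter, which is the property that matters here. All user names, salts, passwords and the wordlist are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed wordlist standing in for the dictionaries attackers run against a
# leaked dump. Not from the Formspring incident.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]


def sha256_salted(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt || password (the scheme the post says Formspring used).

    The salt stops one precomputed table from covering every user, but each
    guess still costs a single fast hash, so per-user dictionary attacks stay cheap.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_hmac_sha256(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Work-factored hash, used here as a stand-in for bcrypt.

    Like bcrypt's cost parameter, `iterations` sets how much work every guess costs.
    Verifying one login stays cheap; cracking millions of leaked rows does not.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_records(users, hash_fn):
    """Build a constructed 'leaked' table: user -> (salt, digest)."""
    return {user: (salt, hash_fn(pw, salt)) for user, (salt, pw) in users.items()}


def crack(records, hash_fn, wordlist=WORDLIST):
    """Offline dictionary attack against a leaked table of (salt, digest) rows.

    Returns ({user: recovered_password}, hash_computations). The second value is
    the quantity a slow hash multiplies; the first shows that salting on its own
    does nothing for users who picked a dictionary word.
    """
    found = {}
    work = 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                found[user] = guess
                break
    return found, work


# Constructed accounts with fixed salts so the run is reproducible. A real system
# draws each salt from os.urandom(16). alice and carol share a password on purpose.
USERS = {
    "alice": (b"salt-alice-0001", "letmein"),
    "bob":   (b"salt-bob-000002", "Tr0ub4dor&3-unique"),
    "carol": (b"salt-carol-0003", "letmein"),
}

if __name__ == "__main__":
    import time
    for name, fn in (("salted SHA-256", sha256_salted),
                     ("PBKDF2-HMAC-SHA256 (bcrypt stand-in)", pbkdf2_hmac_sha256)):
        records = make_records(USERS, fn)
        t0 = time.perf_counter()
        found, work = crack(records, fn)
        dt = time.perf_counter() - t0
        print(f"{name}: recovered {found} with {work} guesses in {dt:.3f}s "
              f"({work / dt:,.0f} guesses/s)")
```

Both runs recover the same weak passwords with the same number of guesses; the difference is the wall-clock cost of each guess, which the work factor raises by orders of magnitude. Note also that alice and carol share a password but get different digests, which is what the salt buys and all that it buys.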
Formspring also says that it has identified the security hole that allowed a hacker to breach its systems:
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database."
To their credit, Formspring appears to have dealt with the security breach quickly and fairly transparently.
There are undoubtedly lessons to be learnt from the hack – and users would be wise to ensure that they take heed of the advice to use unique, hard-to-guess passwords on different websites – but I’m much more impressed with how Formspring has handled this incident than, say, LinkedIn.
If you’re interested (and you should be!) listen to Naked Security stalwarts Paul Ducklin and Chet Wisniewski discussing password complexity and reuse in this podcast:
(Duration 14’35”, size 10.5MBytes)
Is there a repository of hacked accounts so admins can search for @mycompany.com to see if anybody in their firm is impacted? Because inevitably some users of that site have the same password for their corporate network…
And to see the exact opposite, a French newspaper had a bug in its comment system that was giving away your password in clear text in a Google-indexed URL. They took two days before doing something, and tried to blame a hacker.
Given the number of forums and websites one can belong to, how is one supposed to remember or store many “unique and hard to guess passwords” in a secure manner without either writing them down or using a browser password saver?
Another question is: is what most people post on forums worth it?
"how is one supposed to remember or store many "unique and hard to guess passwords" in a secure manner without either writing them down or using a browser password saver?"
You're not supposed to remember them all. Just use KeePass or LastPass. Or use some kind of algorithm to generate passwords from the sites' names.
…or, if you're running Mac OS X, you can use KeePassX.
@dekks,
Quite easily: use a software package like KeePass or LastPass with a strong master password.
You only need to remember one password (master password) and you can copy and paste your website password(s).
No need to remember many, also means no excuse not to use different passwords.
I respectfully disagree with using password managers. They can be hacked.
I use an electronic memory typewriter, which I can update at any time and print a list of passwords, website names, usernames, logins, etc. I keep backup hard copies in a safety deposit box, among other secure places.

When not in use, the lists are kept under lock and key. The memory module to the electronic typewriter can be uninstalled, or a backup uploaded to a flash card, and I can delete everything on the typewriter, and restore it if needed. The flash card can be stored in a secure location, and so can duplicate backups.

The typewriter has no Internet connectivity, and no networking ability. It CANNOT be hacked at all. The typewriter can be locked up too when I go out to lunch or leave the premises for any reason.

These are the ONLY secure methods I know of to have, maintain, and secure passwords and logins. Anything else is less secure.
Can someone read the impacts on your ink ribbon? I would think that ribbon you have there is a nice log of everything you typed recently...
You have to draw a line in the sand between usability and security. It's a trade-off.
I'm sorry Robert, but your average Joe isn't going to use something as complicated as an electronic typewriter. It's just too hard. We need to encourage methods that are more secure than password reuse, but not so secure they aren't used.
I agree, your method is more secure due to a lack of connectivity, but it too can be "hacked".
What if you forget and leave it on your desk and head off to make a cuppa? You say you won't, but one day you will, and it's more likely this will happen well before someone hacks my master password in KeePass.
Use Password Safe (passwordsafe.sourceforge.net); it's free, open source and portable.