Tuesday, April 30, 2013

LivingSocial password breach

Why LivingSocial’s 50-million password breach is graver than you may think | Ars Technica: " . . . SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithms, it's designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2. In another understatement, O'Shaughnessy added: 'We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).' It's unfortunate company officials weren't more insistent on this point. Based on everything we know about modern password cracking, it will be trivial for the attackers to crack a large percentage of the LivingSocial passwords. Since the breach also exposed customer names and e-mail addresses, attackers can then try those passwords on other accounts held by the victims and easily access those that match. (The Washington, DC-based LivingSocial, which is partly owned by Amazon, is requiring all account holders to change their passwords.) . . ."
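To make the excerpt's point about fast hashes concrete, here is an added example (not from the Ars Technica article or from LivingSocial) that stores passwords with PBKDF2, one of the alternatives the article names, and measures how much more one guess costs than a single SHA-1 pass. The record format, the iteration count, the salted SHA-1 comparison function and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumption: work factor picked for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000

def fast_sha1(password: str, salt: bytes) -> bytes:
    """One pass of salted SHA-1: cheap for the site, equally cheap per guess."""
    return hashlib.sha1(salt + password.encode()).digest()

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16)  # unique per password, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # a malformed record never authenticates
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)

def needs_rehash(record: str) -> bool:
    """True when a stored record uses a lower cost than the current setting."""
    return int(record.split("$")[1]) < PBKDF2_ITERATIONS

def cost_ratio(rounds: int = 5000) -> float:
    """Time of one PBKDF2 guess divided by time of one salted SHA-1 guess."""
    salt, pw = os.urandom(16), "constructed-sample-password"
    start = time.perf_counter()
    for _ in range(rounds):
        fast_sha1(pw, salt)
    sha1_each = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return (time.perf_counter() - start) / sha1_each
```

Calling `needs_rehash` after a successful login lets a site raise the work factor over time by re-hashing the password the user just supplied.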
