Increased database password encryption

[Rebs]

  What do you mean?

[BlackVice]

Remember, using a weak password is not much worse than using the exact same strong password everywhere. ^^

QFT

and that's just what I do - use a dumbass password across all sites at which I can afford to "share" my account on, i.e. for mostly read-only content.

id like to point out tho, your account on BakaBT isnt a "read-only content" sort of account. If anyone did anything to your account, which resulted in you getting not only the account banned, but also the IP banned...

while others may know ways to get past that...well, not everyone.

[Excel]

Ok, one question,
how is a better encryption going to change anything?

The passwords are shit, and when dictionairy attacking all of those passwords will most likely be in the top 100 of the dictionairy.
(Except for dragon, shadow, gundam, pokemon and naruto).

But in the end, since a dictionairy attack does not rely on reading anything from the database at all,
it doesn't even matter whether the passwords are encrypted with an extremely strong algorithm or not at all...

[blubart]

in case someone gets somehow his hands on the db it won't be a matter of seconds to convert the md5 hashes of 3k users back to usable passwords?

[luuk]

1>how is a better encryption going to change anything?

2>But in the end, since a dictionairy attack does not rely on reading anything from the database at all,

1>Incase bakaBT has a leak in their code and you can perform injections to the database its not so easy to obtain the password(s).

2>Yes it does, it compares his "dictionary file" passwords (and users) to the databases.
But a well programmed system prevents these attacks by a limit on login attempts.

[Falaina]

I'm going to assume that passwords are stored using hashes and this list was determined via a test dictionary attack (please please let this be true).

With that aside, why are passwords unsalted? Additionally why would you provide a would-be attacker with a list of valid passwords for ~2000 user accounts?

[Chiyachan]

Well, actually, the passwords ain't hashed or anything.
They're all readable. If we wanted, we could download the entire list of usernames, passwords and email addresses.
When joining staff though we have to promise not to download it for personal gain, (such as selling it to advertising companies.)

[Natheria]

With that aside, why are passwords unsalted? Additionally why would you provide a would-be attacker with a list of valid passwords for ~2000 user accounts?

Because most of those passwords would be used by any would-be attacker without a second thought anyway, simply because there are so many people who actually do use lazy ass passwords like this (12345? qwerty? seriously? You do that kind of thing with an Xbox Live account, not here).  :'( Then these same people wonder why they keep getting viruses and then have to resort to using a mac. 

And if anyone in that list is still using the same password and not feeling bad about it, they deserve to get their account ratio leeched. Hence why they did this in such a public display, to get people to change their passwords.

[kurandoinu]

Then these same people wonder why they keep getting viruses and then have to resort to using a mac. 

Um, I'm sorry... but what? : /

[Rebs]

^ Let's not start the "PC v.s. Mac" discussion here people, please.

PC FTW, Hell Yeah!

[SomeoneElse]

I just don't get why someone would pay for linux... not only do they pay for linux... they pay for incremental updates to linux... WTF?

[Mirgond]

OS X is not Linux, it's a Unix :/ There is quite a difference...

[Xiong Chiamiov]

OS X is not Linux, it's a Unix :/ There is quite a difference...

Indeed, there is; OS X is actually a bastardized version of BSD, and you go tell a BSDer that he's using Linux and see what happens.

I'm going to assume that passwords are stored using hashes and this list was determined via a test dictionary attack (please please let this be true).

Yes, the passwords were hashed.

With that aside, why are passwords unsalted?

They aren't, any longer.

Additionally why would you provide a would-be attacker with a list of valid passwords for ~2000 user accounts?

They don't need our list to figure those out.  Did you *read* the list?

[Rebs]

Additionally why would you provide a would-be attacker with a list of valid passwords for ~2000 user accounts?

They don't need our list to figure those out.  Did you *read* the list?

  I can't believe that guy said that. He/she must have had a mormentary mental lapse

[Klocknov]

Additionally why would you provide a would-be attacker with a list of valid passwords for ~2000 user accounts?

They don't need our list to figure those out.  Did you *read* the list?

  I can't believe that guy said that. He/she must have had a mormentary mental lapse

Maybe his password was on the list, that could also be a reason.

[Rebs]

I also assumed that to be the case

[maldarthe1st]

Wow, never thought that people really used such crappy PassWords.

[furuoshiki]

Is there a way to use non-standard characters in passwords?

Such as: Bëírût?

It may be possible but I have never tried it.

[Rebs]

Is there a way to use non-standard characters in passwords?

Such as: Bëírût?

It may be possible but I have never tried it.

You raise an intriguing question...