
43M passwords hacked in Last.fm breach - runesoerensen
https://techcrunch.com/2016/09/01/43-million-passwords-hacked-in-last-fm-breach/
======
bigiain
Regular reminder that new users in general don't care at all about the
security of your site.

Most of your signups are not going to generate and store a secure password
"just to try you out", as evidenced by the most common password here "123456".
If you force people to signup to try your site/app, many (most?) of them are
going to use a crap password. If you're _lucky_ that'll be 123456, and not
their email/facebook/internet-banking password.

The answer isn't to try and force "good passwords" from users who don't care.
Remember, by definition - they don't care.

We need to start trying to not require users to come up with passwords until
they do care. Maybe just cookie me and let me tromp around as an
unauthenticated user until I do something that needs me to set up a password-
protected account. Maybe ask for my email and send me a login link that hooks
me into my account/data without me setting a password (let's face it, your
password security is going to fundamentally rely on the security of my email
account, 'cause your "forgot password" story says you'll happily send a
password reset link there, right?)

I know Start-up-de-jour desperately needs "signed up user numbers" for their
investor pitch, but that's not going to motivate me to stop using 123456 or
password123 as a password when startupdejour.io demands I create an account
just to look around.

~~~
grrowl
Emailing a single-use "sign in link" to a user (Slack calls these "Magic
Links") is the way forward. Yes, it moves the single point of failure to the
user's email account, but expecting the regular user to use (and remember)
unique passwords for each service is impossible -- they simply won't do it.
Plus, when/if your service is breached, you won't compromise all their other
accounts as well.
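The single-use e-mailed sign-in link that bigiain and grrowl describe, as an added example that is not part of either comment or of Slack's implementation: the server stores only a hash of the token with an expiry, so a leaked table contains nothing redeemable, and the token is burned on first use. The verify URL, the 15-minute lifetime and the in-memory store are assumptions for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed policy values for the illustration, not from any real service.
LINK_TTL_SECONDS = 15 * 60
VERIFY_URL = "https://app.example/login/verify"  # hypothetical endpoint


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkStore:
    # Keyed by SHA-256 of the token: a copy of this table cannot be replayed,
    # the redeemable secret only ever exists in the e-mail that was sent.
    pending: dict = field(default_factory=dict)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(store: MagicLinkStore, email: str, now: Optional[float] = None) -> str:
    """Create a single-use login link for `email` and return the URL to mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.pending[_token_key(token)] = PendingLogin(
        email=email, expires_at=now + LINK_TTL_SECONDS
    )
    return f"{VERIFY_URL}?token={token}"


def token_from_url(url: str) -> str:
    """Extract the token from a link, as the verify endpoint would."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def redeem_link(store: MagicLinkStore, token: str, now: Optional[float] = None):
    """Return the e-mail the link was issued for, or None if the token is
    unknown, already used, or expired. A link redeems exactly once."""
    now = time.time() if now is None else now
    entry = store.pending.get(_token_key(token))
    if entry is None or entry.used or now > entry.expires_at:
        return None
    entry.used = True  # burn it before returning, so a replay fails
    return entry.email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = issue_link(store, "alice@example.org")
    print("mail this:", link)
    print("first redeem:", redeem_link(store, token_from_url(link)))
    print("replay:", redeem_link(store, token_from_url(link)))
```

Because only the token's hash is stored, the verify endpoint does a plain dictionary lookup and never compares the raw token, and because the entry is marked used before the e-mail is returned, a second click on the same link fails even if it arrives within the lifetime.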

~~~
jcrites
It's really a shame that we haven't solved this problem yet as an industry.

I was thinking we could build a general purpose version of "Magic Links" for
logging in, where the format of the email is well-defined, and the user's
browser is able to receive these messages on their behalf through some form of
integration. You could imagine a webmail provider offering some kind of
polling or websocket API for listening for when these messages arrive.

When the site they're visiting indicates through its web page that, "I'm
trying to authenticate you by email", then the browser can fetch recent
incoming messages of this type, then parse them and display UI chrome like
"Xyz.example.com wants to authenticate you". You click a button to log in
passwordlessly, which involves sending an HTTP request to a link specified in
the email. Coordination occurs on the server side and the login is allowed.

There are probably some details I'm not considering, but it doesn't seem like
it'd be too hard to build a prototype, and if standardized and deployed it
would eliminate the need for passwords. I gather that Mozilla Persona works
along similar lines, though I confess to not knowing the exact details. There
would be practical difficulties integrating all of these things together,
though: email, browser, and website login, and gaining adoption in the real
world.

There are also sites that don't require email on signup, but this feature
could be supported only for people who want to supply email. The email address
used for this feature could also be a different technical address unrelated to
the primary mailbox, where only login requests are sent. This could also help
expedite the email traffic to ensure it's real-time. The browser could
automatically fill in the email address when challenged by a website
supporting this login method.

Alternatively, perhaps a browser vendor could introduce a de facto standard
where sites can integrate via an API with the browser's password safe
features. Chrome can save passwords and synchronize them across devices. Maybe
it wouldn't be too hard for sites to comply with a microformat that helps the
browser understand when to generate a password on signup, and when to provide
it, etc.

~~~
kodfodrasz
You seem obsessed with one implementation. Passwords themselves are obsolete.

Actually the problem is already solved for at least a decade: Certificate
based authentication. Browsers support it. Try StartSSl registration, for
example.

~~~
bigiain
Yeah - but that's like saying "email security and integrity has been solved
for two decades", while _technically_ true, how many of you have talked your
mom through setting up PGP and had her then "just use it"? (or tried to
handhold a less-than-technical colleague through getting a StartSSL account?)

I'm pretty sure if any service less-technical than a CA authority starts
pushing wide-spread user-driven in-browser certificate-based authentication,
within days there'll be scammers and phishers faking the setup process to
install untrustworthy ssl root certs so they can mitm
Paypal/Facebook/everybody... How would _you_ explain to your mom the
difference between installing Pinterest's new authentication certificate, and
installing, say, the Charles Proxy ssl MITM cert?

~~~
drdaeman
> How would _you_ explain to your mom the difference between installing
> Pinterest's new authentication certificate

Actually, even with current terrible UIs, there's a reasonably big difference
between installing client certificate (there even used to be a <keygen> HTML
tag for those - although it's unsurprisingly marked as "deprecated" now) and
trusted CAs.

------
matt_wulfeck
I would like to see websites make password changing a simple and standardized
API call. That way integration with things like 1password will allow it to
automatically change the password with each login. Or I can schedule them all
to be updated every day, etc.

This drastically reduces the amount of valid logins from a dump that's even
just a few days old.

2factor is simply not enough (though I still want it for important logins).
Automatic password changing would be complementary.

~~~
dogma1138
>I would like to see websites make password changing a simple and standardized
API call. That way integration with things like 1password will allow it to
automatically change the password with each login.

There isn't really a need for a standardized API it would make things easier
but if 1password wanted it's not a very hard thing to do without it.

All you need is to do an HTTP request to change the password most sites allow
that to be done in a single request, CSRF might be an issue but non single
action forms are usually not protected or there is no need for that and there
are ways to bypass CSRF also.

For a company like 1password it wouldn't be hard to build a request profile
for say Alexa 500/1000 and automatically change the passwords once a breach
hits, I have a similar setup of several scripts that update the password for
various services I have by generating a random password in Keepass getting the
old password sending the password request post and updating the Keepass entry.

~~~
datguacdoh
LastPass does this. I actually used it about a year ago to automatically
change the passwords on about three dozen sites. It failed on two pages that
had recently been updated. It's a very useful feature though.

------
runesoerensen
_> The number of passwords and the severity of the hack was not uncovered
until today. The passwords were stored using unsalted MD5 hashing_

Enough said.

_> The most popular password pulled from the Last.fm database was 123456.
Seriously, it’s 2016 people_

Sure, but the breach was in 2012 TechCrunch. Better article:
[http://www.leakedsource.com/blog/lastfm](http://www.leakedsource.com/blog/lastfm)

~~~
jrowley
Also the bulk of the users signed up before that date. [0] Last.fm is one of my
favorite sites. Sad that it is dying :(

0. rough heuristic:
[https://www.google.com/trends/explore?date=all&q=last.fm](https://www.google.com/trends/explore?date=all&q=last.fm)

Edit: If anyone wants to add me on last.fm here is my profile!
[http://www.last.fm/user/joer14](http://www.last.fm/user/joer14)

~~~
rawrmaan
Wow! They had some great growth going on and it seemed to hit a wall hard
around 2008-2009. Any idea why?

~~~
anexprogrammer
Easy. CBS bought them late 2007. Dev and updates pretty much stopped. They
limited tracks you could play directly.

Then they killed radio.

I'm really sad to see it die, it was better at introducing me to new artists
than any other service before or since, and the radio was brilliant.

~~~
joecool1029
Oh you must have left awhile ago then. I agree they ruined the best music
discovery service on the web, but even without it the site was dated but
functional.. until last year.

Last year CBS decided the whippersnappers needed a redesign and took out
around 80% of the features and put the site into a perpetual beta state.

~~~
anexprogrammer
Didn't really give up until they had the fabulous idea to replace direct
streaming with playing poor match Youtube videos as radio. That killed radio
finally and made a non-functioning joke of the main reason I bought my
network music player.

Was mad about that as Last radio was my first choice for work listening.

The site was dated as they were frozen in 2008 - After CBS bought them there
was one update very soon after then the site didn't change at all until last
year. Minor updates and bug fixes only.

As for the update last year, pretty and vacant, doesn't bring back the things
I loved about the site, but lets me see lots of pretty graphs of things I'm
not interested in. I took a look at libre fm after that, but that's even more
abandoned.

------
DangerDOOM
>Hashing is a method for encrypting data

No it isn't.

> MD5 is seriously out of style

That's, err, one way of putting it.

> The most popular password pulled from the Last.fm database was 123456.
> Seriously, it’s 2016 people

These accounts were made more than four years ago...

> use a platform like LastPass

Yeah about that...
[https://news.ycombinator.com/item?id=9721212](https://news.ycombinator.com/item?id=9721212)

Poor reporting is poor. Why do I expect more from TechCrunch?

~~~
Sammi
Md5crypt Password scrambler is no longer considered safe by author:
[http://phk.freebsd.dk/sagas/md5crypt_eol.html](http://phk.freebsd.dk/sagas/md5crypt_eol.html)

Also a better way to explain hashing algorithms to the lay person is to call
them fingerprinting algorithms.

------
josteink
> it’s 2016 people — use a platform like LastPass to generate randomized,
> complex passwords that are unique to every service for which you sign up.

Another way to read this statement is that passwords simply don't work. We
need something different. Something better.

And from the comments we find this:

> I am a bit confused. The article states that this happened in 2012, why is
> it posted today? Something happened in relation to this breach?

I think this also needs much better clarification. What has happened since
2012 which makes this newsworthy now? And where is the LeakedSource report they
cite but never link to? Where can I get more info?

This is very bad reporting.

~~~
chriswarbo
> The number of passwords and the severity of the hack were not uncovered
> until today. The passwords were stored using unsalted MD5 hashing.

------
brian-armstrong
123456 is actually a /fantastic/ password if you don't care what happens to
the account. If you aren't going to the trouble of using a password manager,
and the account doesn't mean much to you, then using weak passwords like this
rather than your "good" password is a great idea. Save the entropy for your
email and bank accounts.

~~~
atdt
I see your point, but 123456 is still a stupid password. A brain-dead password
scheme like "1 <NameOfMyCat> <Domain>" (e.g., "1 Snuggles last.fm") is just as
easy to remember, won't show up in rainbow tables, is nominally difficult to
brute force, and you're more likely to be able to use it, as opposed to
'123456', which many sites will balk at.

(To be clear: I am not endorsing this scheme. It is superior to '123456', but
it is still bone-headed.)

~~~
vidarh
The point is that you should only use this kind of password in places where
you _really_ do not care about someone else getting access.

It doesn't really matter what it is. It matters that it's something you're not
for a moment tempted to think of as a "real" password and that you would never
dream of using for any account where a data leak would affect you, but merely
as a "they're stupidly asking me for a password for an account I don't care
about, so let's just give them this" token.

I'd lean towards agreeing with you that it's better to pick something else,
but only to slightly reduce the inconvenience of someone messing with your
account "just because".

------
AdmiralAsshat
Speaking of Last.fm, I really wish the thing had app-specific passwords as an
option. I've been shuffling between Linux music players as of late, with
Scrobbling as one of my requirements. Most of them have just required a login
and pass instead of using OAuth. It would be nice if last.fm let me authorize
them on an app-by-app basis.

------
yladiz
Man, I'm getting desensitized to the enormous numbers of accounts whose
information gets leaked when a platform gets hacked. 43 million here, 68
million there. I'm semi-joking, but at this point it's almost like I need
Facebook or Google level hacks (multiple hundred millions or billions) to
actually think, "This is _huge_."

~~~
elliotec
I've been thinking that for a while, but also how come it's never me? I've had
accounts with several hacked systems and sure I try to have pretty strong
passwords but... I appear to be safe every time.

Famous last words maybe, but then I'll just change my password?

~~~
yladiz
You may appear safe but you never know... Services like Google and Facebook
are pretty proactive about making sure unknown users can't access your account
easily -- meaning that if someone from Thailand tried to access your account
when you usually use it in the US from an unknown device, it'll generally not
allow the login. But other services aren't as proactive and may be
compromised, so it's definitely better to be safe. The best way is to use
unique passwords for every service (or use OAuth with a service provider you
trust), and a simple way to do that is with a password manager.

I personally recommend 1password, because they haven't had vulnerability
issues like LastPass and don't store passwords in their cloud, but they store
it in "your" cloud, e.g. iCloud, Dropbox, and it works very well on iPhone.
But at the minimum just using a separate password for everything is the best
way to mitigate these kinds of issues.

~~~
chmars
1Password is moving to its own cloud service … although you can still use the
traditional app with third party syncing for now.

~~~
yladiz
Really? That's one of the main reasons I chose 1Password... Here's to hoping
they keep both ways to sync!

------
StavrosK
It looks like our current approach isn't working. What if we had each site
publish its login/registration endpoints in a URL, e.g. .well-known/loginurls?

Then the password manager could detect you're trying to register or log in and
log you in itself, generating your password in the process. Why aren't logins
machine-accessible yet?

~~~
dogma1138
Password managers already do that, they just check for password type field and
the site.

Keepass does that; pretty sure all the others also do.

But again, what problem are you trying to solve? Using password managers is
easy as pie today including automating signup and generating passwords, most
people do not use them.

~~~
GolDDranks
I started using LastPass just the other day because the recent news made me
nervous.

It's NOT easy. The interfaces are clunky. I have to pay to get some basic
features like browser plugin. There's a lot of false positives (it suggests me
sometimes to save a password even if the field is not for passwords.)
Generating secure passwords is hard because some sites validate length and
charset only serverside and the poor manager has the invalid password already
saved. Some sites play tricks to discourage pasting passwords. More than once
I was unable to log in to LastPass's online vault because of a "temporary
error".

All in all, it was horrible, ergonomy-wise. I don't wonder at all why people
aren't using them.

~~~
toomanybeersies
I'm using lastpass and I haven't had to pay for the browser plugin.

I've been using lastpass for the past year or so, and I've had no real issues
with it ergonomics-wise. I can't even think of any sites off the top of my
head that have given false positives.

It does seem painfully slow and unresponsive sometimes though, which isn't
ideal. It's slow enough to disrupt my flow more than just typing in the same
password for every website.

~~~
GolDDranks
I could use the plugin for a trial period, but now it says that I have to be a
premium member? Maybe it's because I also installed the app to my smartphone,
thus my smartphone became the one device I can use the free version with?

~~~
nommm-nommm
Opposite. You can use the browser for free. Mobile costs money.

------
kevin_thibedeau
It would be nice if the EU would do something useful like require all sites to
hash salted passwords and prohibit the use of weak hashes for new accounts.
Instead we get the ridiculous cookie nag.

~~~
hkjgkjy
Being European and computer literate, I hope the EU stops creating stupid and
pointless internet laws

~~~
angry-hacker
Another vote from a fellow European to keep Brussel bureaucrats out of
internet.

They have no clue, or somehow good intentions always turn out horrible.

An old saying about countries that can't get together a government (like
ironically Belgium!) - it's best for the people to have a country
without the government because then they can't make more stupid laws.

------
finchisko
The tragicomic part is how they're enforcing password complexity:

    Your password is not strong enough. New passwords must:
        Be at least six characters long
        Contain one or more numbers
        Include at least one of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~, or a space

So password efZeLmur3ivio4t7 is not safe enough to be used by last.fm and they
use md5 without salt to protect it?

~~~
nathanaldensr
A password that follows that "security scheme" is _pass1!_ , which KeePass 2
reports as having a quality of 18 bits. _efZeLmur3ivio4t7_ , an illegal
password, has a quality of 86 bits. Whoever was responsible for that decision
should be fired. Either implement a _real_ password strength algorithm based
on entropy, or don't implement any except maybe minimum length.
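The quoted Last.fm rule checked against a crude entropy estimate, as an added example that is not from the thread or from Last.fm's code: `lastfm_rule_accepts` implements the three rules as finchisko quotes them, and `naive_entropy_bits` scores a password as length times log2 of the smallest character pool that covers it. That estimator is an assumption for the illustration; KeePass's quality meter (the 18-bit and 86-bit figures above) also models patterns and dictionary words, so its numbers are lower, but the ordering is the same.

```python
import math
import string

# The rules as quoted from the Last.fm password form in this thread.
MIN_LENGTH = 6
# The listed special characters, plus a space.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ")
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)


def lastfm_rule_accepts(password: str) -> bool:
    """True if the password satisfies the quoted complexity policy."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in DIGITS for c in password)
        and any(c in SPECIALS for c in password)
    )


def naive_entropy_bits(password: str) -> float:
    """Assumed estimator: length * log2(pool), where pool is the total size
    of every character class the password draws from. It ignores patterns
    and dictionary words, so it overstates real strength, but it is enough
    to show that the rule above does not measure strength at all."""
    chars = set(password)
    pool = 0
    for cls in (LOWER, UPPER, DIGITS, SPECIALS):
        if chars & cls:
            pool += len(cls)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def compare(candidates):
    """Map each candidate to (accepted_by_rule, naive_bits) for side-by-side review."""
    return {
        p: (lastfm_rule_accepts(p), round(naive_entropy_bits(p), 1))
        for p in candidates
    }


if __name__ == "__main__":
    for pw, (ok, bits) in compare(["123456", "pass1!", "efZeLmur3ivio4t7"]).items():
        print(f"{pw!r:22} rule accepts={ok!s:5} naive bits={bits}")
```

Even this generous estimator puts the rejected 16-character password at roughly 95 bits and the accepted `pass1!` at roughly 37, which is the mismatch the two comments above complain about: a character-class rule admits a short weak password and refuses a long random one, whereas a minimum length plus an entropy or pattern check would order them correctly.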

~~~
finchisko
not just fired, but shot dead :-)

------
xuejie
Yes, we could argue that user should use more secure password, but on the
other hand, I always wonder why startups these days are still busy rolling out
their own custom account management than leveraging OAuth or hosted solution
like Auth0. Seriously, in how many cases do we have a feature that is so
unique that is not available via these alternative solutions?

Even though I have 1password setup, I would be so reluctant to create new
passwords, I'm more willing to use OAuth whenever I can.

------
LinuxFreedom
Recommending a closed source cloud service to send all your passwords to in a
thread on HN about a closed source cloud service that lost all passwords is a
great way to demonstrate deep and fundamental knowledge about the principles
of software security!

------
ramblenode
> The passwords were stored using unsalted MD5 hashing

Ouch.

I guess on the bright side it won't be long before researchers have a new
dataset of plaintext passwords.

------
NamTaf
I spent 3 days off work a few weeks ago watching the Dota International and
spent the whole time searching through my emails for 'account',
'registration', etc. trying to find everything I'd ever signed up to and
finally move it all to a password manager because I really knew better and was
lazy for the past several years. It took 3 days of like 6 hours a day half
doing this to update all that I could think of and find. That ended up being
about 150 passwords in total.

Even still, I missed last.fm and probably a whole host of other ones that I'll
never remember. Passwords are a goddamn nightmare.

------
transfire
Please get rid of passwords. Thanks.

~~~
bigiain
I don't know who's downvoting you - but this is a really important idea.

As a new curious user of your new startup's website, I don't give a damn about
being "secure". I've probably given you a fake name and a stupid password just
so I can poke around and see if your site sucks any less than the other 5 or 6
new sites desperately craving my attention this morning.

If I can get in and look around without having to lie about my personal
details - you're _way_ more likely to get a "proper password" and my real
contact details if/when I decide I'm actually gonna add you to the list of
"stuff I use" instead of "crap I signed up for once and never went back again"
or "site I used a few times but none of my friends signed up so I stopped
going there".

~~~
bschwindHN
Probably getting downvoted because these comments are common and don't make
any suggestions on how to get rid of passwords.

------
CWuestefeld
Question about password best practices. Our site just went through pen
testing, as part of auditing for PCI compliance.

One thing we got dinged on was that we don't keep a password history, so that
the user can't revert to their previous password. The tester's report said,
"This, in turn, results in users utilizing a single password for a long period
of time, which may result in password disclosure"

It seems to me that this is the opposite of the truth. If I'm keeping a
password history, then in the event of a breach, there is that much more data
that would be leaking, potentially disclosing password data if we made a mistake
in the rest of how we handle it (hashing, etc.). And while I'm not a crypto
expert at all, it seems to me that if there's a list of salted, hashed
passwords, then given that the salt is a constant per user, an attacker would
have some leg up in discovering the original password if there were many
samples that included the same salt.

If I want to minimize the data I can disclose about users, I ought to minimize
the amount of data that I'm storing about them.

~~~
dspillett
It is a risk trade-off: letting the user reuse passwords used in the last X
months is seen as less risky than storing the last 12 passwords (assuming the
user is made to cycle their password monthly) _if_ you are storing the
credentials securely (if anything is plain or reversible, you need to fix that
ASAP).

Having 12 strongly salted+hashed password strings is not going to help an
attacker much compared to having 1, even if you use the same salt (though I've
not done the maths myself, you'll need to ask a crypto expert for actual risk
figures).

You could of course use a different salt per stored password instead of per
user, to mitigate this completely.

Remember that password reuse risk flows both ways: if they reuse the password
in your application and your application is well written with regard to
securely storing credentials, they may be reusing the same password in another
application that is less secure so you are more at the mercy of the password
data from elsewhere that is storing things plain.
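The per-stored-password salt dspillett suggests, worked through as an added example that is not from either comment: every history entry carries its own random salt, a candidate new password is re-derived against each old entry's salt before it is accepted, and only the newest entry is used for login. PBKDF2-HMAC-SHA256 with the iteration count and history depth shown are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration.
PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 12  # current password plus the previous eleven are remembered


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self):
        # (salt, digest) pairs, newest first; every entry has its own random salt
        self.entries = []


def set_password(acct: Account, new_password: str) -> bool:
    """Set a new password, refusing it if it matches the current one or any
    remembered previous one. Returns True when the change was made."""
    for salt, digest in acct.entries:
        # Each old entry must be re-derived with *its* salt to compare,
        # which is exactly why distinct salts cost nothing here.
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            return False
    salt = os.urandom(16)
    acct.entries.insert(0, (salt, hash_password(new_password, salt)))
    del acct.entries[HISTORY_DEPTH:]  # forget anything older than the window
    return True


def verify_password(acct: Account, password: str) -> bool:
    """Login check: only the newest entry is a valid credential."""
    if not acct.entries:
        return False
    salt, digest = acct.entries[0]
    return hmac.compare_digest(hash_password(password, salt), digest)


def salts_are_distinct(acct: Account) -> bool:
    """Sanity check for the property the comment above asks for."""
    return len({salt for salt, _ in acct.entries}) == len(acct.entries)


if __name__ == "__main__":
    acct = Account()
    print(set_password(acct, "correct horse"))   # True
    print(set_password(acct, "correct horse"))   # False: same as current
    print(set_password(acct, "battery staple"))  # True
    print(set_password(acct, "correct horse"))   # False: still in history
    print(verify_password(acct, "battery staple"), salts_are_distinct(acct))
```

The cost of the history check is one slow hash per remembered entry, paid only on a password change, so a deep history is affordable; the login path still computes a single hash.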

------
xorgar831
This is practically a startup, a service that just monitors and automatically
updates your passwords as they get leaked over time.

~~~
analogmemory
1Password has a feature called Watchtower that can tell you if your password
for each site is vulnerable.

~~~
ketralnis
Unfortunately it triggers for any site that it doesn't explicitly know wasn't
affected by heartbleed, which makes it trigger for the vast majority of my
passwords. This renders it more or less useless :(

------
Naga
Maybe now I can get access to my account. I forgot my password and tried to
jump through their hoops to reaccess my account. They involved calling the
support department during business hours. It was the holiday season, so I just
gave up.

------
nly
We've had zero knowledge password authentication protocols for 20 years. At
this point, any pain and suffering from these leaks is blood on the hands of
browser vendors and web standards bodies.

------
pwinnski
Hmm, I used to use last.fm, better change my password. Hmm, 1Password shows I
was using a generated unique password, so that's good, though it wasn't as
long and complicated as the ones I use now. And this password was generated
June 7, 2012. Wait, when was the hack again? March 22, 2012.

Ah, looks like I was covered. But hey, now it's an even longer password with
even higher entropy, so that's not a bad thing.

------
Xorlev
2012 was a good year. Fine vintage passwords.

------
guard-of-terra
New passwords must:

        Be at least six characters long
        Contain one or more numbers
        Include at least one of the following special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~, or a space

There's no way I'll remember a last.fm password like that! :(

~~~
kodt
Password managers are a must these days.

~~~
guard-of-terra
I have several devices and enjoy sometimes being logged in on a stray device I
don't own.

------
amq
Is it really that difficult to upgrade all passwords with something like
bcrypt(original md5)?

~~~
theandrewbailey
It's not that it's difficult; it's not a good idea. It does not increase
randomness (entropy), and would probably decrease it. In that situation,
update the hash with a new method upon login.
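The "update the hash upon login" migration theandrewbailey recommends, as an added example that is not from the comment or from Last.fm: each row records which scheme it uses, a legacy unsalted-MD5 row is verified as such, and on a successful login, the only moment the plaintext is available, the row is rewritten with a fresh salt under the stronger scheme. PBKDF2-HMAC-SHA256, the iteration count and the row layout are assumptions for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor
MODERN = "pbkdf2_sha256"
LEGACY = "md5"


def legacy_md5(password: str) -> str:
    """The unsalted MD5 scheme the thread describes; kept only to verify old rows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def legacy_record(password: str) -> dict:
    """Constructed sample row in the pre-migration format."""
    return {"scheme": LEGACY, "salt": None, "digest": legacy_md5(password)}


def needs_upgrade(record: dict) -> bool:
    return record["scheme"] != MODERN


def login(record: dict, password: str) -> bool:
    """Verify against whatever scheme the row uses. On a successful login
    against a legacy row, rewrite the row in place under the modern scheme
    with a fresh random salt; a failed attempt changes nothing."""
    if record["scheme"] == LEGACY:
        ok = hmac.compare_digest(legacy_md5(password), record["digest"])
        if ok:
            salt = os.urandom(16)
            record.update(scheme=MODERN, salt=salt, digest=modern_hash(password, salt))
        return ok
    if record["scheme"] == MODERN:
        return hmac.compare_digest(modern_hash(password, record["salt"]), record["digest"])
    raise ValueError(f"unknown scheme {record['scheme']!r}")


if __name__ == "__main__":
    row = legacy_record("123456")
    print("before:", row["scheme"], needs_upgrade(row))
    print("login:", login(row, "123456"))
    print("after:", row["scheme"], needs_upgrade(row))
```

One caveat the approach carries: accounts that never log in again keep their MD5 row indefinitely, so a migration like this is normally paired with a deadline after which the remaining legacy rows are invalidated and those users are sent through a password reset.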

------
naibafo
On that note I was just reminded that I could delete my account since I am not
using it anyways anymore.

Apparently they removed that option very recently and now you can only 'close'
it, which hides it but doesn't ever delete it. :/

------
Artoemius
Is there a reason to have a password other than 123456 on last.fm?

------
fahrradflucht
Wow, it's 2016 and Last.fm still isn't on HTTPS for anything other than login.
And the "new frontend" is in beta for around a year IIRC...

------
tudorw
shit, my musical taste laid bare for all to see, better start packing...

------
arrty88
can someone please make a startup that upgrades unsalted md5 passwords to
something better

------
unicornporn
[NSFW] "Nothing Better Than Gay Sex"
[https://i.imgur.com/PsRAsLi.jpg](https://i.imgur.com/PsRAsLi.jpg)

Nothing wrong with the message per se, but has the site been defaced too?

~~~
dgnrjrrnfn
Posted four hours ago! Last.fm is truly on its last legs.

------
Alex3917
We really need some laws around this... Prison time for web developers that
store passwords insecurely, and substantial fines for anyone whose password
can be brute forced from one of these leaks.

~~~
001spartan
As someone who has very strong feelings about sites not letting me choose
secure passwords, or storing them insecurely...no.

Fines for storing passwords insecurely and getting breached, sure. This is
already handled by PCI/HIPAA, but could definitely stand to be improved.
Prison time? There's no possible way that would end well.

Fines for "anyone whose password can be brute forced from one of these leaks"?
So that means 80% of people out there would be given "substantial fines". Not
going to happen.

~~~
Alex3917
> So that means 80% of people out there would be given "substantial fines".
> Not going to happen.

How is that any different than giving speeding tickets? If you behave
recklessly in a way that puts others at risk, you should have to make
restitution to society.

~~~
runesoerensen
Hmm not sure I understand your reasoning here.. You don't think there's a
difference between speeding and choosing a weak password for a site like
last.fm? The latter might be a bit silly, but how does it put others at risk?

~~~
Alex3917
With the Dropbox hack for example, the reason they got hacked is because one
of their employees reused a password, presumably from another site that got
hacked. So that's one vector, where every time a site gets hacked, people
using weak passwords (and reusing them) create the risk of future hacks.

But more generally, exposing your account credentials allows others to
impersonate you and potentially scam others, expose the data of others, etc.
In the case of Last.fm there obviously isn't a ton of potential for abuse
directly, other than maybe firing off fake song plays to pocket the royalties,
but the potential for greater harm exists in the general case. E.g. consider
the enormous percentage of credit card transactions that are fraudulent,
largely because of scammers using PII that's stolen in these large scale
hacks. That absolutely affects the fees and interest rates for everyone else
using banks in any way, so even if your own identity isn't stolen you're
absolutely still affected.

And even in some hypothetical scenario where the only person harmed would be
the person using the weak password, there is still precedent for regulation
because we have laws requiring people to wear bike helmets, preventing kids
from smoking, etc.

~~~
runesoerensen
Got it, I certainly disagree and don't think the 41.000.000 last.fm users
(whose passwords were cracked in two hours) should receive a substantial fine.
I don't think there's a whole lot of precedent for this type of legislation
either; what you're suggesting requires at least two other crimes to be
committed by someone else (before someone else would potentially be at risk
due to the user's bad password choice) - in addition to recklessness on behalf
of the service provider (which also may be regulated and/or illegal under
PCI/HIPAA/etc as grandparent points out). In other words:

1. User signs up for a web service, uses weak password.

2. Web service recklessly stores passwords/hashes in an easily crackable way.

3. Someone hacks the web service, steals usernames and passwords/hashes, then
leaks the data.

4. Someone _potentially_ uses the leaked credentials/user information to
impersonate user, commits identity theft, fraud etc.

5. User receives a _"substantial fine"_ for using a weak password (like 96%
of the users of this online music service).

I had written a more long-winded response, but it probably suffices to say that
there are major issues/contradictions/implications of what you're proposing.
Like how would you enforce it, should law enforcement only rely on data
theft/leaks, or should they have direct access to all user databases for
online services? How would they prove the integrity of the data leaks? How
would you prove that the password is reused, and how'd you determine the size of
the fine? Does it matter if the password is strong, but reused and one of
those services stores it in plain text and is hacked? Would it be legal to use
a weak password for a service if the hashing algorithm is strong, or just as
long as the service isn't hacked and the data leaked?

~~~
Alex3917
> How would they prove the integrity of the data leaks?

Most jurisdictions already have security breach notification laws. If you're
already required to report data loss to customers and/or the government, then
at that point I don't think it's unreasonable to require companies to provide
a copy of any leaked credentials since they should all be deactivated anyway.

> How would you prove that the password is reused, and how'd determine the
> size of the fine?

If companies were required to turn over credentials that had been breached,
then this would be determined from the entire set of breached credentials.

> Does it matter if the password is strong, but reused and one of those
> services stores it in plain text and is hacked?

Sure, that's exactly why you're not supposed to ever reuse passwords even if
they're strong.

> Would it be legal to use a weak password for a service if the hashing
> algorithm is strong, or just as long as the service isn't hacked and the
> data leaked?

I think there should be some minimum entropy level that's required regardless
of the hashing algorithm. E.g. given that passwords can be automatically
generated and stored, there is zero reason ever to use a password that's less
than 30 characters of completely random characters.

> what you're suggesting requires at least two other crimes to be committed

The fact that these crimes are interconnected is why such a law is needed in
the first place. And all these attacks are automated, so if you're reusing
your last.fm password on Facebook and it takes ten minutes to brute force your
last.fm password, then your Facebook account is going to potentially be pwned
in ten minutes and 1 second.

If there were some benefit to having weak passwords then that would be one
thing, but the way I see it it's just people creating a national security risk
out of pure laziness.

~~~
okwhatthe2
This is some serious Gulag Archipelago shit you're laying down here manbro.

