32mil passwords compromised, SQL injection attack on RockYou - wmblaettler
http://www.guardian.co.uk/technology/blog/2009/dec/15/rockyou-hacked-passwords

======
kristianp
This reminds me that a certain large site includes my username and password in
its periodical mailings (PlentyOffish.com). This means they don't use a one-way
hash for the passwords.

------
chriseppstein
This is negligence; plain and simple. Users have a right to expect web service
providers to keep their private information secure with basic industry
standards. Someone should sue them and set a precedent.

<http://en.wikipedia.org/wiki/Product_liability>

~~~
jrockway
Users should not give third parties private information. If you care so much,
just pick a different password for each site...

------
potatolicious
C'mon guys, this is the year TWO THOUSAND AND NINE, are you seriously storing
plaintext passwords in your DB?

Normally I'm not so hasty to call for head-chopping and head-rolling family
fun, but I would think this is entirely called for.

~~~
jchonphoenix
In addition, this is the year 2009. SQL INJECTION by a company this big? That's
rather sad.

My final project in class gets an instant 0/100 (40% of the grade) if SQL
injection was possible...

~~~
potatolicious
Ehh... SQL injections are not on the same order of seriousness as storing
passwords in plaintext, IMHO.

The average web service has a complexity far greater than any college course
project. SQL injections can be mitigated using the correct tools and
methodology, but things like this (and buffer overflows) will continue to
exist. Such is the nature of things.

There's "oh man, this one variable isn't sanitized", which is a bad, but
understandable, mistake.

Then there's "oh man, we don't encrypt our passwords AT ALL", which really
belongs in the realm of mistakes made by 15 year-olds.

No seriously, the last time I made that mistake was when I was 15.

------
lzell
.5% of the world's population, stored in plain text. Bravo.

------
mhartl
This is why the Rails Tutorial book (<http://www.railstutorial.org/book>) will
be teaching authentication using salted, hashed passwords. Watch for Chapter
5, due out some time around New Year---and please forward it on to the nice
fellows at RockYou. (Maybe, while we're at it, we can get them to ditch PHP
for Rails.)

~~~
inklesspen
Will you be doing it the right way or the wrong way?
[http://www.matasano.com/log/958/enough-with-the-rainbow-tabl...](http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/) is a good basics guide.
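
A concrete version of the "right way" versus "wrong way" contrast above, as an added example that is not from the thread or from the Rails Tutorial: an unsalted fast digest (lookup-table friendly) beside a per-user salt with a deliberately slow iterated KDF. PBKDF2-HMAC-SHA256 from Ruby's standard library stands in for bcrypt here; the `iterations$salt$hash` record format and all function names are my own choices.

```ruby
require "openssl"
require "securerandom"
require "digest"

# The wrong way: one fast, unsalted hash per password. Equal passwords give
# equal digests, so a precomputed table of digests of common passwords
# (a rainbow table, in the linked article's terms) reverses them by lookup.
def weak_digest(password)
  Digest::SHA256.hexdigest(password)
end

# Constructed stand-in for such a table: digest => password for a few guesses.
def build_lookup_table(common_passwords)
  common_passwords.each_with_object({}) { |pw, t| t[weak_digest(pw)] = pw }
end

# The right way: random per-user salt plus a slow KDF. The salt makes a
# shared table useless; the iteration count makes each guess expensive.
ITERATIONS = 100_000

def create_record(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: 32, hash: "sha256")
  [iterations, salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Compare byte by byte without early exit so timing does not leak a prefix.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_record(record, candidate)
  iterations, salt_hex, hash_hex = record.split("$", 3)
  salt = [salt_hex].pack("H*")
  key  = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                  length: 32, hash: "sha256")
  constant_time_equal?(key.unpack1("H*"), hash_hex)
end

if __FILE__ == $PROGRAM_NAME
  table = build_lookup_table(%w[123456 password iloveyou])
  puts "weak scheme recovered: #{table[weak_digest('123456')].inspect}"
  rec = create_record("123456")
  puts "salted record: #{rec}"
  puts "verify correct: #{verify_record(rec, '123456')}, wrong: #{verify_record(rec, 'abc')}"
end
```

Two users with the same password get two different records, so a leaked table of records cannot be matched against a shared lookup table the way plain digests can.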

------
staunch
Does anyone know how much these 32 million verified and virgin email addresses
will actually sell for in the spam underworld?

Totally guessing, I'm thinking $0.50/1000 to $5/1000 for: $16,000 - $160,000.
But I don't even know if I'm in the right ballpark.

I also assume you can resell these many times, so it could conceivably be
worth hundreds of thousands.

~~~
potatolicious
This is more valuable than spam - you have _passwords_, which for most people
are practically global. You also have their email addresses, which nowadays
are basically the same thing as login.

You just opened the door to _everything_ about these users.

~~~
staunch
I understand that. I remain very curious about the question I actually asked
though.

------
tyrmored
Read about this yesterday. Still can't believe that a web company could get so
big without _somebody_ screaming to hash the damn passwords.

~~~
robryan
Probably a case of lazy programmers there going 'It's not my problem, I didn't
write it'.