Hacker News new | comments | show | ask | jobs | submit login

http://blog.youporn.com/youporn-data-not-exposed/

It was actually the passwords to YP Chat, not Youporn itself. The Yourporn guys are pretty reasonable engineers and sysadmins, from what I've seen, and manage user passwords correctly.

Personally, I think in 2012, if you're not using a password manager to generate and manage unique, strong passwords per site, especially for "sketchy" stuff like porn sites, you're already doomed.

Also, Presidents Day and other minor useless holidays are great times for annual rituals like tracking down and changing any legacy shared passwords you may have. Don't wait for a breach!




I'm going to guess that there's a significant subset of YPChat users who also created YP accounts and also used the same login credentials for both...I mean, how many users who are savvy enough to create multiple-logins/passwords for a site and its chat subdomain would even create an account (one linkable to their identity) on YP in the first place?


The sad thing is, people don't use password managers out of laziness despite the fact that it actually speeds up all of these processes. One password unlocks it, one click to login to any of my sites with strong, secure, unique passwords. Autofills out registration forms and generates a unique password for me. It's faster than me having one memorized password.

Yet, friends and HN hackers alike have scoffed at my attitude which is roughly the same as yours. If you're blindly trusting sites with a non-unique password, it's only a matter of time.

(edit) To get ahead of the repeat replies, LastPass syncs across browser extensions, encrypt/decrypts locally, can be accessed from any browser even without an extension and has mobile apps. I've been using it for probably two years now and I've never not been able to access an account even when using all varieties of guest computers, iPads, etc.


The thing with password managers is that the most convenient ones store your data in a server somewhere. And that opens up more issues than it solves.

For the ones that store information in a local file, that could work. But then a lot of the mobility is lost, even if you use something like Dropbox (you are not going to sync behind a corporate firewall, for instance). At least my brain is attached to my head and is very portable, I just have to remember the damn things.

That said, do you have recommendations?


I really like 1Password (but I use only macs for low security laptop/desktop stuff) -- the browser extension is great, and the iOS apps sync over wifi or dropbox.

The one thing I'm waiting for is iCloud integration. If they don't provide iCloud integration, I'd consider other options (including trying to roll-your-own, maybe using their extensions and spoofing the IPC)


Try SHA1_Pass. I'm the author. It's open Source. Runs on Linux, Windows and Macs. It generates passwords, it does not store them.

Edit: Here's a link (no ads or other junk). http://16s.us/sha1_pass/


I answered the other person that replied. LastPass syncs across browser extensions, you can access your data from their website, it's all encrypted/decrypted locally and there are mobile apps so you can always access them securely even if you don't trust the guest computer.


I don't use a password manager because I don't always use the same computer. As a student I use a number of different machines on campus. A password manager would be extremely inconvenient.

I do, however, use a simple templated password. By including a few unique characters (following an easy to remember formula from the sites domain name) in an already strong base password, I can use dozens of unique passwords without any special environment.


There are several options which use remotely-saved, decrypted-in-browser password safes. You're still vulnerable to keyboard logging if you're using random systems/hardware. Accessing secure services you care about from multiple locations is not a good security practice.

If you carry a smartphone, there are several password safes available for these as well.

Clipperz (web-based) and KeePassDroid work for me.

On my primary systems, a simple text-based database GPG encrypted.

Your password template may or may not be good practice. From random cracking, probably safe. If someone takes a particular interest in you and has prior knowledge of your scheme and several revealed examples, other passwords may become discoverable.


LastPass syncs across computers, can be opened in a private browser (decryption in the browser) and they have mobile apps.


It really needs to become the default at account creation.

I'm not sure how best to make it part of the site sign up process on the server side. The other hassle is you now really want to also link mobile platforms, so unless you're all apple, it's kind of tricky. You could possibly do a web-based password manager instead of something local (there are a few options), or if you're all-apple, 1Password (which doesn't even work perfectly on iOS).

The other way is to just move everyone to Facebook Connect or other third-party identity services, but there are a bunch of problems with that. If there were a single-signon provider which were only single signon, vs. profiles and all the other stuff, it would be more acceptable, but even then, just linkability of all your accounts is a security and privacy compromise, as well as being a single point of attack and failure.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: