Comments on: Monster.com breached

By: Steve

Steve — Fri, 27 Feb 2009 03:08:27 +0000

Browser plug-ins are indeed another alternative, although, again, if you’re owned (even user-mode owned), as long as the bad guy can inject code, he can steal all of your passwords from that plug-in. But, with 41% of people using the same password on every site, this is definitely better than nothing.

By: Steve

Steve — Fri, 27 Feb 2009 03:06:12 +0000

Interesting; I was told (and read) that they did. In any case, the larger point is that if the plaintext you’re securing is from a small number of possibilities (i.e. 1 billion in this case), there’s only so much crypto can do for you.

For what it’s worth, it’s worth pointing out that my one-way hash argument probably applies only to the password, not SSN’s. I re-read what I wrote and I was thinking more of passwords at the time – SSN’s generally need to be able to be decrypted to be worth storing in the first place. Anyway, again, the same argument about domain size applies.

By: slow

slow — Thu, 26 Feb 2009 18:43:57 +0000

Steve- Monster doesn’t store SSN, the only thing they could have possibly f’ed up is the password hashing.

By: Van

Van — Thu, 26 Feb 2009 15:31:36 +0000

Good article. Regarding the insecurity of a single password for all online accounts … this is a great point. OpenID is one option, but it requires that the site uses OpenID, many which do not. Another option is one of the free browser plugins available that can achieve the same result all all sites you use. The PasswordMaker plugin for Firefox is a good example of how to avoid this sort of issue.