PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance

Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.

via PayPal, Lenovo Launch New Campaign to Kill the Password with New Standard from FIDO Alliance | MIT Technology Review.

Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.”

KeePass Password Safe

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

via KeePass Password Safe.

I haven’t tried this yet. Using something like this requires a complete paradigm shift as to how one uses the web. I currently have a password system in my head that has worked for quite some time. It will be interesting how useful this is in real life use cases. Having the ability to have some other entity remember usernames and passwords can lead to very secure authentication. There will be no way to authenticate however if one does not have contact to this password database which could be a problem.

New 25 GPU Monster Devours Passwords In Seconds

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM NTLM (NT Lan Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

via Update: New 25 GPU Monster Devours Passwords In Seconds | The Security Ledger.

Trade group exposes 100,000 passwords for Google, Apple engineers

“It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed,” Dragusin wrote. Elsewhere in the post he said: “If leaving an FTP directory containing 100GB worth of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome.”

via Trade group exposes 100,000 passwords for Google, Apple engineers | Ars Technica.

Update: An IEEE spokeswoman emailed the following statement: “IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved.”

Of all groups that have membership websites which store passwords, IEEE would be the last on a list I would suspect to have something like this happen.

LinkedIn Password Leak: Salt Their Hide

Let me walk through the process of password protection and explain why unsalted passwords are only infinitesimally better than plaintext passwords:

via LinkedIn Password Leak: Salt Their Hide – ACM Queue.

Conclusion

LinkedIn is learning fast right now; according to their damage control missives, they have now implemented salting and “better hashing.” But we have yet to find out why nobody objected to them protecting 150+ million user passwords with 1970s methods.

And everybody else should take notice too: Even if you use md5crypt, you should upgrade your password scrambling algorithm. As a rule of thumb: If it does not take a full second to calculate the password hash, it is too weak.
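The salting and slow-hashing advice in the quoted conclusion, as an added example that is not part of this post or of the ACM Queue article: an unsalted SHA-1 digest (the scheme behind the 2012 LinkedIn leak) beside a salted, iterated PBKDF2 record, plus a helper that applies the "one full second per hash" rule of thumb by calibrating the iteration count on the current machine. The function names and the `$`-separated record layout are my own assumptions, using only Python's standard library.

```python
import hashlib
import hmac
import os
import time

# Hypothetical helpers written for this example; the record layout is an assumption.

def unsalted_sha1(password: str) -> str:
    """Unsalted single-pass hash, the weak scheme the post criticises.
    Equal passwords give equal digests, so one precomputed table cracks every
    account sharing a password, and a GPU rig tests billions of guesses a second."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_record(password: str, iterations: int) -> str:
    """Store scheme, cost and a fresh random per-user salt beside the digest,
    so the same password yields a different record for every user."""
    salt = os.urandom(16)
    digest = pbkdf2(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20_000) -> int:
    """The post's rule of thumb: time a probe run, then scale the iteration
    count so a single hash takes about target_seconds on this hardware."""
    start = time.perf_counter()
    pbkdf2("calibration-only", b"\x00" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))

if __name__ == "__main__":
    # Two users with the same password: identical under SHA-1, distinct once salted.
    print("unsalted:", unsalted_sha1("password"), unsalted_sha1("password"))
    n = calibrate_iterations()
    record = make_record("correct horse battery staple", n)
    print("record:", record)
    print("verify good:", verify("correct horse battery staple", record))
    print("verify bad: ", verify("wrong guess", record))
```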