Formspring Hacked - 420,000 Password Hashes Leaked

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shut down the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of phishing by some users on Twitter attempting to capitalize on the incident."
  • by Theophany ( 2519296 ) on Wednesday July 11, 2012 @10:24AM (#40614437)
    Whilst I agree with all of the above, I think the *real* takeaway from this should be "don't use shitty websites like Formspring, for fuck's sake."
  • by kav2k ( 1545689 ) on Wednesday July 11, 2012 @10:33AM (#40614537)
    So, if I understand the idea correctly, once the keylogger has the base password, all derived passwords are screwed? It protects against hash/unencrypted password leaks, but makes the base password too valuable.
  • by Calos ( 2281322 ) on Wednesday July 11, 2012 @10:39AM (#40614607)

    Yep, I love pwdhash. It's portable without worrying about leaving a password database on a thumb drive or in the cloud, and it can generate long, site-unique passwords while using the same base password. Pwdhash is pretty nice in that it is sensitive to stupid websites that don't allow special characters, too - if you put a special in the password you supply, it very likely (but not necessarily) includes one in the password it generates. If you don't put specials in the user-supplied portion, the output is just alphanumeric. Of course, there are still the stupid websites that want passwords to be 12 characters or less, and/or have to start with a letter, and/or other asinine rules. A downside, though, is that there is a maximum length for the passwords pwdhash generates, 22 chars if I remember correctly, but at this point, I don't think that's really an issue.

    Still don't recommend actually using the same base password for everything, of course.

    The other cool thing about pwdhash (and potentially, similar services too) is that they don't have to be used on websites. You can use it to generate passwords for, say, your wireless. Do something like the SSID in place of the website, then supply your part of the password.

    Pwdhash [pwdhash.com]
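To make the two comments above concrete, here is an added example (my own illustrative code, not PwdHash's actual algorithm and not anything from the project): a keyed hash turns one base password plus a site label into a site-unique password, strips or inserts specials the way Calos describes, caps the length at 22, and then shows kav2k's concern that whoever holds the base password can recompute every derived one. The scheme, the `MAX_LEN` and `SPECIALS` constants and the sample inputs are all assumptions made for this demonstration.

```python
import base64
import hashlib
import hmac
import string

# Constructed parameters for this illustrative scheme (not PwdHash's real algorithm).
MAX_LEN = 22            # output cap, matching the limit Calos recalls
SPECIALS = "!@#$%^&*"   # the special characters the scheme may insert


def derive_site_password(base_password: str, site: str, max_len: int = MAX_LEN) -> str:
    """Turn one memorised base password plus a site label (domain, SSID, ...) into a
    site-unique password. Same inputs always give the same output; different site
    labels give unrelated outputs."""
    if not base_password or not site:
        raise ValueError("base password and site label must be non-empty")
    # keyed hash: the base password is the key, the normalised site label is the message
    digest = hmac.new(base_password.encode(), site.strip().lower().encode(),
                      hashlib.sha256).digest()
    # base64, then drop non-alphanumerics so sites that forbid specials still accept it
    alnum = "".join(c for c in base64.b64encode(digest).decode() if c.isalnum())
    # rotate so the output starts with a letter (some sites insist on that)
    first_letter = next((i for i, c in enumerate(alnum) if c.isalpha()), 0)
    pw = (alnum[first_letter:] + alnum[:first_letter])[:max_len]
    # mirror the user's choice: a special in the base password -> one special in the output
    if any(c not in string.ascii_letters + string.digits for c in base_password):
        pos = 1 + digest[0] % (len(pw) - 1)          # never position 0: keep the leading letter
        pw = pw[:pos] + SPECIALS[digest[1] % len(SPECIALS)] + pw[pos + 1:]
    return pw


def site_passwords(base_password: str, sites) -> dict:
    """kav2k's point in one line: the base password alone, which is exactly what a
    keylogger would capture, is enough to recompute every derived password."""
    return {s: derive_site_password(base_password, s) for s in sites}


if __name__ == "__main__":
    base = "corr3ct-horse"   # constructed sample base password
    for site, pw in site_passwords(base, ["formspring.me", "example.com", "HomeWiFi-SSID"]).items():
        print(f"{site:16} {pw}")
```

Because the derivation is deterministic and keyed only by the base password, there is no per-site secret to rotate after a breach: the defensive response to a compromised base password is to change it everywhere, which is the trade-off kav2k is pointing at.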

  • by Gavin Scott ( 15916 ) on Wednesday July 11, 2012 @11:59AM (#40615585)

    The linked SecurityWeek article includes the quote:

    "We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security."

    Which suggests that they were indeed salting the passwords. Assuming this was actually done, and done in a reasonable manner, then in theory there should actually be little or no risk from this breach I would think. But then I don't know why they would feel the need to immediately replace their hashing mechanism...

    G.
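An added example (my own code, not Formspring's implementation) to show why the quoted upgrade still matters even when the salting was done properly. A random per-user salt stops cross-user matching and precomputed tables, but a single SHA-256 per guess is so cheap that a leaked table can be audited against a list of known-weak passwords almost instantly; an iterated KDF makes each guess cost thousands of hash calls. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here (an assumption, as is the `ITERATIONS` work factor); the user records and weak-password list are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # stand-in cost parameter, analogous to bcrypt's work factor (assumption)

# Constructed sample data: three accounts, two of them using well-known weak passwords.
USERS = {"alice": "password123", "bob": "letmein", "carol": "Zq7!rpWn-vtK4eLd"}
WEAK = ["123456", "password", "letmein", "password123"]


def hash_salted_sha256(password: str, salt: bytes) -> bytes:
    """The 'before' scheme from the quote: one SHA-256 over a random salt plus the password."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for the 'after' scheme: a deliberately slow, iterated KDF from the
    standard library. bcrypt itself would need a third-party package."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enrol(password: str, hasher):
    """Store a password: fresh random salt per user, so equal passwords hash differently."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def verify(password: str, salt: bytes, stored: bytes, hasher) -> bool:
    return hmac.compare_digest(hasher(password, salt), stored)


def build_records(hasher):
    return [enrol(pw, hasher) for pw in USERS.values()]


def audit_weak_passwords(records, weak_list, hasher):
    """Defender-side audit of a stored (or leaked) table: how many records match a short
    list of known-weak passwords, and how many hasher calls that took. The salt forces
    every record to be tried separately; what differs between schemes is the cost per call."""
    matches, calls = 0, 0
    for salt, stored in records:
        for guess in weak_list:
            calls += 1
            if hmac.compare_digest(hasher(guess, salt), stored):
                matches += 1
                break
    return matches, calls


def cost_ratio(password: str = "password123", salt: bytes = b"\x00" * 16, reps: int = 1000) -> float:
    """Wall-clock cost of one slow-KDF evaluation relative to one salted SHA-256."""
    t0 = time.perf_counter()
    for _ in range(reps):
        hash_salted_sha256(password, salt)
    t1 = time.perf_counter()
    hash_slow(password, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max((t1 - t0) / reps, 1e-9)


if __name__ == "__main__":
    for name, hasher in (("salted SHA-256", hash_salted_sha256), ("iterated KDF", hash_slow)):
        found, calls = audit_weak_passwords(build_records(hasher), WEAK, hasher)
        print(f"{name:15} weak matches={found} hasher calls={calls}")
    print(f"one slow-KDF call costs about {cost_ratio():.0f}x one salted SHA-256")
```

The audit finds the same two weak accounts under both schemes with the same eleven hasher calls; the salt does not change the number of guesses needed, only the per-guess cost does, which is the gap Gavin's "little or no risk" reading leaves out for users with guessable passwords.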
