nick
Veteran Member
Posts: 766
|
Post by nick on Dec 15, 2016 14:56:02 GMT
|
|
Alco RS11
Veteran Member
my old account is back.
Posts: 3,079
| Likes: 1,034
IGN: Alco_Rs11
|
Post by Alco RS11 on Dec 15, 2016 16:22:40 GMT
Yahoo has always been shit. After all these breaches, I don't get why people still use this without even caring that they're at risk because these breaches happen so often...
|
|
Geek
Veteran Member
Posts: 1,372
| Likes: 1,104
|
Post by Geek on Dec 15, 2016 21:27:19 GMT
I'd have thought that Yahoo would have been more careful after the previous breach but apparently they haven't - disappointing.
|
|
StevenNL2000
Forum Admin
Posts: 6,415
| Likes: 6,936
IGN: StevenNL2000
Timezone: UTC+01:00
|
Post by StevenNL2000 on Dec 15, 2016 21:54:28 GMT
> I'd have thought that Yahoo would have been more careful after the previous breach but apparently they haven't - disappointing.

This breach is actually older than the one from last time; they were both simply only discovered now and in a different order than they occurred.
|
|
Deleted
Deleted Member
Posts: 0
|
Post by Deleted on Dec 15, 2016 21:58:55 GMT
Informed all family members with Yahoo accounts.
|
|
Hockey
Club 4000 Member
Posts: 4,537
|
Post by Hockey on Dec 15, 2016 22:10:37 GMT
> Holy shit just encrypt passwords instead of hashing them

Lol go home ur drunk

This is another reason that I'd like to see S/MIME and PGP implemented in more email clients.
|
|
|
Post by beetlefights on Dec 16, 2016 1:40:15 GMT
my yahoo was amazingly not breached
|
|
|
Post by Polaris Seltzeris on Dec 16, 2016 2:46:41 GMT
> > Holy shit just encrypt passwords instead of hashing them
>
> Lol go home ur drunk
>
> This is another reason that I'd like to see S/MIME and PGP implemented in more email clients.

Actually if more people thought out of the box about security they'd realize it makes sense. The usual implementation of password encryption means the private key in the database or in the login code which violates the entire purpose of encrypting the passwords, it just makes an account jacker take an extra 5 seconds to decrypt the passwords with the key to be able to access an account. But the way I propose is if there was a private key for each password instead of every password in the database having a private key, and each user would have their private key. This would basically require a two factor authentication system where the password would be meaningless unless you also inputted the private key, and as long as secure encryption like AES-CBC-256 is being used, it's impossible to crack the passwords. This is pretty much how Protonmail does it.
|
|
Hockey
Club 4000 Member
Posts: 4,537
|
Post by Hockey on Dec 16, 2016 3:21:04 GMT
> > Lol go home ur drunk
> >
> > This is another reason that I'd like to see S/MIME and PGP implemented in more email clients.
>
> Actually if more people thought out of the box about security they'd realize it makes sense. The usual implementation of password encryption means the private key in the database or in the login code which violates the entire purpose of encrypting the passwords, it just makes an account jacker take an extra 5 seconds to decrypt the passwords with the key to be able to access an account. But the way I propose is if there was a private key for each password instead of every password in the database having a private key, and each user would have their private key. This would basically require a two factor authentication system where the password would be meaningless unless you also inputted the private key, and as long as secure encryption like AES-CBC-256 is being used, it's impossible to crack the passwords. This is pretty much how Protonmail does it.

Using public and private key authentication would be fine for 2-factor-authentication, but there's a reason that the industry uses hashing + salting for passwords. It's cheap, and it's secure.
|
|
|
Post by Polaris Seltzeris on Dec 16, 2016 3:30:51 GMT
> > Actually if more people thought out of the box about security they'd realize it makes sense. The usual implementation of password encryption means the private key in the database or in the login code which violates the entire purpose of encrypting the passwords, it just makes an account jacker take an extra 5 seconds to decrypt the passwords with the key to be able to access an account. But the way I propose is if there was a private key for each password instead of every password in the database having a private key, and each user would have their private key. This would basically require a two factor authentication system where the password would be meaningless unless you also inputted the private key, and as long as secure encryption like AES-CBC-256 is being used, it's impossible to crack the passwords. This is pretty much how Protonmail does it.
>
> Using public and private key authentication would be fine for 2-factor-authentication, but there's a reason that the industry uses hashing + salting for passwords. It's cheap, and it's secure.

Wtf does 'cheap' mean, are you implying encryption is an industry that costs money? That makes no sense... Also I have no idea what a public key has to do with this, what you're talking about is an asymmetric encryption login system which is unnecessary because it can be accomplished with AES, although then again I could see how that could be more secure, but that would be three factor authentication, and at that point you'd have four authentication factors if the person also has phone verification enabled, and that quickly gets out of hand. While hashing is great and all and I have yet to see someone break or crack SHA3-512, it will happen as technology advances and we get onto quantum computing. AES, on the other hand, is an encryption algorithm and not designed to be quickly replaced like hash algorithms. What PHP has done is irresponsible, not properly implementing security.

Querying should just be removed, SQL injection has gone out of hand and every day more and more websites get breached because PHP developers don't have security in their minds at all, they just want a damn website. PHP recommends bcrypt by default which is getting more and more easy to crack every day, hell if you're not gonna have SHA3-512 as the default at least have scrypt be the default. AES with our current technology would take until the sun goes black to crack even one encrypted message, but the breaking of AES is coming and we have no clue if RSA is broken or not, and PGP has its problems too, so eventually someone will create a new algorithm and hopefully people will start using the keyed authentication concept when that happens.
|
|
_Windows
Club 4000 Member
Posts: 7,881
| Likes: 9,611
|
Post by _Windows on Dec 17, 2016 0:32:22 GMT
|
|
|
Post by Polaris Seltzeris on Dec 17, 2016 1:59:52 GMT
Believe me, if it was a big deal Adobe wouldn't have done it (and failed because they kept the private key in their login API)
|
|
Deleted
Deleted Member
Posts: 0
|
Post by Deleted on Dec 17, 2016 22:26:32 GMT
i use google
|
|
je isnt hapi
Veteran Member
i passed physics
Posts: 1,166
| Likes: 1,552
|
Post by je isnt hapi on Dec 19, 2016 23:15:42 GMT
> Really? Who the fuck uses that shit anyways xD. It's 2016, not fucking 1995.

a seventh of the world
|
|
Qibb
Full Member
True Disclosure
Posts: 129
| Likes: 42
|
Post by Qibb on Dec 20, 2016 22:12:40 GMT
Unfortunately, my father uses Yahoo. My uncle informed him about this breach. I think he'll start using Google now.
|
|