[ SECRET POST #2841 ]

[case]

⌈ Secret Post #2841 ⌋

Warning: Some secrets are NOT worksafe and may contain SPOILERS.

01.


__________________________________________________



02.


__________________________________________________



03.


__________________________________________________



04.


__________________________________________________



05.


__________________________________________________



06.


__________________________________________________



07.


__________________________________________________



08.


__________________________________________________



09.

















Notes:

Secrets Left to Post: 02 pages, 039 secrets from Secret Submission Post #406.
Secrets Not Posted: [ 1 - broken links ], [ 0 - not!secrets ], [ 0 - not!fandom ], [ 0 - too big ], [ 0 - repeat ].
Current Secret Submissions Post: here.
Suggestions, comments, and concerns should go here.

Comments

[kippi]

But most sites will choke out brute forcing. And if they don't, I don't trust them to not lose the password in some other way. Also, a lot of sites aren't worth the effort. I wouldn't really care if I lost say, my Twitter or my Tumblr. But I would care if I lost my Paypal or my email address.

[cbrachyrhynchos]

But most sites will choke out brute forcing.

The biggest data breaches of the last five years have involved the publication of entire password databases through a backdoor: Adobe, Gawker, Sony PSN, Microsoft, Linkedin, etc., etc.. Once the database is made public, crackers can run parallel brute-force attacks. (Heck, AT&T just revealed that a disgruntled employee walked out the door with a bunch of information.) Front-door timeouts are meaningless as of five years ago. At this point, you shouldn't trust any site not to lose their password database.

I wouldn't really care if I lost say, my Twitter or my Tumblr. But I would care if I lost my Paypal or my email address.

Unless you reuse passwords, which most people do, including a Gawker employee who used the same password for commenting and site administration.

[kippi]

At that point, does it really matter? You've already lost. Protecting against that was never your job, either. It rested on the shoulders of the site you were signed up at.

The fact that I give a shit about my email is why is has a decently complex and unique password, and the fact that I don't give a shit about my tumblr is why the password isn't that complex and is shared across a couple sites I also care equally as much about. That's what I meant, unless you use a password manager don't sweat having difficult passwords for shit that doesn't personally matter to you. Of course with a password manager you can just use unique random 30 character passwords for everything from your random virusy pornsites to your bank account, but password managers make me jumpy.

[cbrachyrhynchos]

At that point, does it really matter? You've already lost. Protecting against that was never your job, either. It rested on the shoulders of the site you were signed up at.

Yes, because password databases (assuming that the administrator is not completely incompetent) are obfuscated using a one-way cryptographic function. "pikachu" will fall in seconds to a dictionary attack or a bit longer to alphabetic brute force (7 characters). A randomly generated password like "VxfrFAH0pPqU4t" cannot be discovered via dictionary attacks and is unlikely to be brute-forced.

Now of course if you don't care, you don't care. But the use of a password safe is much less of a security risk than trusting a site with a weak password. All of the software I'm familiar with uses stronger functions that make them more difficult to crack than those used by most web sites. And since LastPass takes seconds to install and demands less time to login than trying to remember exactly which password I used for a service, there are few usability issues.