As I'm currently in the middle of a research project on password security, I downloaded the passwords and had a look. I'm beginning to believe that you should just assume that if your site does not have any password creation rules, it will be hacked soon.<p>The specialforces password dataset contains passwords like "post" -- four lowercase letters found in any English dictionary, and even matching part of the email (@post.ca.gov) for the user. If a site lets you choose this as your password, <i>do not give your credit card info to that site</i>, simple as that. A site that is built by someone who is so unaware of the basics of password security is likely following other insecure practices as well, like storing your data in plaintext and not properly sanitizing user input.<p>All the major recent attacks (phpbb, singles.org, rockyou, battlefield heroes beta, faithwriters, and now specialforces) have had this same glaring issue in common. In reality, if these sites are letting users choose any password, then for the majority of users you might as well just store them in plaintext. Most users (70-90%), if left to their own discretion, will choose a 6 or 7 character password with all lowercase letters, meaning it will be trivial to crack even if it's hashed and salted.
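As an added illustration of the point made in the comment above (this is example code written for this page, not the commenter's research code or anything from the sites named), here is a Python policy check that rejects passwords of the kind described: short, single-class, dictionary words, or fragments of the account's own e-mail address. The e-mail and the word list are constructed for the example; a real deployment would use a full dictionary or breached-password list.

```python
import math
import re

# Constructed word list for the example; a real site would check a full
# dictionary or a breached-password list instead of a handful of words.
COMMON_WORDS = {"post", "password", "letmein", "soldier", "qwerty", "welcome"}

MIN_LENGTH = 10
MIN_KEYSPACE_BITS = 50  # policy threshold chosen for this example


def keyspace_bits(password: str) -> float:
    """Estimate the brute-force keyspace in bits, counting only the character
    classes the password actually uses (which is what a cracker enumerates).
    Seven lowercase letters give 26**7 ~ 8e9 candidates, about 33 bits."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def email_fragments(email: str, min_len: int = 3) -> set:
    """Tokens of the user's e-mail (local part and domain labels), lowercased,
    so that 'post' from '@post.ca.gov' is caught inside a password."""
    return {t for t in re.split(r"[@.\-_+]", email.lower()) if len(t) >= min_len}


def check_password(password: str, email: str = "") -> list:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary word")
    for frag in sorted(email_fragments(email)):
        if frag in lowered:
            problems.append(f"contains part of the account e-mail ({frag})")
            break
    if keyspace_bits(password) < MIN_KEYSPACE_BITS:
        problems.append("keyspace too small to resist offline cracking")
    return problems


if __name__ == "__main__":
    # Constructed account: the password repeats the domain label "post".
    print(check_password("post", "someone@post.ca.gov"))
    print(check_password("Correct-Horse-7-Battery", "someone@post.ca.gov"))
```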
I have found this to be a useful service after every one of these lulz has happened: <a href="https://shouldichangemypassword.com/" rel="nofollow">https://shouldichangemypassword.com/</a>
Let's be honest here. Has <i>any</i> "Secured by X company" certification <i>ever</i> actually meant a damn thing? I swear I hear reports about sites like this getting broken into every week. Those banners are basically the equivalent of painting a target on your back.
While I find it awesome that people like this bring these security issues to attention, at least leave the CC & password details out. Sure, you got them, whoopty-doo, we believe you. It still isn't moral to share them.
Former Soldier, the type that would have purchased things from sites like this before venturing overseas, and I'm highly annoyed by the childish nature of this hack.<p>Some of these products keep people alive, and it's juvenile to blame SpecialForces.com for pepper spray during a protest.<p>If they were really intending on improving the security of these websites, they wouldn't hand out the data. Sadly, I fear that the worst of this type of behavior has yet to come.