"And one amusing detail – although eHarmony implores its users to use strong passwords including both upper and lower case letters, it saves the passwords in all upper case"<p>This is truly beautiful - made my day :)
Unsurprising that >95% of the password hashes have been broken. I remember being annoyed when I signed up for LinkedIn (just checked my tweet history - it was 2010/06/10) because they were only allowing 16 characters in the password field.<p>EDIT: Whoops, guess I should have done some napkin math before claiming that there are rainbow tables that cover that area. /me slaps wrist
<i>Last month Last.fm admitted to having received several reports of spamming involving user data.</i><p>Over the last 6--9 months I have definitely noticed an uptick in the random "connection" requests I get on LinkedIn. I don't know if this is because their userbase has grown and more people are just shotgunning connection requests, or if these represent first steps at an attempted social engineering attack via hacked accounts on which I appear in the "people you might know."<p>So far none of these have been from people I actually know even remotely, so I'm guessing it's just simple spam (and I report it as such).
I find it really incredible that this companies were so careless. Really. I know that security practices are rare to come by, but come on! LinkedIn, eHarmony and last.fm! These are some of the biggest websites.
Unsalted hashes. Wow. What a bunch of amateurs.<p>Also, 10 internet points says at least one other major website will fall too within 2 weeks. Someone has found a new exploit & is trying various sites & collecting hashes.
"The API was developed 9 years ago, and appears not to have been updated since."<p>Last.fm could have updated this, except it would have meant making all their users do something.
What do people think about outsourcing your authentication to someone else?<p>Full Disclosure: I'm currently working on a brandable authentication host (<a href="http://www.authic.com" rel="nofollow">http://www.authic.com</a>) that will outsource the pain of storing your password hashes securly and provide your web app with slick a user account UX.
Does the number of passwords in the hashed list matter in terms of how easy or hard they will be to crack? Does this have implications for a rainbow table-type attack?
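As an added illustration, not from the thread, of the point behind the question above and the "unsalted hashes" complaint earlier: with unsalted SHA-1 a candidate hash is computed once and checked against every leaked hash, so the size of the dump does not raise the per-candidate cost, whereas per-user salts (shown here with PBKDF2) make that cost scale with the number of records. The sample passwords and candidate list are constructed for the demo.

```python
import hashlib
import os

# Constructed sample data (not real leaked values): five user passwords and a
# short candidate list that happens to contain two of them.
SAMPLE_PASSWORDS = ["password1", "letmein", "qwerty123", "Summer!2011", "correct horse"]
CANDIDATES = ["123456", "password1", "letmein", "dragon", "football", "monkey"]
# Low iteration count so the demo runs quickly; real deployments use far more.
PBKDF2_ITERATIONS = 10_000

def store_unsalted(passwords):
    """Unsalted SHA-1, as the thread describes: a hash computed once can be
    looked up against the entire leaked set, and equal passwords collide."""
    return {hashlib.sha1(p.encode()).hexdigest() for p in passwords}

def store_salted(passwords):
    """Per-user random salt plus a slow KDF: every record is independent."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ITERATIONS)
        records.append((salt, digest))
    return records

def unsalted_guess_cost(stored_hashes, candidates):
    """(hash operations, matches) for testing every candidate against an unsalted
    set: one hash per candidate, however many hashes leaked."""
    ops = matches = 0
    for c in candidates:
        ops += 1
        if hashlib.sha1(c.encode()).hexdigest() in stored_hashes:
            matches += 1
    return ops, matches

def salted_guess_cost(records, candidates):
    """Same test against salted records: one KDF call per (candidate, record),
    so the cost grows with the number of users in the dump."""
    ops = matches = 0
    for salt, digest in records:
        for c in candidates:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", c.encode(), salt, PBKDF2_ITERATIONS) == digest:
                matches += 1
    return ops, matches

def compare(passwords=SAMPLE_PASSWORDS, candidates=CANDIDATES):
    """Return ((ops, matches) unsalted, (ops, matches) salted) for the sample."""
    unsalted = unsalted_guess_cost(store_unsalted(passwords), candidates)
    salted = salted_guess_cost(store_salted(passwords), candidates)
    return unsalted, salted
```

Both schemes find the same two weak passwords, but the unsalted set needs six hash operations in total while the salted one needs thirty, and that gap widens linearly with the number of leaked records.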