科技回声
A tech news platform built on Next.js, providing global technology news and discussion.


© 2025 科技回声. All rights reserved.

RockYou.com database breached, 32 million unencrypted passwords obtained

31 points, by freejoe76, over 15 years ago

15 comments

ivankirigin, over 15 years ago

> Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure

No you don't.

bd, over 15 years ago

Here is the hacker's blog (hosted at PirateBay's blogging platform): http://igigi.baywords.com/

He seems to be on a crusade against bad security practices. RockYou was just one out of many sites he hacked (the other sites are mostly Czech and Slovak).

Here in Slovakia, it's almost a weekly media event when he hacks yet another popular local site (mobile phone operator, insurance company, no. 1 portal, etc.).

He also likes to call bullshit on the PR nonsense companies release in the aftermath.

Comment #1035721 not loaded
donw, over 15 years ago

I know this is old, but in this day and age, it's surprising how many companies store plaintext passwords.

Pandora Radio, for instance.

Comment #1035467 not loaded
kevinholesh, over 15 years ago

The breach definitely sounds illegal, but why the hell were they storing unencrypted passwords in the first place?

When I first learned about databases, that was the very first thing I learned never to do.

Comment #1035235 not loaded
mrduncan, over 15 years ago

"We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users. We will continue to advise our users of any information that would help them."

To me, this is a textbook case of a non-apology apology. Allowing (unencrypted!) passwords to be stolen isn't inconvenient to users, it's a pain in the ass.

Comment #1035327 not loaded
dschobel, over 15 years ago

"one or more individuals illegally breached one of our databases"

I love the fact that they mention multiple times that it was an illegal breach, as if that diminishes their culpability.

mattmaroon, over 15 years ago

I love how they follow "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure." with a missive about how they don't follow the same security standards that every web app has used for 10 years. Their legacy system is presumably not older than their company, which has not been around since before even hobbyist web developers like myself learned not to store passwords in plain text.

Next we're going to find out that their system accepts the username "Delete from users WHERE"...

rmorrison, over 15 years ago

I know this is beating a dead horse, but encrypting your users' passwords is one of the most important things you should be doing. Failing to do so shows a complete lack of respect for your users, and demonstrates that your site/service is probably not worth using.

There should be a list of companies/sites that don't encrypt passwords, so we know what services to avoid. That way, next time you use the Forgot Your Password feature and they email you your plaintext password, you can add them to the list to warn others.

Comment #1035513 not loaded
sshconnection, over 15 years ago

From: sshconnection
Date: Wed, Jan 6, 2010 at 4:59 PM
Subject: Engineering Lead for Social Applications
To: dev-jobs@rockyou.com

Hi, I'm interested in your opening for Engineering Lead for Social Applications.

I made a PHP page as a high school project that let me log in and create blog posts. I required an admin account to log into the blog to write articles. My user table (I used MySQL as a database backend) had four columns: id, email, username, password. It sounds very simple, but please let me tell you some of the special technology I used for the password.

If someone used a password of "password", I would do something like this:

$plaintext = "password";

Then, I would use a function called sha1 to get a new value of the password like this:

$salt = sha1(md5($plaintext));

Then, I would get the final value to store as the password like so:

$password = md5($salt.$plaintext);

This way, the password is hidden behind what people call a hashing algorithm. That keeps people from figuring out the original password, even if they somehow got on my computer!

I know I have no professional programming experience, but I think that I could be a very valuable member of your team. If you're interested, please let me know!

-Scott

pxlpshr, over 15 years ago

Isn't this like a month or two old?

Comment #1035213 not loaded
Comment #1035209 not loaded
yomamma, over 15 years ago

I wonder if this would be considered a "movie plot threat".

http://news.ycombinator.com/item?id=815264

mattwdelong, over 15 years ago

"I am sorry we lost 32 million passwords, we will encrypt them so next time we lose them it's not so bad" - RockYou

rleisti, over 15 years ago

You can hope that they encrypt your password, but never trust that they do. Use your own password database.

dgreensp, over 15 years ago

Stay classy, RockYou.

bretthoerner, over 15 years ago

/hugs 1Password