Here we go again with passwords. Chase gave away 76 million of them



Tony Zona
10-02-2014, 8:13 PM
Back in May we were chatting about password managers.

I said it doesn't make a difference when companies give away millions of passwords. I was told I was naive and grossly unfair.

Now look.

JPMorgan Chase gave away 76 million. I know people who have that card.

Again, we could have a 256-character password, but it wouldn't matter. Chase handed over 76 million.

http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?emc=edit_na_20141002&nlid=1451445

Duane Meadows
10-02-2014, 8:45 PM
I agree... "Gave away", or "handed over" is a bit naive and unfair. No software system is bug free. There are many talented crooks working every day to break into any system that appears to have any value at all.

If you don't trust the technology, don't use it. That's my advice and it's probably worth what you paid for it!

Do remember that every time you hand someone a check, you just handed them your bank routing number and account number... guess that leaves cash... there are people who will kill for that (or less) also.

thomas hsieh
10-02-2014, 10:35 PM
It's about time. I hope they do it to all others

Brian Elfert
10-02-2014, 11:03 PM
My understanding in the Chase case is that no passwords or account numbers got taken. Still a big deal regardless.

Curt Harms
10-03-2014, 7:25 AM
Even if a username/password database were stolen, I think it's still worthwhile to not use "password" everywhere. I certainly hope no responsible institution stores user data unencrypted. It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries. A bad guy who can decrypt 90% of a stolen password database in a week may not spend a few months hammering on the remaining 10%.
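To put numbers on the 'horsepower' argument above, here is an added example (not from the post or the forum) that computes the entropy of the password styles being compared and the expected time to exhaust half the keyspace at an assumed guess rate; the wordlist size and guess rate are constructed assumptions, not figures from the thread.

```python
import math

# Constructed assumptions for the illustration (not figures from the thread):
# a cracking wordlist of 100,000 entries and a guess rate of 10 billion
# guesses/second, a plausible order of magnitude for a GPU rig against a
# fast unsalted hash. A slow, salted hash (bcrypt, scrypt, Argon2) cuts that
# rate by many orders of magnitude, which is what a responsible institution
# should be using for stored passwords.
WORDLIST_SIZE = 100_000
GUESSES_PER_SECOND = 1e10


def random_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(wordlist_size: int) -> float:
    """A password that is one wordlist entry has log2(N) bits, however many characters it has."""
    return math.log2(wordlist_size)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched before a hit."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the printed comparison."""
    year = 365.25 * 24 * 3600
    if seconds < 1:
        return f"{seconds * 1000:.3f} ms"
    if seconds < year:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / year:.3g} years"


def compare_policies(rate: float = GUESSES_PER_SECOND) -> dict:
    """Return {label: entropy_bits} for the password styles discussed in the thread."""
    policies = {
        "8-char word from a cracking wordlist": wordlist_entropy_bits(WORDLIST_SIZE),
        "8 random lowercase letters": random_entropy_bits(26, 8),
        "64 random letters/numbers/symbols": random_entropy_bits(94, 64),
        # a site that rejects symbols shrinks the alphabet to 62 (letters and digits)
        "64 random chars, symbols rejected": random_entropy_bits(62, 64),
    }
    for label, bits in policies.items():
        print(f"{label:40s} {bits:6.1f} bits  ~{describe(expected_seconds(bits, rate))}")
    return policies


if __name__ == "__main__":
    compare_policies()
```

The 8-character dictionary word falls in microseconds because the attacker only has to try wordlist entries, not all 8-character strings; the random 64-character password stays out of reach even if the guess rate were a trillion times higher.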

Brian Elfert
10-03-2014, 9:15 AM
I love how people are saying these databases should have no Internet access. How exactly does online banking work without access to this information? Yes, you can have separate networks, but at least one server has to have access to both networks in order to make online banking work.

Myk Rian
10-03-2014, 10:02 AM
It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries.

Apparently it doesn't take much to decrypt a 55 character PW.
http://www.zdnet.com/password-breaker-successfully-tackles-55-character-sequences-7000019891/

By the way, it happened in July.

Curt Harms
10-04-2014, 8:15 AM
Apparently it doesn't take much to decrypt a 55 character PW.
http://www.zdnet.com/password-breaker-successfully-tackles-55-character-sequences-7000019891/

By the way, it happened in July.

We can only change what we have control of. Most of us have no control over the security of password databases. The only thing that I can think of to reduce the likelihood of a stolen password being used is to use a password manager so you only have to remember one somewhat complex password. Have two databases, one important which would likely be fairly small and one of less consequence. The important database would be stuff like banking, health related, insurance. Maybe Amazon & Paypal because they keep credit cards on file or are tied into bank accounts. Maybe change those passwords every 90 days or so. I wonder what the time typically is between a database being hacked and the stolen information being used?

Peter Kelly
10-04-2014, 9:55 AM
Apparently it doesn't take much to decrypt a 55 character PW.
http://www.zdnet.com/password-breaker-successfully-tackles-55-character-sequences-7000019891/

By the way, it happened in July.

The application (Hashcat) only works when the attacker actually has access to the hashed password it's trying to guess. Without that starting point, Hashcat isn't as much of a threat as it sounds.

Creating multiple, difficult to guess login IDs is also a good idea.

Scott Shepherd
10-04-2014, 9:59 AM
Best I can tell is that a lot of this is based on things we have nothing to do with. If we used the best passwords available and the site we're logging into doesn't use the best practices, it's all meaningless.

My Macs have a password creation and storing tool. It creates passwords that are pure gibberish, with dashes, numbers, letters, etc. I couldn't remember one if I wrote it down. It works across devices, so if I create the account on my desktop, then use my laptop, phone, or tablet, it knows the password. I started using it not long ago and was quite pleased with never having to remember another password, then I went to a site that I thought should be fairly secure and when I told it to generate a password for me, it did, and I submitted it, only to have the site reject the password for its use of characters. In the end, I had to dumb it down and manually enter a password that I felt wasn't nearly as secure, which concerned me slightly.

Mike Gresham
10-04-2014, 10:33 AM
I just have to wonder if you actually read the whole article you referenced. It clearly says that passwords were not part of the booty.

Saying they gave away anything is like saying you gave away your goods to the thief that picked the lock on your front door.

While I agree that some companies take a lax approach to security, I think most do not. It is not in their self interest to do so. The sad fact is that any system can be breached given enough talent and time.

Frederick Skelly
10-04-2014, 10:04 PM
It's about time. I hope they do it to all others

I guess I don't understand your point.

Wade Lippman
10-04-2014, 10:30 PM
They claim that no info you couldn't find in the phone book was lost, and no accounts have been abused.
Why would they lie?

John Sanford
10-05-2014, 5:58 PM
Even if a username/password database were stolen, I think it's still worthwhile to not use "password" everywhere. I certainly hope no responsible institution stores user data unencrypted. It takes a lot more 'horsepower' to decrypt a 64-character random password using letters, numbers and symbols than it does to decrypt an 8-character word found in most cracker dictionaries. A bad guy who can decrypt 90% of a stolen password database in a week may not spend a few months hammering on the remaining 10%.

Right. And good luck remembering a 64 character random password, much less remembering multiple different such passwords. Contrary requirements. Something memorable versus something robust.

Rick Potter
10-05-2014, 7:48 PM
Question.

I am not computer literate at all. We try to have passwords on anything important, but there are a lot of places, like this forum, where I am giving away no info that cannot be found easily.

In that situation, does it really matter if I use a simple password?

Jim Rimmer
10-06-2014, 2:13 PM
It's about time. I hope they do it to all others

What does this mean? Who are they? What is the "it" you want done? Who are the "others" you want targeted?
If you want to say something controversial, be clear about what you mean.

Curt Harms
10-07-2014, 7:04 AM
Question.

I am not computer literate at all. We try to have passwords on anything important, but there are a lot of places, like this forum, where I am giving away no info that cannot be found easily.

In that situation, does it really matter if I use a simple password?

The only risk I see is if someone posted something inflammatory or threatening while posing as you.