In several of the latest incidents what was stolen were the hashed versions of the passwords. The mistake is MANY sites still do not salt their hashed passwords. That means that easily available rainbow tables will reveal the vast majority of hashed passwords, hence the seriousness of the situation.

It boggles my mind that so many big sites don't salt their hashed passwords. It's almost a trivial addition, and can be made even AFTER the passwords were hashed, meaning any site out there not currently applying salt can make a few changes to their password routines and upgrade to salted hashes without ANY involvement of their customers.

Fact is many big sites just don't care enough. It'll take more and more of these breaches to force sites to beef up how they do things.

TTYL

On 2013-02-02, at 7:40 AM, Ross McMillan wrote:

> I read today of another password hacker who has managed to get 1000's of
> Twitter passwords.
>
> This perplexes me.
>
> One would assume that the people programming these portals are wise enough
> not to store the passwords in plain text. But I would have thought a
> better approach would be not to store the password itself - whether in
> plain text or encrypted - but to store some sort of digest.
>
> If they steal a digest of your password such as a It must be much harder
> for them to crack. I assume that when a news item talks about 100's of
> passwords being compromised, they mean 100's of passwords were stolen, and
> able to be read by the hacker.
>
> Does anybody know any anecdotal evidence of how these big players who have
> been compromised are storing their passwords?
>
> Incidentally this article gives a
> good run-down of hashed password techniques, including (Python)
> code examples.
>
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist
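As an added illustration of the point above that salt can be retrofitted after the passwords were hashed (example code written here, not from the list post or the linked article): the migration wraps each existing unsalted digest in a per-user salted, stretched hash offline, and the login path recomputes the same chain from the candidate password. The legacy unsalted SHA-256 scheme, the PBKDF2 iteration count and the user names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme: the site stored sha256(password) with no salt.
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed legacy table: both users happen to have chosen "hunter2",
# so their stored digests are identical (exactly what a rainbow table exploits).
LEGACY_USERS = {
    "alice": legacy_hash("hunter2"),
    "bob": legacy_hash("hunter2"),
}

PBKDF2_ITERATIONS = 200_000  # assumption; size to your own hardware budget

def wrap_legacy(legacy_digest: str, salt: bytes) -> bytes:
    """Salted, stretched hash computed over the OLD unsalted digest.
    Because the input is the stored digest rather than the password,
    this runs over the whole table offline with no user involvement."""
    return hashlib.pbkdf2_hmac("sha256", legacy_digest.encode("ascii"),
                               salt, PBKDF2_ITERATIONS)

def migrate(legacy_table: dict) -> dict:
    """Return {user: (salt, wrapped_hash)}; the old digest is not kept."""
    migrated = {}
    for user, digest in legacy_table.items():
        salt = os.urandom(16)  # fresh random salt per user
        migrated[user] = (salt, wrap_legacy(digest, salt))
    return migrated

def verify(store: dict, user: str, password: str) -> bool:
    """Post-migration login: recompute legacy digest, then the salted
    wrapper, and compare in constant time."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, expected = entry
    candidate = wrap_legacy(legacy_hash(password), salt)
    return hmac.compare_digest(candidate, expected)

def stored_values_differ(store: dict, a: str, b: str) -> bool:
    """Same password, different salts: the stored values no longer match."""
    return store[a][1] != store[b][1]
```

The wrapped form is an interim step; the site can replace it with a direct salted password hash the next time each user logs in and the plaintext is briefly available.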