by SkyMarshal 5466 days ago
Fwiw, let me share some of the less predictable consequences of what could happen if your pwd database is hacked, and why it's important to use bcrypt, PBKDF2, or scrypt to secure your users' passwords. (http://codahale.com/how-to-safely-store-a-password/)

I was one of the folks whose email and password were compromised in the recent MtGox.com bitcoin exchange attack. Until then I had been using a three-tier password system, consisting of three passwords of increasing difficulty, used for sites of increasing levels of importance.

My bank/card accounts, email accounts, and any account that stored bank/card info (Paypal, Square) got the strongest password. Sites that were part of my online identity or similarly important, but did not store financial data, got the next strongest password (Twitter, Facebook). Finally, spam sites I didn't care about but needed a login for some reason got the third password.

Well, the MtGox hackers got my middle-tier password and the associated email address. Shortly afterward they also got my Twitter account, which used the same for login. Fortunately they didn't take the time to change my email address, and I was able to get it back with a password reset email.

And a few days later I tried to log in to Amazon and found they had changed the password there too. I got it back the same way, pwd reset, logged into AWS and found my EC2 test instances had all been terminated and all the work I had been doing there gone.

Now I'm sitting here wondering what's next, as I can't remember all the sites I used that email/pwd combo on. But I'll never make that mistake again, and am now evaluating password managers like Lastpass, Keepass, Passpack, and Clipperz for storing unique, strong passwords for every site I use.

I'll also never use MtGox again, and have discovered a newfound wariness of all websites' security practices. One report like this is enough to make me not only file away the name of the site, but also the people who built it, as unreliable.

My point here is that, if your database gets pwned and distributed out to the black market, there's a realistic chance your users will be harmed in ways you haven't foreseen, on other sites not related to yours, and will remember and blame you for it indefinitely.

Given that most people have lots of sites they log into, and that most can't or won't remember separate passwords for them all, you can assume a good portion of your users reuses passwords.

The potential downside of those reused pwds getting hacked via your site and put into the underground identity-theft rings and whatnot far outweighs whatever user-experience upside you may perceive.
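As an added example (not part of SkyMarshal's post, and not any particular site's code), here is the PBKDF2 approach the post recommends, using only Python's standard library. A per-user random salt plus a high iteration count means a leaked database gives an attacker one slow guess at a time, and reused passwords no longer show up as identical hashes across users. The `algorithm$iterations$salt$hash` record format and the `needs_rehash` upgrade policy are my own assumptions; the unsalted function is included only to show what a leak exposes when no salt is used.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; a commonly recommended 2023-era figure, raise it over time
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$digest_b64 (assumed format).

    Storing the algorithm and iteration count alongside the hash lets the work
    factor be raised later without invalidating existing accounts.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record is malformed, uses another scheme, or a weaker work
    factor than current policy; callers re-hash on the next successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


def unsalted_sha256(password: str) -> str:
    """What NOT to do: with no salt, every user who reused this password gets the
    same hash, so one crack reveals all of them (and the reuse itself)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    # Two users with the same password get different records because of the salt...
    print("salted records differ:", hash_password("hunter2") != hash_password("hunter2"))
    # ...whereas an unsalted hash exposes the reuse directly.
    print("unsalted hashes collide:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

The iteration count is the knob that turns a leaked table from "crack everything overnight" into "one guess at a time, at a cost you chose"; bcrypt and scrypt play the same role with memory or cache hardness added, and are the better choice where a library is available.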

4 comments

I agree with you wholeheartedly. Unfortunately, there will always be a few services that will store passwords in plain text.

Would unique email addresses for each service have helped your situation at all?

For example:

Facebook email: uniqueemail1@gmail.com (forwards to your real email) Facebook password: password1

Hover email: uniqueemail2@gmail.com (forwards to your real email) Hover password: password1

Bank email: uniqueemail3@gmail.com (forwards to your real email) Bank password: password1

If any of those services get hacked (and the passwords are stored in plain text) then there's nothing connecting those accounts to each other since the email addresses are all different.

It's the system I use (along with 3 tiers of passwords not just 'password1' as used in the above example).

But then even if you remember the password, you'd still need to remember the right unique email id for each service.
Not to mention it is security by obscurity.
> I had been using a three-tier password system, consisting of three passwords of increasing difficulty, used for sites of increasing levels of importance.

> Now I'm sitting here wondering what's next, as I can't remember all the sites I used that email/pwd combo on

For my banking password I have a base password that I always add something to for each site in a way that I can remember without having to write something down. The idea being that although it might be obvious to any human looking at the password what I've done it's far more likely that attackers will be automating checking passwords on different sites and the program will just see my password failing on all other sites and ignore it.

> Now I'm sitting here wondering what's next, as I can't remember all the sites I used that email/pwd combo on.

LastPass lets you import your passwords from your browser.

I also had my details leaked via the MtGox.com hack. Fortunately I have been using a password manager for years (Keepass) and don't share passwords site-to-site. So I don't fuck around with security, or try not to.

But, you do. It's hindsight, sure, but if you read HN you definitely know better, yet you did it anyway. You've learned your lesson, and hopefully the next time a service you frequent is hacked your exposure will be minimal. But it took something like this for that to happen. I'm thinking a lot of sites have had shitty security for years like Hover et al. and are only now, with all the publicity surrounding recent breaches of security, beginning to realize they can't get away with it for much longer.

So just like anyone can cut you some slack, I can cut organizations some slack, for now, especially in cases like this where it looks like someone without the requisite technical expertise was given too much control over technical decisions (i.e. not the engineers' fault). That kind of shit happens all the time even if it ideally shouldn't. But, things have changed and security concerns have gained enough publicity that even clueless middle managers should have some inkling that it's important, so IMVHO if you haven't gotten your shit together security-wise as an organization by the end of this year, you're probably inept enough that I shouldn't be doing business with you.

In the meantime I'll practice the security diligence I preach.