I've used unique passwords for a while. The scammers saying "I have your password" that I've seen recently got it from the Adobe hack, who were storing passwords in the clear in 2013 (sigh), including their Echosign product (which is what I used to sign a document). So now you know how reliable an Echosign signature was in 2013.

Some of the others are using passwords from before I started using fully unique passwords, which means they are truly ancient, and you really must start using a password manager if all your current passwords are not yet unique. About the only thing we can be sure of is they didn't get it the way they described.

If you run a service and must store user passwords, and you are writing your own authentication (tip: try very hard not to do this, as you will almost certainly do it wrongly), use a scheme that repeatedly hashes the password whilst mixing in a random salt (such as Scrypt or Bcrypt), then have the scheme audited by someone who knows what they are doing.

I'm also a fan of schemes where you don't store a password for each user, especially a user-chosen password.

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
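As an added illustration of the salted, repeatedly-hashed storage the post recommends (this is example code added by the editor, not from the poster or the list), the block below uses Python's standard-library `hashlib.scrypt` to derive a per-user record with a fresh random salt, verifies a candidate password against that record in constant time, and contrasts it with the unsalted fast hash that the post's advice is meant to rule out. The record layout (`scrypt$n$r$p$salt$hash`), the cost parameters, and the sample passwords are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt cost parameters: n is the CPU/memory cost (a power of two),
# r the block size, p the parallelism. 2**14 / 8 / 1 is a common baseline for
# interactive logins and fits Python's default scrypt memory limit; raise n as
# hardware allows and store it in the record so old hashes can be re-costed later.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (binary fields base64).

    A fresh random salt is drawn per call unless one is supplied (for tests only),
    so two users who chose the same password get unrelated records and a
    precomputed table cannot crack more than one account at a time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(derived)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the parameters stored in the record and compare in constant time.

    Records are expected to come from your own store; a malformed record, an
    unknown scheme, or cost parameters scrypt rejects (non power-of-two n, or an
    n large enough to exceed the memory limit) all yield False rather than an
    exception leaking into the login path.
    """
    try:
        scheme, n, r, p, salt_b64, hash_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=KEY_BYTES,
        )
    except (ValueError, TypeError):
        return False
    # compare_digest is length-safe: a truncated hash field simply fails to match.
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The shape of scheme the post warns against: one fast hash, no salt.

    Every user with the same password gets the same digest, so a single
    precomputed table cracks all of them at once and cracking speed is
    limited only by how fast SHA-256 runs on the attacker's GPUs.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print(rec_a)
    print("same password, different records:", rec_a != rec_b)
    print("verify correct:", verify_password(pw, rec_a))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec_a))
    print("unsalted digests collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
```

Storing n, r and p alongside the salt is what lets you raise the work factor later and re-hash each user on their next successful login without a flag day; the bcrypt "$2b$12$..." format the post also mentions embeds its cost the same way.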