Kickstarter: We Were Hacked, User Information Exposed

Discussion in 'Planetary Annihilation General Discussion' started by kalherine, April 18, 2014.

  1. kalherine

    kalherine Active Member

    As a precaution, I would like Uber to give us information about this.

    http://mashable.com/2014/02/15/kickstarter-hacker-breach/
    http://time.com/7807/kickstarter-hackers-password-change/

    Accessed information included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.

    Just heard about this subject from a Portuguese magazine.
    I do not know why this is not talked about or warned about, or if it was, where is the post here? I want to read about it.

    Should we be concerned?
    Can we trust you with our personal data?

    Should we change all our personal data as a precaution?
  2. abubaba

    abubaba Well-Known Member

  3. kalherine

    kalherine Active Member

  4. FSN1977

    FSN1977 Active Member

    Didn't know that Uber was responsible for the Kickstarter site....
  5. valheria

    valheria Active Member

    It's for the early backers who made donations etc.
  6. kalherine

    kalherine Active Member

    ???

    You know at least that Uber chose the crowd-funding site Kickstarter for their financial backing?
  7. FSN1977

    FSN1977 Active Member

    lol :p Nice joke :D

    You can't be serious, right? You think Uber and Kickstarter are "one" company?
  8. trialq

    trialq Post Master General

    A cursory glance at the search will tell you it is on the forums, but you knew that.
  9. thetrophysystem

    thetrophysystem Post Master General

    Of course they are. Both subsidiaries of Abstergo Inc.

    Seriously, tin-foil hat people are hilarious.
    melhem19 likes this.
  10. Kruptos

    Kruptos Active Member

    No need to be trolls, people.

    To OP: Kickstarter was hacked, not Uber. If you have an account at the Kickstarter site, you should change your Kickstarter account's password. Otherwise there's no cause for distress. Your Uber account is safe.
    drz1 likes this.
  11. RMJ

    RMJ Active Member

    It's a bit annoying, I have so many accounts in so many places, and it seems like every month some place is hacked. It's not easy to come up with high-strength passwords and also remember them; before I get the chance, said place is always hacked, and I have to change it again.

    I'll have to have a list somewhere with my passwords, else I can't remember them.
  12. kalherine

    kalherine Active Member

    It's not me that thinks that, it's me that thinks you think that!
  13. stormingkiwi

    stormingkiwi Post Master General

    [​IMG]
    boylobster and drz1 like this.
  14. aevs

    aevs Post Master General

    Eh, I don't really agree with that comic. If someone's trying to find your password, there's a good chance they'll be trying common words and not just brute-force. In which case it's actually rather insecure.
    He's assuming 1 bit of entropy per character, which is conservative over the entire English language IIRC, but for common words I doubt there's that much entropy.

    Many sites also force you to use capitals and numbers in your password, and/or limit password length.
    Plus I'd be even worse at remembering something like horse-battery-whatever.

    Edit: typo
    Last edited: April 19, 2014
  15. KNight

    KNight Post Master General

    The entire point is that because you are forced to use so many specific things, it's easier to figure it out.

    I'd go on, but I'd just be repeating the comic so....

    Mike
    stormingkiwi likes this.
  16. Kruptos

    Kruptos Active Member

    If someone really wants your password, they don't use hacking protocols, they'll break into your house and look for your list of passwords or interrogate you. It's better to make an easy to remember longish password so YOU don't have to hack into your accounts.

    I was once at a security lecture where the teacher was one of the crypted passwords school and he held all of his passwords on a memory stick. Yeah, that's secure.
    aevs likes this.
  17. aevs

    aevs Post Master General

    No, it doesn't make it easier to figure out.
    Also, that last part of my post wasn't my main point. It was just pointing out that the advice is often futile for the user, even if it were good advice.

    Please, do go on, because it's evident the comic is targeted at the user, especially in the context of being posted in this thread.
  18. stormingkiwi

    stormingkiwi Post Master General

    You don't understand how password cracking works.

    If they are trying "common words", they are bruteforcing. By definition.

    There are 94 characters on a full English keyboard.
    (Post edit - Values corrected)
    94^8 = 6.10exp(15)
    26^9=5.43exp(12) and 26^12=9.5428957e+16

    A significantly longer password is better. Longer password is more significant to the bruteforcing CPU than different characters. Essentially, the argument is that the exp(n) overpowers the function more than the initial constant.

    And there are many more 16 character phrases in English than 16 character words. Because the number of 16 character phrases includes the 16 character word.

    In addition, if you're forcing the user to use at least one letter and at least one number, you've decreased the number of available passwords. It's not 62^(length of password). It's (62^(length of password) - (52^length of password) - (10^length of password)).

    It makes it substantially easier for a CPU to brute force it. You've just reduced the number of possible permutations.

    Take an 8 letter password - that has 75% of the permutations that it could have. It does make it easier to bruteforce.
    Last edited: April 19, 2014
  19. drz1

    drz1 Post Master General

    I don't always totally get some of his comics, but so many of them are utter genius.
  20. corwin1

    corwin1 Member

    You got the numbers wrong:

    94^8 = 6.10exp(15)
    26^9 = 5.43exp(12)

    And he probably meant bruteforcing as in 'trying all different character combinations in sequence'. Trying all common words is still relying on brute force, but the difference is significant.

    How many different words does your average native speaker know?

    According to Wikipedia:
    "A 1995 study shows that junior-high students would be able to recognize the meanings of about 10,000–12,000 words, whereas for college students this number grows up to about 12,000–17,000 and for elderly adults up to about 17,000–21,000 or more."

    But how many different words would most people come up with on the spot, without putting too much thought into it, or referring to a dictionary? No idea, but I guess 5000 would be a generous estimate. So if it was common practice to use a combination of 4 common words as a password, the hacker could just try 5000 most common words:

    5000^4 = 6.2exp(14)

    I'm not saying it's a bad idea, but the advantage is not as obvious as one might think.
    aevs and stormingkiwi like this.
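
The search-space arithmetic argued over in the last few posts, as an added example that is not part of any poster's message: it counts candidates for character brute force, for a composition rule (generalised here to any set of required character classes via inclusion-exclusion), and for a word-list passphrase. The function names and the 26/26/10/32 split of the 94 keyboard characters are assumptions of this example.

```python
from itertools import combinations
from math import log2

# Assumed split of the 94 printable keyboard characters mentioned in the thread.
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 32


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` over an alphabet of this size."""
    return alphabet_size ** length


def policy_keyspace(class_sizes, required, length):
    """Strings of `length` over all classes that contain at least one character
    from every class in `required`, counted by inclusion-exclusion."""
    total = sum(class_sizes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            excluded = sum(class_sizes[c] for c in missing)
            count += (-1) ** k * (total - excluded) ** length
    return count


def passphrase_keyspace(wordlist_size, words):
    """Candidates when the guesser knows the word list and the word count."""
    return wordlist_size ** words


def bits(n):
    """Equivalent entropy in bits if every candidate is equally likely."""
    return log2(n)


def summary():
    alnum = {"letter": LOWER + UPPER, "digit": DIGIT}
    return {
        "8 chars, 94-char keyboard": keyspace(94, 8),
        "9 lowercase letters": keyspace(26, 9),
        "12 lowercase letters": keyspace(26, 12),
        "8 alnum, no rule": keyspace(62, 8),
        "8 alnum, letter+digit required": policy_keyspace(alnum, ["letter", "digit"], 8),
        "4 words from a 5000-word list": passphrase_keyspace(5000, 4),
    }


if __name__ == "__main__":
    for label, n in summary().items():
        print(f"{label:32s} {n:.3e}  {bits(n):5.1f} bits")
```

These counts assume each candidate is equally likely, so they are an upper bound on the guessing work for human-chosen passwords.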
