[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Mon Sep 21 09:47:56 EDT 2015

On Sun, Sep 20, 2015 at 6:05 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

>
> Of course, that was pre-9/11, so who knows how things are now.
>

It is insanity that things have not changed.  Even the simplest
authentication for a social security number would be nice (a pin).  The
fact that the only thing that protects this number is that it is not known,
is horrid.  It is an archaic system.  Even locking your credit can only
take you so far.  Have you ever had your credit locked, or a phone number
(fraud alert) put on file for someone to call if something needs to be done
with your credit?  I once, somehow, had some type of fraud alert put on my
credit with a phone number to who knows where.  I did not do it, I do not
know who did.  They kept calling this random number to ask if I could
access/change my credit history.  It took a decent amount of effort to get
that number changed so they would call me.  I had to mail documents.  Only
then could I tell them to tell me who the heck put it on their in the first
place.

I only mention this because you mention "how things are now".  If they have
increased restrictions on getting a new number they have only increased the
profit in acquiring this number to a thief while also making the entire
system more insecure.  It is a joke to me that I have to connect via https,
answer security questions, receive a one time password, and then enter my
password to log into my bank account, but I just have to state my social
security number in so many cases to access so many other things.  It is the
default over the phone password for so many things.

Here is a quote from Equifax about credit freezing:  "If you choose to
place a security freeze on your credit file, be sure to plan ahead for all
of your credit applications. Under the laws of some states, it may take up
to three business days to process a request to temporarily lift a security
freeze. Additionally, you may not be able to request a temporary lift of a
security freeze during non-business hours or on weekends."

Holy hell?  We are stuck in the 50's here, plus we have to pay for it in
TIME and MONEY.

To be honest with you I always figured that most credit companies must make
money off identity theft by leaving a reason for higher interest rates.  I
also figure that companies like Equifax must love the attention that they
get and the feeling of being needed (and given money) when a SS number is
used for malicious purposes.

I figure the government just does not want to change.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150921/13c1f994/attachment.html>