Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

WinAmp Security

A few months back, I registered on the WinAmp forums because I was experiencing some bugs with the music player. Just a few days ago, I found the following email in my inbox:

“Hello,

My name is Geno Yoham and I am the General Manager of Winamp. First, thank you for your support of Winamp. The Winamp Team is dedicated to providing you with the best possible media player experience so it gives us great pain to notify you that we have recently experienced a security breach of our user forums database.

We have confirmed that your email address was exposed as a result of this attack. We have not confirmed but must assume that other Winamp Forums user account detail, including your forums username, date of birth, time zone preference and encrypted password (not your clear text or unencrypted password) was exposed. The Winamp Forums are now secure, but because we value your privacy we would like to notify you of the incident and encourage you to immediately change your password as a precautionary measure. If you have used your Winamp forums password across other web sites, please change the password on those web sites as well.

We apologize for any inconvenience this has caused and want to assure you that we are taking steps to ensure that your information remains secure as a part of our ongoing commitment to protecting your privacy.

If you have any questions, please contact: support@winamp.com. We have also set up an FAQ at forums.winamp.com for answers to common questions you may have related to this incident.

Geno Yoham

Winamp”

Well, great. I remember registering on the forums with the same password I use for a good number of other sites on the net, and I used my primary email address for the forums, and I'm sure many others did the same. So an attacker now holds a list of email addresses paired with “encrypted” passwords, which for a web forum in practice means one-way password hashes, not something that needs a key to decrypt. Cracking them does not require reversing the hash: the attacker runs a wordlist of likely passwords through the same hash function and checks each result against the stolen table. This happens offline, on the attacker's own machines, so no login rate limit slows it down, and if the forum hashed passwords without a per-user salt, every guess can be checked against all thousands of accounts at once. Each match yields a password tied to an email address and a date of birth. Having thousands of accounts to try makes the whole exercise much more rewarding than attacking one person, and I'm sure many used the same password to log in to their email account. Even those who use a different password for their email are exposed at sites like Facebook that use an email address as the login name, so one cracked forum password can turn into access to several unrelated accounts.
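To make the attack above concrete, here is an added example (not code from the original post, and not taken from any real leak). It builds a constructed stand-in for a stolen forum table, once with unsalted hashes and once with per-user salts, and runs a small wordlist against it. The hash function (plain MD5, with the salt appended) is an assumption; what the real forum software used is not stated in the email. The point it shows is that the same accounts fall either way, the salt only multiplies the attacker's work, and the one account with a long, unguessable password survives both runs.

```python
import hashlib
from collections import defaultdict


def md5_hex(text: str) -> str:
    """Hex MD5 of a string. Stands in for whatever hash the forum used (an assumption;
    MD5 is chosen because it is fast, which is exactly what makes offline guessing cheap)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the stolen table: (email, stored hash). The values are
# generated right here from made-up passwords; nothing comes from a real leak.
UNSALTED_DUMP = [
    ("alice@example.com", md5_hex("winamp2010")),
    ("bob@example.com",   md5_hex("letmein")),
    ("carol@example.com", md5_hex("Tr0ub4dor&3-xQ9!")),  # long and random-ish, not in the wordlist
    ("dave@example.com",  md5_hex("letmein")),            # reused the same password as bob
]

# Same users, but the forum stored a per-user salt and hash(password + salt).
SALTED_DUMP = [
    ("alice@example.com", "k3", md5_hex("winamp2010" + "k3")),
    ("bob@example.com",   "9z", md5_hex("letmein" + "9z")),
    ("carol@example.com", "Qa", md5_hex("Tr0ub4dor&3-xQ9!" + "Qa")),
    ("dave@example.com",  "m7", md5_hex("letmein" + "m7")),
]

# Constructed wordlist. A real attacker uses millions of entries plus site-specific guesses.
WORDLIST = ["123456", "password", "letmein", "winamp", "winamp2010", "qwerty"]


def crack_unsalted(dump, wordlist):
    """Without salts, one hash per guess is compared against every account at once.
    Returns ({email: recovered_password}, number_of_hashes_computed)."""
    by_hash = defaultdict(list)
    for email, digest in dump:
        by_hash[digest].append(email)          # identical passwords collapse to one entry
    cracked, hashes_computed = {}, 0
    for guess in wordlist:
        hashes_computed += 1
        for email in by_hash.get(md5_hex(guess), []):
            cracked[email] = guess
    return cracked, hashes_computed


def crack_salted(dump, wordlist):
    """With per-user salts, each guess has to be re-hashed for every account, so the
    work scales with (accounts x guesses) instead of just (guesses)."""
    cracked, hashes_computed = {}, 0
    for email, salt, digest in dump:
        for guess in wordlist:
            hashes_computed += 1
            if md5_hex(guess + salt) == digest:
                cracked[email] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    for name, fn, dump in [("unsalted", crack_unsalted, UNSALTED_DUMP),
                           ("salted", crack_salted, SALTED_DUMP)]:
        found, work = fn(dump, WORDLIST)
        print(f"{name}: {len(found)}/{len(dump)} accounts cracked with {work} hash computations")
        for email, pw in found.items():
            print(f"  {email} -> {pw}")
```

Running it cracks alice, bob and dave in both variants; the unsalted table costs six hash computations for the whole wordlist, the salted one seventeen, because every account has to be tried separately. Carol is never cracked, not because of the salt but because her password is not in any wordlist, which is the property a password manager gives you for free.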

I guess this is just a reminder of how insecure the internet is and how vulnerable your information is online. Although it would be best to use a different password for every site you register on, that is too cumbersome to manage by hand. Fortunately there are a good number of programs that can take care of the problem for you. A great (and free) tool is roboform (http://www.roboform.com/), which acts as a secure password manager: it generates a strong random password when you register for a website and remembers it so you don't have to, so a breach at one site exposes only that site's password. It even securely backs up your passwords and can sync them with your phone, other browsers, etc. As for your email, it would be good to have a dedicated address for site registrations, or you can use a temporary account from a service like mailinator for sites you don't care about (mailinator inboxes are public and unauthenticated, so never use one for an account you would mind losing).

One Response to “WinAmp Security”

  1. Daniel says:

    In addition to Roboform (which, admittedly, I had not heard of until now), there is also another free tool out there, PwdHash, that you can use to protect yourself from damage as a result of this kind of leak. PwdHash by itself is actually just a standard algorithm that takes your custom password and the domain of the site you're visiting (such as “rice.edu”) as inputs, and produces a unique hash that you can use as your password on that site. Sure, it's not entirely foolproof, but it at least adds another layer of protection around your password, and makes it practically impossible to use a rainbow table to decrypt your original password.

    There are handy browser extensions for Firefox, Chrome, and I believe even beta extensions for IE and Opera, that make it essentially painless to use PwdHash. On the Chrome extension in particular, you just have to hit the F2 key while you’re on a password field and type your password normally; the extension traps the input and replaces your password with the hashed version before it gets sent out over the wire.

    Of course, your true password is still vulnerable to social engineering attacks, and the hash can still be read by a man-in-the-middle attack. Even so, knowing that your stock “why-do-I-need-to-register-on-this-stupid-forum” password won’t be compromised through a breach of the stupid-forum server database is a plus.
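As an added illustration of the domain-keyed scheme Daniel describes (this is not the PwdHash project's own code, and it is not a comment from the thread), the block below derives a per-site password from one master password and the site's domain. It is a simplified stand-in: the real PwdHash tool uses a different hash construction and does extra output formatting, so do not expect matching strings. The domain reduction (keep the last two labels, so forums.winamp.com and www.winamp.com share a password) and the HMAC-SHA256 plus base64 construction are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_domain(url: str) -> str:
    """Reduce a URL to the domain that keys the derived password. Assumption: the last
    two labels are the registrable domain, so forums.winamp.com and www.winamp.com both
    map to winamp.com. (Naive on purpose; it would mis-handle names like example.co.uk.)"""
    host = (urlparse(url).hostname or url).lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def derived_password(master: str, domain: str, length: int = 16) -> str:
    """Site-specific password = base64(HMAC-SHA256(key=master, msg=domain))[:length].
    Simplified stand-in for PwdHash (assumption: the real tool's hash function and
    output formatting differ). The master password is only ever an HMAC key here; the
    derived string is what gets typed into the site's form and stored in its database."""
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def passwords_for(master: str, urls):
    """Map each URL to the password the user would actually submit there."""
    return {url: derived_password(master, site_domain(url)) for url in urls}


if __name__ == "__main__":
    # Constructed site list; the user types the same stock password on all of them.
    sites = ["https://forums.winamp.com/register.php",
             "http://www.winamp.com/",
             "https://www.facebook.com/login",
             "https://mail.example.com/"]
    for url, pw in passwords_for("stupid-forum-password", sites).items():
        print(f"{site_domain(url):18s} {pw}")
```

The forum's database ends up holding (a hash of) only the winamp.com derivation, so cracking it yields a string that is useless at facebook.com or the mail provider, and recovering the master password from it would mean inverting an HMAC. Two practical caveats: base64 output contains "+" and "/", which some sites reject in passwords (the real PwdHash handles this in its formatting step), and, as Daniel notes, a man-in-the-middle on the legitimate domain still captures the derived password for that site.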