Nature security breach prompts password reset

Password re-use (@ Charles)

"So I ask this of the tech world. How can people surf securely, even to such places as banking sites, while having a bad memory?"

I dunno, a locally stored encrypted file with all your passwords stored in maybe? Only one (strong) password to remember, and your data is relatively safe (what are the odds of a physical security breach PLUS a cracking of you 256-bit AES encrypted file?)

The real risk.

Depends on whether the password hashes were salted or not. If we assume for a moment that this is the result of an SQL injection attack then it's likely that the attackers have the user's email and a hashed password. If the hashes were not salted then a good number of them will be retrievable in a short space of time using rainbow tables. As the article says, with this info the attackers will then be in a position to log in to more valuable accounts elsewhere, such as paypal, which also asks for email address + password.

RE: Risk?

A quick look at Nature.com reveals they use email addresses as user names, do those may well have been compromised as too.

It's not implausible that if a gang of would-be identity thieves were able to acquire a large number of username/password pairs for any site they would have some success logging into more sensitive sites by trying those pairs.

For that matter, anyone who legitimately has access to usernames and passwords (e.g. Nature) could do the same thing.

50+ Passwords

I'm a reasonably security paranoid person, and yet I still don't have 50 different passwords for the 50 different web sites I visit that require authentication. (OK, maybe there aren't 50 of them but there are certainly a lot.) I keep separate passwords for highly secure sites (banking, etc), but sites that aren't storing secure information for me don't get unique passwords. The survey would suggest that there are really folks out there that have a unique password for each and every podunk web site that requires authentication. Really? Are you out there? How on earth do you remember that many passwords?

Nonsense yet phonetic passwords here

So, I might make a a word such as k1prn@ts (pron kippernats) as a password, which i find makes them easily remember-able yet obscure enough to make them virtually immune to simple brute forcing or social engineering tricks.

+1 to Charles

Exactly Charles.

Bank sites and anything else that accesses money should use two-factor authentication. Making people generate obscure passwords and change them every 5 minutes is less secure, not more.

For a bunch of sites (like Nature), the password is securing their data, not mine. So they get a very simple password - if they try to force me out of this, chances are I won't use the site at all.

OK, my hand is up

Despite working in an environment which encourages good security practices I will happily admit to using common passwords across websites. My only saving grace is that I have three passwords of different complexity for 'normal' sites where sites such as ElReg get a low grade password, since when it comes right down to it I there is no risk to me in any data you may have kept about me, while sites where I have 'reward points' (frequent flyer/supermarket etc) get a higher complexity since the points have a value of sorts.

When it comes to online banking etc each site has it's own password of at least 10 characters plus one bank has given me a secureID type token generator. This brings the password total to about eight which is about as many as I want to try to remember since I don't want to cycle through them to find the right one.

Re: RE: Risk?

Nice one. So, courtesy of whoever purloined this lot in conjunction with the nice template reproduced here, I foresee a few mails going out to those addresses along the lines of:

"I regret to inform you that our Press Site...........<blah>......please reauthenticate your details at the following URL: http://moodyserver2.thieves.are.us."