Comments on Security Nirvana: Yet another opinion on the RockYou case

Matt Weir (2010-01-25):

Hey, thanks for the shout-out. I just want to add I second everything in your post. In particular, I've really been struggling with making sense of the list, since as you correctly pointed out, there are a lot of unknowns with it.

One thing that has been particularly bothering me though is I have a hard time figuring out how Rockyou will store all of the passwords as hashes. They aren't like a normal website. Instead, many of their programs are aggregators of different social networking sites. Aka they have to be able to log into your Facebook/Myspace/Friendster accounts to access all of your user information. To do that, they need the raw passwords, not the password hashes. Perhaps they can work with Facebook/Myspace/etc. so they won't require the user's password, but that opens up a whole new slew of possible security flaws. It's a tough question.