Another case of password theft leaves commenters feeling hacked off

Inflame - hacking news
Could this be the next Die Hard plot?

Turns out it doesn't really matter how many uppercase letters, lowercase letters, numbers or words about horses you have in your internet passwords, as most of them have been hacked and stolen anyway.

News this week suggested that an amazing 1.2 billion email addresses and passwords have been harvested by hacking group CyberVors, which poked insecure servers with a malware botnet (and perhaps bought in more stolen data from other hackers), resulting in the biggest data collection in the history of hacks.

If true, and not the exaggerations of anti-Russian NSA plants (more on that later), it means a significant percentage of the world's population now faces the prospect of someone else knowing their login details.

So it's time to change passwords again. And seeing as they're bound to be hacked, stolen, intercepted or guessed at some point in the future, we may as well all use 88888888 or qwertyuiop to save time logging in.

1Password to rule them all

On the Independent, reader DaveW started throwing around the F-word to describe people that don't adequately protect their special words and logins online, saying: "There are 100s of programs that protect passwords while on a user's computer, along with other software designed to protect one's computer, laptop, tablet, etc. Those that don't have them are fools."

The old pre-internet saying about a chain only being as strong as its weakest link was reinterpreted in response by Bornslippy, who replied with: "Unfortunately none of them will protect you if, for example, someone hacks into your email provider and steals your password from their database."

"Nothing is 100% in life, but that's not an excuse for doing nothing," DaveW replied, transforming from furious tech guru to motivational speaker and life coach in the space of a few hours.

Tool injection

On The Register, conversation turned to SQL security matters. We scrolled past that lot.

Reader Paul Crawford had something interesting to say about why spam and password hacking is still such a massive industry, though, asking of our so-called security services: "One could well ask what NSA/GCHQ has done to protect us. They should have known of such insecurities, so are either incompetent at their jobs (unlikely), view the protection of consumers against such scams as beneath them, or have such a warped paranoid world-view that maintaining hacking capabilities is more important than actually protecting us (most likely)."

A thought-provoking idea, bettered by Anonymous Coward who responded with: "Or one could also wonder what they have already protected us from that we don't know about? Most security is behind-the-scenes. In the days when Belfast was suffering from car bombs & similar incidents, the ones that went off were the ones that slipped through the net, a much larger number were stopped before they became a real problem. Of course those ones never made the BBC News. Security is a thankless task."

Reader Marketing Hack is on the side of the conspiracy theorists, suggesting: "Unfortunately, what we have learned from the Snowden leaks is that there is a good chance that the NSA/GCHQ knew about these vulnerabilities and didn't do anything about them, because it gives them an avenue to penetrate some of these corporations/websites when they want to."

Have a crack

The sheer size of the password sample has some serious ramifications for the future of all online security, according to Ars Technica reader Bluefinger, who posted: "Having access to 1.2 billion potential passwords and password combinations means they have some serious data samples to analyse over and convert into better algorithmic approaches to password cracking."

He expanded with the chilling thought that it's going to lead to sentient hacking software able to guess our thoughts, suggesting: "It is a big enough sample size to start accounting for quirks of human memorisation/thought process, simply by virtue of having enough data to form patterns. This is the sort of thing a data scientist would love to get their hands on just to see what sort of patterns they can find."

So the future of hacking is intelligent malware that scans your MP3 collection and uses snippets of lyrics from your most-played songs until one clicks, or scans your Instagram page for beloved pet names and uses those to bust open your Gmail.

Blame Russia

Or, if you listen to VentureBeat reader Owen Brunette, the whole affair is just some fluff piece that came into being because a security firm sent out a press release. He says: "It reads as just another nonsense security story from a PR person at a security company. This one's called Hold Security. The NYT went along with it maybe because Russian things are spicy this week, or somebody somewhere in the chain was fed the story this week for more foreign policy reasons."

And independent security expert Bruce Schneier agrees, saying on his personal blog that it's largely a case of hype gone wild. Commenter Who Benefits thinks it's even simpler than that, and is nothing more than a cloaked attack on all things Russian, saying: "This story may be a disinformation operation designed to cancel news surrounding Snowden's residency extension in Russia. It neatly steals focus from Snowden while smearing all things generally connected with Russia, hackers, and infosec professionals."