URGENT! LL security exploit

Robin Linden
Linden Lifer
Join date: 25 Nov 2002
Posts: 1,224
09-09-2006 07:40
Thanks cinda. Link is fixed!
_____________________
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-09-2006 11:18
From: Dale Glass
Ah, not so. True security is when the attacker knows everything but the password, and still has no other alternative but to try to crack it by brute force.


Oh look, something else I already said. ;-)

However, as you've so elegantly demonstrated, it's utterly irrelevant in the context of searching a large number of lousy passwords. Once the algorithm is known, results are 20 minutes away.

There is no password hash algorithm I am aware of that meets that criterion.

From: someone
An actual improvement of security would have been like this: Take the password, and apply various safety checks to it, such as length, presence of digits, presence of dictionary words. If it's bad, don't allow it. This of course will make a lot of people unhappy, but it works.


Of course. I do this. (Actually, I don't. By default, my system makes up a really good password and tells people "this is your password." If they want to change it, then they get to put up with this.) It would never work for Second Life, though. The "kittens" factor is overpowering.

From: someone
What do you suggest they should have done instead?


If they had shut the entire grid down for two days while they figured out what was going on and posted hourly updates over that interval, it wouldn't have bothered me in the slightest. However, as a realist, I acknowledge that the current forum uproar would be a spring shower compared to the deluge of hate that would have produced. F___ the whiners, security comes first, second, and third.

From: someone
IMO, the proper course of action would have been doing exactly this, but two days ago.


If they had done it two days ago, I wouldn't blink. As it stands, it was done poorly, timed poorly, and appears to have been for the wrong reasons. (Keep in mind they've so far said it was done as an unnecessary precaution because there was not one shred of evidence that password information was actually compromised.)

If the scenario was that they were investigating for two days and on Friday afternoon, Logreader Linden looked up and said "Uh oh, looks like they got part of the avatar database" and Superimportant Linden said, "Ouch, reset all the passwords right now, I'm not taking any chances" then yeah, I would probably still call it the right move.

Main Entry: 2rash
Function: adjective
1 : marked by or proceeding from undue haste or lack of deliberation or caution

Rash is not the same as wrong. It's about not thinking things through to foresee the obvious consequences.

Example: It apparently took them about eight hours to come up with an alternative reset mechanism for the chuckleheads who entered bogus security answers. "Not rash" would have been realizing that such a problem was easily foreseeable and doing that first, during the 48-hour blackout period.
Summer Carmichael
UNVERIFIED REGISTERED
Join date: 11 Jun 2006
Posts: 326
09-09-2006 20:14
I liked this thread. Just sayin'
_____________________
Summertime is a nice time.