Kyrusia wrote: Thanks, [v] and Hobbes. I understand, especially with things like this, you can't ever work under a presupposition of absolute certainty - nor should you. Even if people aren't impacted by this (Thanks for the Data Leak Checker, by the way; that was exceptionally helpful - even for the vast majority of us who only see the pretty green box saying we're effectively safe.), it does serve, I feel at least, as a good lesson to keep up-to-date with your regular password changes and the like.
The reason it's always advised to use a password on NS that's different from your other sites is, even though in reality it is 99.999% probable that your password is secure, in that 0.001% chance that it isn't, your other services are protected.
Even in the event that your password is leaked, it's in a hashed format, for example:
d1baa9f1cb3e931e735fc91938aea11c
directly translates to
Hellomynameishobbes
(this is not the hash NS uses; I'll go into more detail below)
The server keeps a specific "key" with it that is able to decipher this hash and verify if the password entered matches. Any hacker will just have the hash and will not have the ability to see what the password is from the hash code.
That said, there are methods to crack hashing. It takes time, but it's doable, particularly in the example of 'dictionary crackers', which literally go through an online dictionary with numbers added to generate common passwords, often at thousands of tries a second. This is why [violet] previously advised against using common dictionary words as your password, as these are easily crackable.
(side fact: this is why there is an x amount of tries before you time out of password attempts; it is to counter crackers like these, which try thousands of combinations a second)

Overall, you shouldn't be afraid of your 'plain text' password going anywhere, because it doesn't exist within the software. Hashes are designed to offer you an extra level of security in the event of this exact situation, but they are not perfect.
(@Violet, the language 'Only (encrypted) password hashes were exposed, not plaintext passwords.' I would recommend possibly changing, as it may put the mindset to people that 'plaintext' passwords are on the server.)

My tips for a 'secure' password:
1) Don't use dictionary words (see above); even adding numbers won't help (e.g. Fabulous1), as most 'dictionary crackers' will check for this.
2) The longer it is = the more secure the hash.
3) Don't use it anywhere else. I am aware this is a lot to ask for, so at the least, use 2-3 different passwords and spread them out.
4) Important: use a different password for your personal things (say, email) than for 3rd party sites, say, NS, as someone getting access to your email gives them more information, and email will likely be the medium you will use to get your NS account back if it is lost; if the hacker has your email password too, then you're SOL.
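As an added illustration (not code from the post above or from NationStates), here is the kind of registration-time check a site could run to enforce tips 1 and 2, plus a rough budget of how long the 'dictionary word plus numbers' space takes to exhaust at the thousands-of-tries-a-second rate the post mentions. The word list, the 12-character minimum and the 10,000 tries/second figure are assumptions chosen for the example.

```python
import re

# Constructed mini-dictionary for the example; a real check would load a full
# word list (e.g. the system dictionary) instead of this handful of words.
DICTIONARY = {"fabulous", "hello", "password", "dragon", "welcome", "sunshine"}

# A run of letters optionally followed by up to four digits: the "Fabulous1"
# pattern that tip 1 says dictionary crackers try first.
DIGIT_SUFFIX = re.compile(r"^([a-z]+)(\d{0,4})$")


def dictionary_pattern(password, dictionary=DICTIONARY):
    """Return the base word if `password` is a dictionary word with 0-4 digits
    appended (case-insensitive), otherwise None."""
    match = DIGIT_SUFFIX.match(password.lower())
    if match and match.group(1) in dictionary:
        return match.group(1)
    return None


def guess_budget_seconds(dictionary_size, max_digits=4, tries_per_second=10_000):
    """Upper bound on the time a cracker needs to try every dictionary word with
    0..max_digits digits appended. tries_per_second (assumed 10,000) stands in
    for the post's 'thousands of tries a second'."""
    suffix_variants = sum(10 ** n for n in range(max_digits + 1))  # 11111 when max_digits=4
    return dictionary_size * suffix_variants / tries_per_second


def check_password(password, dictionary=DICTIONARY, min_length=12):
    """Apply tips 1 and 2. Returns the list of reasons the password is rejected;
    an empty list means it passes. min_length=12 is an assumed policy value."""
    reasons = []
    base_word = dictionary_pattern(password, dictionary)
    if base_word:
        reasons.append(f"dictionary word '{base_word}' with digits appended")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("Fabulous1", "Hellomynameishobbes"):
        print(candidate, "->", check_password(candidate) or "accepted")
    # A 100,000-word dictionary with up to four digits appended is exhausted in
    # roughly 31 hours at 10,000 tries a second.
    print(f"{guess_budget_seconds(100_000) / 3600:.1f} hours")
```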