
Monster.com Hacked, User Names & Passwords Stolen


Last Friday, Monster.com announced that their database had been attacked, and that account names, passwords, email addresses, and phone numbers had been stolen. Unfortunately, they haven't sent out email alerts to anyone—they just put the announcement up on the security section of their site. As our tipster Erica points out, "Given people's tendencies to reuse passwords on multiple sites (BAD!), that they aren't actively emailing and informing members of this breach is quite irresponsible."

Monster says the next time you log in, you'll be asked to change your password. In the meantime, we say if you use the same password on Monster that you use elsewhere, STOP DOING THAT and

1. Change your passwords everywhere;
2. Use a different password for each site (or at *least* for your most important accounts).

Breach announcement [Monster.com]
"Monster.com database hacked again" [TechUrbia]


Comments:

user-pic

I have different passwords for all of my main stuff (email, photosharing sites, facebook and yes, even consumerist).

Yet despite the fact I have multiple passwords I never seem to forget any of them. It's really not that hard to not use the SAME freakin password over and over.

I wonder if most people truly understand what these data breaches could mean for them.

user-pic

I have logins and accounts at hundreds of different sites. Literally. I would use different passwords for all of them but then I'd have to write them all down, which would defeat the whole purpose. So instead I use a rotating series of "nonsense words" and numbers depending on what type of site it is. Works perfectly well for me!

user-pic

AGAIN?!

I am so glad I filled my account with random information and then closed it... After the first breach less than two years ago!

Hell, when that happened, I received a physical letter through the mail alerting me to the breach. It seems now Monster doesn't give a crap about employers keeping updated postings on the site*, let alone the safety of their users' personal information.

* When I tried using Monster during my last job search, I found nothing but outdated listings, employers who would never respond to messages/resumes sent through Monster's contact system, and completely irrelevant or bogus jobs.

user-pic

@nicemarmot617: I do the same thing. Different tiers of security level for the site (banks, e-mail, forums, etc) mean different passwords. More secure passwords for sites I want to make sure I don't lose control to. I usually keep some sort of system.

user-pic

Monster Cable lost my passwords? Is that why my HDTV keeps showing porn?

user-pic

What I'd like to know is why the password information in the database wasn't encrypted. It's not that hard to do.

user-pic

Wait.


Wait a fucking second.


What the FUCK are they doing storing passwords? No. BAD MONSTER.COM.


You store HASHES of passwords. Then, when someone manages to h4x0r your b0x0r, they don't get a whole boatload of passwords!


</Network Security 101>

user-pic

Yet, strangely, I never see postings for security positions at Monster.

user-pic

Oh, man...so much for that SPORTS MARKETING POSITION TO $90K+ FIRST YEAR job I've been hoping for.

user-pic

It's not just irresponsible that they aren't sending out notices, it's VERY irresponsible of them to even store passwords in their database. It's easy, and much more secure, to store a hash of a password, and not the password itself.

The idea behind the hash is that calculating it works only in one-direction: It's easy to convert from password to hash, but extremely difficult to convert from hash to password. When a new user creates their password, we calculate the hash and store THAT. When the user tries to log in again, we take what they enter in the password field, use it to calculate a hash, and compare that to what's in the database. If the two hashes match, the user is allowed in.

The only drawback is that administrators (or users themselves) can't ever "look up" a password... just reset it. But then again, that's a benefit since I don't want anyone with access to a user database (legitimate or otherwise) to see what I used as my password!
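The store-the-hash, recompute-on-login scheme described in the comment above, as an added example that is not part of the original post or Monster's code. It uses a per-user random salt with an iterated hash (PBKDF2-HMAC-SHA256) and shows, beside it, why an unsalted single hash still leaks which users share a password; the user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed example: iteration count is an assumption for illustration,
# not a value from the post.
ITERATIONS = 200_000


def hash_password(password: str, salt=None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage; never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak form a later comment mentions: same password, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(stored_hashes: dict) -> int:
    """How many stored values are duplicated, i.e. how much a thief learns
    about password reuse just by looking at the table."""
    return len(stored_hashes) - len(set(stored_hashes.values()))


if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    weak = {u: unsalted_md5(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("duplicates visible with unsalted md5:", shared_password_groups(weak))
    print("duplicates visible with salted pbkdf2:", shared_password_groups(strong))
    print("login ok:", verify_password("hunter2", strong["alice"]))
```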

user-pic

@Framling: It took me awhile to realize that, but you're totally right. *Why* are they storing plaintext passwords? This isn't 1994!

Lesson #1, Monster: Never store passwords in plaintext. They should be MD5 or SHA1 hashes, preferably salted hashes if you're storing other sensitive data.

user-pic

@Framling: It's frightening how incompetent network admins are when it comes to security. It would blow your mind the kind of things auditors find on a regular basis.

user-pic

@dragonfire81: I'll usually come up with some incomprehensible string of crap that can be constructed via a series of hints that will only make sense to me (e.g., "...concatenated with last 4 digits of XXX's phone number from 1994 to the power of YYY's Birthday, MMDD-format, mod the last 2 letters of ZZZ's middle name in ASCII")


Except a little more oblique.

user-pic

I don't know why this would be a surprise. Every job posting site that I have ever used has ended up "losing" my email.


Sign up on Careerbuilder, Monster, Yahoo, whatever, and two weeks later you will get that email telling you that you have been selected to be the next accounts manager for some luxury goods company based in Carjackistan. All you need is a computer, some idea where the nearest Western Union is, and your own bank account!

user-pic

Why do I suddenly have someone calling me every 10 minutes to Join Us In Creating Excitement?!?

user-pic

Why does Monster Cable have my passwords? I am very confused here. I don't think I ever had to log in to Monster Cable.

user-pic

I know there are probably quite a few valuable ID's in the lot that was stolen, but it seems kind of stupid...

Let's steal a bunch of IDs for people who have no jobs!
Great! Now I can forge my way into the unemployment line.

I know I know, there are probably a large large number of folks in between, etc etc. it was just a funny thought.

user-pic

@Ash78: I thought it was Fenway Park's Green Monster.

user-pic

According to TechUrbia, it looks like it was not job seekers whose information was stolen:

"What was stolen?

This time, just like the attack in 2007, the information stolen was the data of employers, not potential employees (i.e. job seekers). And both hacks were reported by the same third party company (Symantec)...."

user-pic

Isn't this the 3rd time in the last year or two? There needs to be a penalty or fine placed on companies that have online services compromised more than once....

By the second time you would hope they learned about value in security.

user-pic

@coren: Monster Cable hacked Monster's website so they would look incompetent and lose money, so Monster Cable could then sue them out of existence and further prove that no one fucks with the word "Monster" without paying the cable folks... they're kinda like the mafia, only whiny and pointless...

user-pic

I heard a rumor that Monster Cable has now sued the hackers, claiming they're the only people allowed to try to screw over companies with Monster in their name.

user-pic

@dragonfire81: Try this, come up with a base alphanumeric password like 3lv1s (Elvis) then either prefix or suffix the first few letters of the site name. So your password for Monster would be 3lv1smon or mon3lv1s or even m3lv1son, etc.

This way you have a separate password for each site, with enough complexity that a hacker can't figure out your password scheme should that password be compromised.

user-pic

Although I haven't used monster.com in over a year, I figured I'd go change my password. My old password was 7 characters long and just a mix of lowercase letters & numbers. So I decided to try to use a password that's something like this:

Xxxxnn.n%nn*nn*nn

Where the X's are letters (and the first one is capitalized) and the n's are all random numbers. So I've got a mix of uppercase, lowercase, 3 different types of punctuation, and 9 numbers, for a password that's 17 characters long. The characters are not a word that could be guessed, and there's nothing in my account that correlates to them. All the numbers are pretty much random and again nothing that correlates to anything in my profile or anything that could be easily guessed (it's not related to my date of birth, my address, my phone number, etc.).

Their website claims that this password isn't secure enough and won't let me use it. I've tried about half a dozen variations and since given up because everything I've tried that I consider to be fairly complex is rejected as being too insecure. And nothing on the website states how they determine if a password is strong enough or not. No mention of exactly what is required. I've given up trying to guess what their algorithm is, so I guess I'll keep my old password and hope for the best...

user-pic

Hopefully their database managers at least used some sort of encoding so only my spam-worthy information is getting circulated around the net at this moment.
Most of my important sites (email, bank, ebay, paypal) use randomly generated passwords anyway so I'm safe there.

user-pic

@Moosehawk: Me too! Although, I have to think about that when it comes to things like this: If someone got my password for my "money-stuff" tier, they would have my password and potential access to all my financial websites. Not a good way to do it, not that I think about it.

I'm going to go change my passwords now.

user-pic

@Zeniq: *now that I think about it.

Grr.

user-pic

@Framling: Let's hope by "passwords" they meant exactly as you stated - the hashes. Not the actual passwords themselves.

user-pic

Maybe if they had a REALLY FANCY cable it would prevent their sight from being hacked?

user-pic

@freelunch: Or you know, the old-fashioned way - fire their security guys...

user-pic

@MacGyver: some people don't live on the internet, thus this is not that important. OH no, you got ahold of my resume...

user-pic

@Framling: THIS TIMES 42 TIMES INFINITY.

How many times are we going to have to go through this? UGH.

user-pic

I didn't know I needed a password to buy Monster energy drinks.

Weird.

user-pic

@fogmaster: Do you know how much info is on your resume?


You get my name, address, phone number, where I work, email address, school I went to and penis size (still reading?).


That's a LARGE piece of the puzzle and it's enough to send me to spam hell with the three prong junk attack phone, email and snail mail.

user-pic

If you delete your account (like I just did), they ask you for the reason before the final deletion. I took the time to tell them that it was because while I know that data breaches can happen, the fact that they stored passwords in plain text and thus made the acquired data more usable was the reason I was deleting. Maybe enough people telling them so will get them to rethink at least that aspect of their security practices.

user-pic

@Oranges w/ Cheese: It's a good question. One thing I like to do is anytime I sign up to a website, I'll almost immediately do a "forgot password". If they actually email the password, red flag.

user-pic

@BuddyGuyMontag: NICE REFERENCE!!!


You sir are a dedicated reader.

user-pic

@Canino:
Why can't they steal my password too?!

user-pic

@Oranges w/ Cheese: Newp. Clear text.

Clear text passwords.

Full of fail.

user-pic

I have this vague recollection of a phishing e-mail relating to monster.com about a week or so ago. Could it have actually worked?!?

user-pic

But the good news is that the quality of their cables hasn't been compromised!

user-pic

@Framling: Is there any indication FROM MONSTER that they were storing passwords? The bit about changing your password for other sites seems to have been tacked on by other authors, who may not know as much about what happened, or why storing hashes is safer.

user-pic

FYI we got an email about this at work because apparently monster.com and usajobs (the federal government's online job listings) are linked. So if you have an account with USAjobs you could be affected.

user-pic

@TheKel:


Do "Employers" have a different logon page than "Job Seekers"? If not, it's unlikely that the passwords were stored in different databases.

user-pic

@JGKojak: cables for eye 'sight'....interesting...