jl8e: (Default)
[personal profile] jl8e
I just got a scam email informing me that my email account had been hacked, they’d taken over my computer, and had compromising websites I’d visited and pictures taken with my computer’s webcam.

Which they don’t.

To prove it, they told me the password to my email account.

Which it wasn’t.

I recognized it as the password for my LJ, which I’d typed in enough times over the years to remember.

So, LJ’s had their password DB stolen, and either they were storing the passwords in plain text, or their hashing algorithm is weak enough that even moderately strong passwords can be extracted. (Probably the latter; DW sent out a message to their users two weeks ago warning about these scam emails, and saying they didn’t believe the compromise was their system, and blaming an unnamed social networking site, which is totally LiveJournal. I only got the scam email today, which suggests that they didn’t have my password for the original wave.)

So, if you still have an LJ account, change the password. If you reused the password anywhere else, change those first.

And use a password manager, and have it generate passwords for you. Human-memorable passwords are simply not secure enough, and my password was not what most people would consider “human memorable.”

(Schemes like diceware and correct horse battery staple are probably still usable, but even with those, how many can you remember?)

October 2018