I just got an email about this from Ubisoft, with a link to change my password. Yet another incident to prove that unique passwords and utilities such as RoboForm / Dashlane / LastPass are a necessity.
I was happy that they included the "you should change your password on all other websites if it is the same" line.
I find that's the biggest hurdle that average users can't grasp: it's not about one website getting hacked... it's that if your Ubisoft password is the same as your email address password, then they can now log into your email address, which means they can probably take over every online account you have.
I built an extension to use PBKDF2 and some other cleverness to generate predictable passwords for websites because I was tired of needing "random" passwords for every site and some kind of password keeper that stored them. I'd rather generate the password when I need it, and to do so from a password I have memorized, but which isn't written down or used anywhere else.
I was inspired by a blog post I saw here and ended up creating a Chrome Web Store app and an Android app for creating site-specific passwords based on a master password.
The one problem I have is that many websites place artificial restrictions on password length, types of non-alphanumeric characters, requirements on number of numeric digits, etc. It would be nice if there were an updated collaborative list of these artificial restrictions somewhere.
Currently I simply update the password generator to conform to these restrictions whenever I need to create a password for a dumb website.
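The scheme this comment describes, as an added example that is not the commenter's extension or app: a PBKDF2-derived, deterministic per-site password whose length, alphabet and required character classes can be adjusted to a site's restrictions. The master password, salt label, alphabet, policy and site names are constructed demo values.

```python
import hashlib
import hmac
import string

# Added illustration of the scheme described above (deterministic, PBKDF2-based site
# passwords), not the commenter's extension. Labels, alphabet and policy are constructed.
SALT_LABEL = b"site-password-v1:"
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
REQUIRED = (string.digits, "!@#$%^&*")  # character classes the password must contain


def _expand(key: bytes):
    """Stretch one PBKDF2 output into an unbounded byte stream (HMAC counter mode), so the
    slow derivation runs once however many bytes rejection sampling consumes."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def derive_site_password(master: str, site: str, length: int = 20, alphabet: str = ALPHABET,
                         must_contain=REQUIRED, iterations: int = 200_000) -> str:
    """Same master+site always yields the same password; a different site or master
    yields an unrelated one. alphabet/length/must_contain encode the site's policy."""
    if not 0 < len(alphabet) == len(set(alphabet)) <= 256:
        raise ValueError("alphabet must be 1..256 distinct characters")
    if len(must_contain) > length or any(not set(g) & set(alphabet) for g in must_contain):
        raise ValueError("policy cannot be satisfied with this alphabet/length")
    # The salt is the normalized site name: not secret, it only has to differ per site.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              SALT_LABEL + site.strip().lower().encode("utf-8"),
                              iterations, dklen=32)
    stream = _expand(key)
    limit = 256 - (256 % len(alphabet))  # rejection bound: avoids modulo bias
    while True:  # deterministic retry until every required class appears
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
        candidate = "".join(chars)
        if all(any(c in group for c in candidate) for group in must_contain):
            return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo value
    print(derive_site_password(master, "ubisoft.com"))
    # A site that forbids symbols and caps length at 12 gets its own policy:
    print(derive_site_password(master, "legacy.example", 12, string.ascii_letters + string.digits, (string.digits,)))
```

Because the output is a pure function of master password, site name and policy, losing the stored state costs nothing, but changing the policy for a site (or the iteration count) changes that site's password, so the policy itself has to be remembered or recorded.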
Ahh. OK. One small nit. Passwords aren't stored, the has is. If you forget your LastPass password, there's no way to retrieve them. I'm OK with this, which is why I continue to use LastPass.
That said, the interface is definitely terrible. It could use a refresh at this point.
What does "the has is" mean? To my understanding, encrypted passwords are stored on the company's servers and they are decrypted on the client-side. I don't know how they're storing their data, but I do know that we never know what the future holds. Those passwords that may be secure on their server today may easily be broken tomorrow.
My apologies. You are correct. I wrote hash (actually typed "has") when I really meant that they are stored encrypted. I forget the algorithm that's used, but my understanding, last I looked into it, is that the encryption LastPass uses is the best available.