The guy apparently knew I never checked it, because he publicly gloated about it and even said he's looking forward to ruining my life once he cracked my forum password, assuming I used the same password for everything.
I 'kind of sort of' used the same password. Basically I have 5 levels of security, based on how strongly I feel a site is secured combined with how important the data is to me, and use a different password for each level. Fortunately, the forum used my lowest level password.
Since it's been almost 2 months, and nothing else of mine has been hacked, I'm guessing he hasn't cracked the password yet.
PHPBB uses MD5 hashes for the password. I checked all publicly available MD5 reverse lookups, and my password appeared on none of them, being a combination of non-word characters and random numbers. So I guess I'm covered there.
But to be safe, I went ahead and switched everything over to much longer and even more random passwords, now with 7 levels.
Much to my chagrin, there's a lot of things out there that have maximum password sizes. For example, one of the important sites that I deal with has a maximum password size of 8 characters. What the hell is up with that? (Yes, my old password for that site was 8 characters. Yes, I now know that 8 is much too small).
Furthermore, I'm scared by the sheer number of sites out there that store my password somewhere in a retrievable format. "Click here if you forgot your password and we'll send you your old password in plaintext to your e-mail address! Ha Ha! Security!".
Wow, that's astounding. I never realized how weak most sites out there are when it comes to protecting your passwords.
Am I the only one who takes security at least somewhat seriously? For my recently developed financial manager software, I store files in a GZipped, then AES encrypted file. Passwords must be AT LEAST 8 characters long. I use the 256-bit key version of the algorithm where I salt and hash the password before applying it.
Hell, for BetterMUD 2, a game that I most likely will not finish, I use salted SHA256 passwords, and over the weekend, had a serious inclination to switch it to SHA512 instead.
Furthermore, it scares me that some sites even put in restrictions that they think will make your password more secure, but in reality actually makes it easier to crack! For example, there's a site that says:
1) You must have at least one upper-case letter in your password.
2) You must have at least one lower-case letter in your password.
3) You must have at least 2 digits in your password.
Brilliant. Now everyone knows that they don't have to check all-lowercase, all-uppercase, all-letter, all-digit passwords, and passwords with less than two digits. You just made it EASIER to break in! Furthermore, when you impose rules like that, you just know that most people are going to capitalize the first letter, leave the rest lowercase, and tack on a number at the end, so you really haven't done anything at all!
And finally, the thing that scares me the most:
Why are ATM pins only 4 DIGITS? What braindead moron thought that this could possibly be a form of security?
PS. My calendar still looks like some kind of a fish.
PPS. That wasn't intentional.
