The following turned up in my email last night:
Important Kickstarter Security Notice

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password.

The bit I'd like to emphasise is this:

"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."

"Enough computing power?" You're almost certainly using it to read this blog. Given a dictionary and a list of encrypted passwords, it's relatively trivial, especially if you know which encryption method is being used (and if you don't, it's usually pretty easy to figure out).
Why? Because you don't need to break the encryption. All you need to do is what the site does when it checks your password when you log in: encrypt what you type, and see if it matches what's stored. If you encrypt the whole dictionary that way and compare it against your list of stolen passwords? Watch the matches drop out. In fact? You don't even need the dictionary. Take a list of passwords from, say, here, and encrypt those... Of course, if you're serious about cracking passwords, you can do better yet.
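To make the arithmetic concrete, here is an added example (my code, not Kickstarter's, and not from the original post). It uses a constructed table of three accounts and a constructed six-word list; the account names, the passwords behind them, and the word list are all made up for illustration. The first half shows why an unsalted, fast hash makes the post's point true: one hash per word checks every account at once. The second half shows the storage scheme that changes the arithmetic: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), so every guess has to be recomputed per account, many thousands of times over.

```python
import hashlib
import hmac
import os

# Constructed word list: a stand-in for the "top N bad passwords" lists the post links to.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "kickstarter"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast hash, no salt (what many sites actually did)."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "stolen" table of username -> stored digest. Carol's password is not in the
# word list, so the lookup below will not find it; Alice's and Bob's are.
STOLEN = {
    "alice": unsalted_hash("password1"),
    "bob": unsalted_hash("letmein"),
    "carol": unsalted_hash("Tr0ub4dor&3"),
}


def guess_unsalted(stolen: dict, wordlist: list) -> dict:
    """Exactly what the post describes: encrypt each candidate the way the site does,
    then see which stored values match. With no salt, the word list is hashed ONCE and
    the result is reused against every account in the table."""
    lookup = {unsalted_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in stolen.items() if digest in lookup}


# The hardened scheme: random per-user salt + slow KDF. 600k iterations is a realistic
# modern PBKDF2-SHA256 setting (assumption; tune to your own hardware budget).
ITERATIONS = 600_000
SALT_BYTES = 16


def store_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived_key) to be stored instead of the password."""
    salt = salt or os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)


def hash_evaluations_needed(accounts: int, wordlist_len: int, salted: bool) -> int:
    """How many hash computations an attacker must do to try the whole word list
    against every account. Unsalted: once per word. Salted: once per word per account
    (and each of those costs ITERATIONS times more work with a slow KDF)."""
    return wordlist_len * (accounts if salted else 1)


if __name__ == "__main__":
    print("unsalted matches:", guess_unsalted(STOLEN, WORDLIST))
    salt, key = store_password("correct horse battery staple")
    print("verify right password:", verify_password("correct horse battery staple", salt, key))
    print("verify wrong password:", verify_password("correct horse battery stapl", salt, key))
    print("evaluations, unsalted:", hash_evaluations_needed(3, len(WORDLIST), salted=False))
    print("evaluations, salted:  ", hash_evaluations_needed(3, len(WORDLIST), salted=True))
```

The point of the second half is not that PBKDF2 is unbreakable; a weak password is still found, just one account at a time and at a cost per guess that the site chooses. That is why the advice in the post (a strong, unique password) still matters even on a well-run site.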
I can't stress what the KS folks say enough but I'll add to it:
- Change your KS password now. Don't assume it's secure just because it isn't a dictionary word or one of the top 100 bad ones!
- If you use that password anywhere else, change it there. Some lowlife out there now has a list of email addresses and encrypted passwords. If yours is one they cracked, where else can they log in?
- Pick more secure passwords everywhere as a matter of course. Because KS wasn't the first, and won't be the last. Your basic two choices are non-dictionary words (and don't just change letters to numbers, either!) or a passphrase...
- If you have trouble remembering passwords, use a password manager like 1Password (which will also generate highly-random passwords for you) or similar.
- If you use a password manager, for heaven's sake make sure the one password you DO have to remember (namely its own password for its password store!) is both secure and one you can remember.
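As an added example of the "non-dictionary word or passphrase" advice above (my code, not the post's and not 1Password's), this compares how many guesses each kind of password forces. The eight-word list is constructed for the demo; the 7776-word figure used in the test is the size of a standard Diceware list, which is an assumption about the list you would actually use. The "letters to numbers" estimate is an upper bound on that trick: an attacker trying every word in a dictionary with every combination of the usual substitutions only has to do a small multiple of the dictionary's size in work, which is why swapping letters for digits buys so little.

```python
import math
import secrets
import string

# Constructed mini word list for the demo; a real Diceware-style list has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "kettle", "orbit", "velvet", "canyon"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """The kind of password a manager generates: uniform choices from a large alphabet,
    using the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words: list = WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: uniform choices from a word list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Guessing entropy of `picks` independent uniform selections from `choices` options.
    2**entropy_bits is the size of the space an attacker has to search."""
    return picks * math.log2(choices)


LEET = str.maketrans("aeios", "43105")


def leet(word: str) -> str:
    """The 'change letters to numbers' trick the post warns against."""
    return word.translate(LEET)


def leet_entropy_bits(dictionary_size: int, substitutable_letters: int) -> float:
    """Upper bound for 'dictionary word with some letters turned into digits': the attacker
    tries each word with every subset of the substitutions, so the search space is at most
    dictionary_size * 2**substitutable_letters."""
    return math.log2(dictionary_size) + substitutable_letters


if __name__ == "__main__":
    print("manager-style password:", random_password())
    print("  bits:", round(entropy_bits(len(ALPHABET), 20), 1))
    print("demo passphrase:", random_passphrase())
    print("  bits with a 7776-word list, 5 words:", round(entropy_bits(7776, 5), 1))
    print("leet trick:", leet("password"))
    print("  bits, 100k-word dictionary, 4 swappable letters:",
          round(leet_entropy_bits(100_000, 4), 1))
```

Five words from a 7776-word list come out around 65 bits, which is a comfortable margin against offline guessing even with a fast hash; "p455w0rd" built from a 100,000-word dictionary is closer to 21 bits, which a single machine exhausts in moments.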
 Yes, people with IT backgrounds, I'm oversimplifying :D But unfortunately, so are a lot of web-site developers.
 In fact, you'd be daft to try. Most password 'encryption' algorithms are intentionally one-way for sane levels of computing power, i.e. you can't get the plain text given the encrypted text. Your mileage may vary if you're the NSA or GCHQ.
 Assuming the site is not so stupid as to store your password in clear.
 In case you'd ever wondered why you normally have to reset your password, rather than get the site to send you a new one? This is why. Because any sensible site doesn't KNOW your password. It only knows what it encrypts to, using a 'one-way' algorithm.
 *smiles* *waves*