undefined | Better HN

0 pointstempestn9y ago0 comments

Do they say somewhere that they're only using sha1 though? That's sort of what I meant: if bcrypt or scrypt is used, with an appropriate work factor, the risk should be very minimal. The fact that they're assuming it's not suggests they are using weaker encryption.

0 comments

runesoerensen9y ago

Yes they said that in the first paragraph of the incident report you posted a link to ;)

Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak

Also, hashing != encryption

tempestnOP9y ago

Ahh thanks. I read the email they sent out, which had very similar content, but omitted that bit. Just skimmed the post itself, but obviously missed that key info.

Interesting that they don't include strengthening their encryption (ok, hashing) in the list of steps they plan to take, but presumably they will.

runesoerensen9y ago

From the same incident report: When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.

1 more reply

j / k navigate · click thread line to collapse

0 pointstempestn9y ago0 comments

0 comments

runesoerensen9y ago

Yes they said that in the first paragraph of the incident report you posted a link to ;)

Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak

Also, hashing != encryption

tempestnOP9y ago

Ahh thanks. I read the email they sent out, which had very similar content, but omitted that bit. Just skimmed the post itself, but obviously missed that key info.

Interesting that they don't include strengthening their encryption (ok, hashing) in the list of steps they plan to take, but presumably they will.

runesoerensen9y ago

From the same incident report: When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.

1 more reply

j / k navigate · click thread line to collapse