undefined | Better HN

0 pointsguscost7y ago0 comments

Did a double take at this too, but they clarified that it means “hashed with a unique salt” later on. Not a good word choice for a summary though!

0 comments

jtmarmon7y ago

Probably written this way because this is a release for the general public. I would imagine most people expect passwords to be "encrypted" and don't know what "hashed" means, and they correctly assumed technical people will keep reading for more info

gsich7y ago

All the more incentive to inform people what hashing means.

hunter2_7y ago

They do indeed, but then for some reason, they also say "this breach may have exposed ... the password you used" [0] which is a statement I think is wholly incompatible with the notion of "hashed with a salt that varies for each user" (but please let me know if I'm incorrect).

They can rightfully say "encrypted" to a lay audience because the definition of encrypted is not so strict as to require decryptability, but why would they say that the password might be exposed?

[0] https://help.quora.com/hc/en-us/articles/360020212652

varenc7y ago

It's reasonable your password might be exposed since the attacker can now perform an offline brute force attack on the password hashes.

How likely it is your password gets brute forced really depends on the hash function used. If it's md5... all but the strongest password could be broken. (though at least the passwords were salted). If they're using something like bcrypt with a work factor of 10+, it's a different story and only the weakest passwords are at serious risk.

The fact that details on the hashing scheme aren't shared makes me assume it's not great...

guscostOP7y ago

If the salts were stored with the passwords, it might be possible to brute-force any single (simpler) password by testing lots of salt+guess combinations. Salting only really protects against rainbow tables (pre-computed guesses for lots of passwords).

ianai7y ago

Who’s password hash would it be? Ie could it be a linked accounts password?

carbocation7y ago

So glad to hear they were following the best practices from the previous millennium.

cornstalks7y ago

Thanks, I missed that tidbit in my initial pass through!

IshKebab7y ago

They don't mention the hash function anywhere so I'm assuming MD5.

jacquesm7y ago

If they don't mention it you could assume any one of the commonly used hash functions.

ynniv7y ago

Sure, but if youre using a good one you usually say what it is. "Salted and hashed" is usually MD5 or SHA1, both of which provide almost no deterrence to brute forcing.

gsich7y ago

So MD5?

j / k navigate · click thread line to collapse

0 comments

jtmarmon7y ago

gsich7y ago

All the more incentive to inform people what hashing means.

hunter2_7y ago

They can rightfully say "encrypted" to a lay audience because the definition of encrypted is not so strict as to require decryptability, but why would they say that the password might be exposed?

[0] https://help.quora.com/hc/en-us/articles/360020212652

varenc7y ago

It's reasonable your password might be exposed since the attacker can now perform an offline brute force attack on the password hashes.

The fact that details on the hashing scheme aren't shared makes me assume it's not great...

guscostOP7y ago

ianai7y ago

Who’s password hash would it be? Ie could it be a linked accounts password?

carbocation7y ago

So glad to hear they were following the best practices from the previous millennium.

cornstalks7y ago

Thanks, I missed that tidbit in my initial pass through!

IshKebab7y ago

They don't mention the hash function anywhere so I'm assuming MD5.

jacquesm7y ago

If they don't mention it you could assume any one of the commonly used hash functions.

ynniv7y ago

Sure, but if youre using a good one you usually say what it is. "Salted and hashed" is usually MD5 or SHA1, both of which provide almost no deterrence to brute forcing.

gsich7y ago

So MD5?

j / k navigate · click thread line to collapse