undefined | Better HN

0 pointstyingq4y ago0 comments

>Then I'm not sure what you can even do with those

Assume some end users used the same passwords on other, non-twitch accounts. That's what makes hacked passwords valuable, no matter where they came from.

0 comments

twofornone4y ago

That's something I've wondered - do password hashes tend to be the same across platforms? Is everyone using the same hashing algorithm? Isn't this also what salting is for?

Never implemented auth myself.

tyingqOP4y ago

Yes, the hashes are (usually) different due to different algorithms and/or salts. But, if you've brute forced one by using good guesses, and know the email/userid for other sites, and the user used the same or a similar password...that doesn't matter.

franga20004y ago

If everyone did things the way they're supposed to then no, hashes should never be the same between platforms. Using the same algorithm is likely, but as you said, salting solves that.

But mistakes such as salting with just the username are sometimes made even by very large companies and in that case, hashes could be the same.

evandwight4y ago

Why does it matter if hashes are the same?

That only tells you the passwords are the same.

3 more replies

bduerst4y ago

In a perfect world, no, but lazily someone could skip salting and/or use common hashing functions. IIRC this was a problem at Sony not too long ago.

axpy9064y ago

Pretty much this. If they gain one email/username password combination - they can use it elsewhere.

growt4y ago

If they are properly hashed and salted, they can not.

xorcist4y ago

The point here is that once you brute force the plaintext password, the same password might be used elsewhere.

1 more reply

thaumasiotes4y ago

Password salting has nothing to do with password reuse.

Imagine two people have accounts on each of two websites:

             eBay           YouTube
   
   Alice     sunlight       bobrules
   
   Bob       bobrules       bobrules

A password reuse attack dumps the YouTube database, cracks Bob's password, and then accesses Bob's eBay account. The fix for this is that Bob should use different passwords on his different accounts. Hashing helps by making step 2 ("crack Bob's password") more difficult. Salting does not affect this attack in any way. Note that the attacker didn't bother to dump the eBay database.

The attack that salting protects against dumps the YouTube database, cracks Bob's password, and then accesses Alice's YouTube account.

1 more reply

skeeks4y ago

I would be very deeply concerned if Twitch, a multi-billion dollar company owned by Amazon, does not properly hash and salt the passwords of its users.

isbvhodnvemrwvn4y ago

You don't brute force it, you find the password for accounts with the same e-mail in leaks from other sites and try only those.

tyingqOP4y ago

You can still run those "top billion popular password" lists against properly salted/hashed passwords.

j / k navigate · click thread line to collapse

0 comments

twofornone4y ago

That's something I've wondered - do password hashes tend to be the same across platforms? Is everyone using the same hashing algorithm? Isn't this also what salting is for?

Never implemented auth myself.

tyingqOP4y ago

franga20004y ago

If everyone did things the way they're supposed to then no, hashes should never be the same between platforms. Using the same algorithm is likely, but as you said, salting solves that.

But mistakes such as salting with just the username are sometimes made even by very large companies and in that case, hashes could be the same.

evandwight4y ago

Why does it matter if hashes are the same?

That only tells you the passwords are the same.

3 more replies

bduerst4y ago

In a perfect world, no, but lazily someone could skip salting and/or use common hashing functions. IIRC this was a problem at Sony not too long ago.

axpy9064y ago

Pretty much this. If they gain one email/username password combination - they can use it elsewhere.

growt4y ago

If they are properly hashed and salted, they can not.

xorcist4y ago

The point here is that once you brute force the plaintext password, the same password might be used elsewhere.

1 more reply

thaumasiotes4y ago

Password salting has nothing to do with password reuse.

Imagine two people have accounts on each of two websites:

             eBay           YouTube
   
   Alice     sunlight       bobrules
   
   Bob       bobrules       bobrules

The attack that salting protects against dumps the YouTube database, cracks Bob's password, and then accesses Alice's YouTube account.

1 more reply

skeeks4y ago

I would be very deeply concerned if Twitch, a multi-billion dollar company owned by Amazon, does not properly hash and salt the passwords of its users.

isbvhodnvemrwvn4y ago

You don't brute force it, you find the password for accounts with the same e-mail in leaks from other sites and try only those.

tyingqOP4y ago

You can still run those "top billion popular password" lists against properly salted/hashed passwords.

j / k navigate · click thread line to collapse