undefined | Better HN

0 pointsRobin_Message12y ago0 comments

It matters a great deal (well, not to me, I don't use the service). Password reuse is common, and the way to fix that is good quality password hashing. If I used OVH, I'd need to change my password everywhere now.

If I used someone competent (i.e. they still have bugs but they use bcrypt), they'd have lost: $2a$10$NkYCXBjWeVP0rJUlfl0VL.d66EvJjbVUA/YEsmBSyTZOnbY0/anxa which is a bcrypt hash of my most secure password.

I'm happy to publish that. The salted SHA-512? Not so much!

0 comments

Tobu12y ago

Password reuse is still bad, your password doesn't have to be breached through a database dump. You could be accessing a compromised site, or get caught by any number of network attacks from stripping to mixed scripting to dumping a stream that doesn't have forward secrecy. https://www.imperialviolet.org/2012/07/19/hope9talk.html

Robin_MessageOP12y ago

My point was, if they hash properly, a simple db dump is not a big deal (although obviously considering the password compromised is sensible, and password reuse is a bad idea which is not a proof people don't do it).

I'm signing out of this thread as my point seems to have been lost somewhere. Thanks for the interesting link though.

makira12y ago

Password reuse is a really bad idea, regardless of how the password is stored. Depending on how the server is comprised, your password could be intercepted before it is hashed. Don't reuse passwords for sensitive stuff.

Robin_MessageOP12y ago

And yet.

eli12y ago

No, the password should now be considered compromised regardless of how it was hashed and regardless of how many other sites you used it on and how annoying it would be to change them all.

agsamek12y ago

> I'm happy to publish that

foolhardiness is not bravery ;)

pavs12y ago

$2a$10$NkYCXBjWeVP0rJUlfl0VL.d66EvJjbVUA/YEsmBSyTZOnbY0/anxa == hunter2

j / k navigate · click thread line to collapse

0 pointsRobin_Message12y ago0 comments

I'm happy to publish that. The salted SHA-512? Not so much!

0 comments

Tobu12y ago

Robin_MessageOP12y ago

I'm signing out of this thread as my point seems to have been lost somewhere. Thanks for the interesting link though.

makira12y ago

Robin_MessageOP12y ago

And yet.

eli12y ago

No, the password should now be considered compromised regardless of how it was hashed and regardless of how many other sites you used it on and how annoying it would be to change them all.

agsamek12y ago

> I'm happy to publish that

foolhardiness is not bravery ;)

pavs12y ago

$2a$10$NkYCXBjWeVP0rJUlfl0VL.d66EvJjbVUA/YEsmBSyTZOnbY0/anxa == hunter2

j / k navigate · click thread line to collapse