@DeveloperMemes If I understand it correctly, the last statement is actually an indication that the passwords are not safe at this service, since they are stored in plain text instead of hashes. You shouldn't register here at all. Am I correct?

@DeveloperMemes @marmarper If a service is stupid enough to tell you when a password has already been used, it very possibly also stores them in clear text.
But it can also mean that passwords are being hashed, but are not being salted, so by comparing two hashes, you can tell if they stand for the same password. Not using salted hashes makes them vulnerable to attacks that involve comparing hashes to a series of precomputed hashes and allow an attacker that knows the password for one account to get access to other accounts with the same password.

@marmarper @DeveloperMemes the passwords could still be hashed in this situation, but if so they couldn't be salted -- which, these days, is almost as stupid as not hashing the passwords in the first place.

@marmarper @DeveloperMemes you can figure out duplicate passwords even when using salted Argon2.

For every row in the database calculate the hashed password given the user-specific salt. If there's a duplicate you can find it even without storing anything insecure.
It also does not require any brute force.

It's pretty stupid b/c these hash algorithms are purposefully intense in calculations
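The per-row recomputation described in the post above, as an added example that is not from any participant in this thread. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for Argon2 (the mechanics are the same for any salted, slow hash) and a constructed three-user table where two users chose the same password.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for salted Argon2 so this runs
# with the standard library only. Iteration count kept modest for the demo.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of one password under one user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(table: dict, username: str, password: str) -> None:
    """Store a fresh random per-user salt and the salted hash; nothing insecure is kept."""
    salt = os.urandom(16)
    table[username] = (salt, hash_password(password, salt))


def accounts_sharing_password(table: dict, candidate: str) -> list:
    """Usernames whose stored hash equals hash(candidate, that user's salt).

    No plaintext and no brute force are needed: the cost is exactly one full
    slow hash per row, which is why the check scales linearly with the user
    base and why a service that performs it on every signup pays dearly.
    """
    matches = []
    for username, (salt, stored) in table.items():
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            matches.append(username)
    return matches


def build_sample_table() -> dict:
    """Constructed sample data: alice and carol picked the same password."""
    table = {}
    register(table, "alice", "correct horse battery staple")
    register(table, "bob", "hunter2")
    register(table, "carol", "correct horse battery staple")
    return table


if __name__ == "__main__":
    users = build_sample_table()
    print(accounts_sharing_password(users, "correct horse battery staple"))  # ['alice', 'carol']
    print(accounts_sharing_password(users, "hunter2"))  # ['bob']
```

The "password already used" message therefore does not prove plaintext storage, only that the service is willing to hash a candidate against every row.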

@DeveloperMemes Now that I am thinking about it, these imposed password policies are just facilitating password brute force, if we think about it. We may make the cardinality bigger, but then subtract a whole big chunk of possibilities.

cybre.town is an instance of Mastodon, a decentralized and open-source social media platform. This instance is especially about tech/cyber stuff and is also available inside the Tor network. The name is inspired by cybre.space.