undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointsmikeash10y ago0 comments

It doesn't guarantee it, but it does imply it pretty heavily.

The alternative is that they're smart enough to come up with a clever scheme like hashing your password in both its raw form and when converted to 0-9, but not smart enough to realize how converting your password to 0-9 makes it vastly less secure.

0 comments

4 comments · 1 top-level

kragen10y ago· 3 in thread

No, it's easy for them to convert your password to 0-9 when you enter it on a regular keyboard, before hashing it. It does make it vastly less secure, yes, but it doesn't imply plaintext storage.

mikeashOP10y ago

Isn't that what I said in my second paragraph? As I said, for that to happen, you need people smart enough to come up with that scheme but not smart enough to realize how insecure it is. Possible but unlikely. "Imply" does not require a complete guarantee.

abduhl10y ago

Does it actually make it less secure though? Consider the situations where each password is used:

1. Your password is required online where the full password must be entered and the numerically reduced password is not accepted. This results in no loss of difficulty in the password.

2. Your password is required over the phone where the password is reduced to a T9 password. Despite the fact that the solution space has been cut down significantly (by 33%^n), the password cannot be broken any quicker because the bottleneck for this case is not computational power but rather the phone system. You can brute force all of the passwords in X seconds, but this is irrelevant because you can't try more than 1 password per call and you can't call more than Y times per second.

kragen10y ago

I was talking about logical implication, which does require a complete guarantee. I didn't realize you weren't.

j / k navigate · click thread line to collapse