undefined | Better HN

story

0 pointshunter2_7y ago0 comments

They do indeed, but then for some reason, they also say "this breach may have exposed ... the password you used" [0] which is a statement I think is wholly incompatible with the notion of "hashed with a salt that varies for each user" (but please let me know if I'm incorrect).

They can rightfully say "encrypted" to a lay audience because the definition of encrypted is not so strict as to require decryptability, but why would they say that the password might be exposed?

[0] https://help.quora.com/hc/en-us/articles/360020212652

0 comments

varenc7y ago

It's reasonable your password might be exposed since the attacker can now perform an offline brute force attack on the password hashes.

How likely it is your password gets brute forced really depends on the hash function used. If it's md5... all but the strongest password could be broken. (though at least the passwords were salted). If they're using something like bcrypt with a work factor of 10+, it's a different story and only the weakest passwords are at serious risk.

The fact that details on the hashing scheme aren't shared makes me assume it's not great...

guscost7y ago

If the salts were stored with the passwords, it might be possible to brute-force any single (simpler) password by testing lots of salt+guess combinations. Salting only really protects against rainbow tables (pre-computed guesses for lots of passwords).