undefined | Better HN

0 pointsjesboat5y ago0 comments

> you're still sending your full password to the server for verification each time, so if the server is compromised for any length of time your password will be as well.

The key difference between storing plaintext passwords and hashed passwords is that with hashed passwords, you can only compromise users who log in during the interval when the system is compromised, and even then, only for worse compromises (eg if all the attacker gets is arbitrary disk read, compromising hashed passwords would be impossible in most scenarios.)

0 comments

heavenlyblue5y ago

> users who log in during the interval when the system is compromised

Why only then?

SAI_Peregrinus5y ago

Because the server doesn't store the password, only the "password hash" of the password. So if the server isn't compromised during the login there's no way for the attacker to learn the password itself.

j / k navigate · click thread line to collapse