Okay so how do you think they figured out what my (now changed) password was? For reference, it was 20 characters, mixed case, with special characters and numbers. Not used elsewhere, so not from a breach list unless from them. - ThreadSky

beauwoods.com • 71 days ago

Okay so how do you think they figured out what my (now changed) password was?

For reference, it was 20 characters, mixed case, with special characters and numbers. Not used elsewhere, so not from a breach list unless from them.

1 / 2

Comments

josephhall.org•71 days ago

Even if they were to just store a checklist of yes/no composition elements (so not the full password) that would be too much. Huge red flag

beauwoods.com•71 days ago

Yeah agreed.

The only thing I can think is maybe they looked at the last time they were changed and considered them weak based on either the elapsed time or the complexity requirements back then.

chrismarget.bsky.social•71 days ago

"no spaces" is an interesting requirement.

What explains that one?

beauwoods.com•70 days ago

I'm not sure. Might have to do with usability - if you're storing it in a password vault and don't notice there's a space in there you might not type it. Alternately if you're cutting and pasting and get an extra space it's hard to see. Some systems apparently strip spaces to avoid this issue.

itsnotsecure.com•71 days ago

It will seem like a stupid thing to say, but based on those requirements they are placing way too much reliance on a weak form of identification. I'd hope they'd be letting possession or inherence alongside good profiling do the heavy lifting. Rather than trying to make knowledge somehow worthwhile.

iagox86.bsky.social•71 days ago

Every time you authenticate they can see your unhashed password, so it's plausible they checked it then.

But whether it's that or they store it plaintext, this is that reason I wish we'd stop talking about password strength and only worry about uniqueness

beauwoods.com•71 days ago

I hope they're hashing it in the browser. Also, I haven't logged into that account in quite a while so it would surprise me if that's it.

iagox86.bsky.social•71 days ago

Nobody hashes in the browser.

beauwoods.com•71 days ago

Account name is sent (through TLS) in plain text and password is basically garbage so seems like some kind of encoding. What would be the reason to stop short of implementing a reasonably strong hash? Too much processor?

iagox86.bsky.social•71 days ago

Interesting!

Usually TLS is considered enough security.

Hashing before sending solves less than you'd think, because you can't use a strong hash (unless the server provides the same salt every time), and it means that the password hash effectively becomes a password itself ("pass the hash")

beauwoods.com•71 days ago

Yeah that makes sense. There's probably some fancy cryptography that could do different but not significantly better protections. Still begs the question, how'd they flag that password. And why. It wasn't weak by any password standards I know.

Comments

Posting Rules

Reply