While true... this is less of an issue if the breached database includes strongly encrypted passwords with individual salts. At least half of them are going to be part of existing breaches, but you aren't going to bother with the rest as it can/will take an exponential amount of time if they are treated properly, leaving top's password safe(ish).

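The point above about per-user salts and a deliberately slow hash can be shown concretely. The following is an added example, not code from the thread or from any site discussed in it: it uses Python's standard-library PBKDF2 (a slow, salted KDF) and shows why two users with the same password end up with different stored records, so a precomputed table of common passwords cannot be looked up against the whole dump. The iteration count is an assumption chosen for the example, not a recommendation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example: a fresh 16-byte salt per user and a
# fixed PBKDF2-HMAC-SHA256 work factor. Real deployments should take the work
# factor from current guidance rather than from this snippet.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    Storing the salt and work factor next to the digest lets the verifier
    recompute the hash later and lets the work factor be raised over time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a new random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password: str) -> str:
    """The weak alternative: one hash per password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def count_shared_digests(records: list) -> int:
    """How many distinct records share a digest with at least one other record.

    For a salted store this is 0 even when users chose the same password;
    for an unsalted store every repeated password collapses to one value.
    """
    digests = [r.rsplit("$", 1)[-1] for r in records]
    return sum(1 for d in digests if digests.count(d) > 1)


def demo() -> dict:
    # Constructed sample: three users, two of whom picked the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

    salted = {u: hash_password(p) for u, p in users.items()}
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}

    return {
        # Salted: alice and bob's records differ despite the same password.
        "salted_shared": count_shared_digests(list(salted.values())),
        # Unsalted: their digests are identical, so one lookup cracks both.
        "unsalted_shared": count_shared_digests(list(unsalted.values())),
        "alice_ok": verify_password("correct horse", salted["alice"]),
        "alice_wrong": verify_password("correct horses", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

The record format is the example's own; libraries such as passlib or bcrypt implementations produce their own encodings, but the idea is the same: the salt and work factor travel with the digest, and verification always recomputes rather than decrypts.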

So I am supposed to trust that the random forum I have to sign up for to view the solution of a question securely hashes the password I send them?

That’s pretty much like handing your car keys to a random person on the street and being confident they will take them to the bank and put them in a locker.


Why do you care? It's not like you use the same password for everything right?


I don’t, but the people we collectively try to protect do. That’s why we have 2FA and Passkeys in the first place: because most people will not conform to security best practices.


Passwords can leak in many ways other than database breaches. Malicious front-end code and accidental logging that goes to a public place like an S3 bucket are two examples.


It's also less of an issue if the passwords never get leaked at all. The question is how much of a bet you're willing to make on the security practices of all of the sites where you have an account following this practice, and at least to me it doesn't seem like a smart bet.
