Comment on Plex got hacked.

• sugar_in_your_tea@sh.itjust.works ⁨12⁩ ⁨hours⁩ ago

  You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.

  So it’s more like this:

  • “p@ssword” + “hakf” + “pepper” -> “hifbskjf”
  • “p@ssword” + “jkjh” + “pepper” -> “gaidjshj”

  If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password: brute_force(“higbskjf”, “hakf”) - > “kdrnskk”. The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.

  Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.

  source

  • moseschrute@lemmy.world ⁨12⁩ ⁨hours⁩ ago

    I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!

    source
• Waraugh@lemmy.dbzer0.com ⁨12⁩ ⁨hours⁩ ago

  That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.

  source

  • ramjambamalam@lemmy.ca ⁨8⁩ ⁨hours⁩ ago

    Response time is critical.

    source
  • moseschrute@lemmy.world ⁨12⁩ ⁨hours⁩ ago

    even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords

    I think maybe I misunderstood this part. I thought you were suggesting that salted hashed passwords were uncrackable but maybe I misunderstood this

    source

    • Waraugh@lemmy.dbzer0.com ⁨12⁩ ⁨hours⁩ ago

      Gotcha, no, I wasn’t trying to make that claim, it’s just a way to make it more difficult/time consuming

      source